How to Protect Your Small Business From the Heartbleed Bug
The Heartbleed Internet security bug has a scary name, but how does it affect you as a small business owner?
Here’s what you should know about Heartbleed — and what you can do to protect yourself and your business.
1. What is Heartbleed?
Engineers at Google discovered the flaw and announced it to the world on April 7 — the same day a fix became available. About 17 percent of all secure websites were affected by the bug, according to internet services company Netcraft. Other estimates found that two-thirds of all websites were at risk when the bug was first discovered.
You no doubt know that entering sensitive information into a non-encrypted website is a bad idea. If the URL doesn’t begin with “https,” the page isn’t encrypted and hackers could potentially steal your information.
Software installed on a server encrypts the data so it can’t be intercepted. One of those programs is OpenSSL, which is widely used by businesses all over the world, including giants like Google, Yahoo, and Amazon Web Services.
A Google engineer found a vulnerability that allowed a piece of code to be attached to a routine message sent to a server. This malicious code could give hackers access to the encryption keys allowing the data to be unscrambled. In other words, the server could be tricked into giving up the unlock code to sensitive data.
2. Is it a virus?
Heartbleed is not a virus. It is a security hole specific to the OpenSSL software. It’s not being replicated as a virus would, so you don’t have to worry about infecting your customers or your customers infecting you.
3. Have there been any known exploits of user data?
Very few have been reported. The most notable was in Canada, where a 19-year-old man was arrested for stealing Canadian taxpayer data. He used the Heartbleed bug to commit the crime.
4. How do I know if my computer runs OpenSSL?
Because OpenSSL runs on servers, individual computers aren’t vulnerable. You don’t have to do anything to your personal computer to protect yourself from the bug. However, some of your networking devices, like routers and network storage devices, could be affected. More about that below.
5. How about my mobile devices?
The bug does not affect mobile devices per se, but some of the apps you run on them may be cause for concern. There are reports that older versions of Android software are vulnerable. If you haven’t updated your mobile devices’ operating system, do so immediately.
6. I don’t own servers, so why should I care about this?
Many small businesses don’t have an IT department and for that reason, they likely don’t own or administer servers directly impacted by the bug. It is highly likely, however, that as a small business you rent space from an internet service provider, or ISP. Some ISPs were affected.
You probably also rely on internet and cloud services for daily business operations. Do you use Dropbox, PayPal, Evernote, Box, Etsy, or Facebook apps? If you do, your data and your customers’ data could be at risk. You can see a list of online services and apps affected by Heartbleed here. Many of these services were never vulnerable — that’s good news.
7. What should I do to fix this?
Unless you administer your own server, you can't fix the problem. Companies around the world have installed a simple software patch that plugs the security hole.
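If you do administer your own server, the first question is which OpenSSL build it runs. The script below is an added example written for this article (it is not part of the original piece and not an OpenSSL tool); it classifies the version string that `openssl version` prints against the release range named in the OpenSSL advisory for this bug: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 carry the fix, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The function names are my own. The important caveat is that Linux distributions often backport the fix without changing the version number, so a "vulnerable" verdict here means "check your vendor's changelog or update", not a confirmed hole.

```shell
#!/bin/sh
# Added example, not from the article. Classifies an OpenSSL version string
# by the Heartbleed-affected release range published in the OpenSSL advisory.
# Caveat: distributions backport fixes without bumping the version, so
# "vulnerable" means "verify with your vendor", not "confirmed".

# heartbleed_version_status VERSION
# Prints one of: vulnerable, fixed, unaffected, unknown.
heartbleed_version_status() {
    v="$1"
    case "$v" in
        # 1.0.1 through 1.0.1f, including builds with suffixes such as -fips,
        # plus 1.0.2-beta1: the affected releases.
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo vulnerable ;;
        # Anything else on the 1.0.1 or 1.0.2 lines (1.0.1g+, 1.0.2-beta2+)
        # shipped with the fix.
        1.0.1*|1.0.2*)
            echo fixed ;;
        # The 0.9.8 and 1.0.0 branches never had the heartbeat extension;
        # 1.1.x and 3.x were released long after the fix.
        0.9.8*|1.0.0*|1.1.*|3.*)
            echo unaffected ;;
        *)
            echo unknown ;;
    esac
}

# extract_openssl_version "OpenSSL 1.0.1e 11 Feb 2013"  ->  1.0.1e
# Pulls the second whitespace-separated field out of `openssl version` output.
extract_openssl_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# check_local_openssl: inspects the openssl binary on this machine, if present.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        ver=$(extract_openssl_version "$(openssl version)")
        printf 'openssl %s: %s\n' "$ver" "$(heartbleed_version_status "$ver")"
    else
        echo "openssl binary not found on this machine"
    fi
}

check_local_openssl
```

Run it on each server you manage; a "fixed" or "unaffected" result for the binary is necessary but not sufficient, because a long-running web server keeps the old library loaded in memory until it is restarted, so restart the services (and re-issue certificates) after the package update.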
Don't forget about devices like routers, network storage devices, and access points. Even home automation systems and cable boxes are vulnerable. For a (hopefully) complete list of network devices affected, click here. Some devices may never receive a fix, according to MIT Technology Review.
Experts advise all internet users to change their passwords. You can spend a bunch of time trying to figure out which companies were affected or you can simply change all of your passwords — which you should do regularly anyway. Some experts advise changing passwords once a month for the next three months just to be safe.
8. What should I tell my customers?
After you have conducted an internal security audit of your equipment and all services you use and made any necessary patches, reassure your customers that you are not vulnerable through a carefully worded email, a blog post, and/or a special page on your website. It's a good idea to advise your customers to change their passwords just to be safe. Finally, assure them that although this was a major security event, there is no evidence that data was compromised (presuming you have found no evidence of a breach).