The Heartbleed bug is bad news for most companies, including small businesses, both because it potentially leaves customer data open to hackers and because of the scale of the web traffic involved. Even though the weakness, which stems from a flaw in the popular open source encryption software OpenSSL, has been around since March 2012, its existence only came to prominence in April this year. Worryingly, experts believe that up to two thirds of all websites have been compromised, so how do you know if your business or data is at risk?
OpenSSL runs on web servers and was designed to protect traffic carrying personal data between users and supposedly secure sites such as banking sites and shopping carts. It’s used widely across the web, from huge companies such as Yahoo down to small e-commerce sites.
But it has now emerged, in what has been dubbed the world’s ultimate web nightmare, that the encryption keys could be lifted from the sites themselves if the Heartbleed bug had compromised them. Worse, it can be done without leaving a trace.
“The main worry is for small e-commerce sites that do not know they have been affected,” Keith Cottenden, director at cybersecurity specialists CY4OR, told the BBC. “Any business that takes customer details could be vulnerable because this encryption is designed to protect personal data. Businesses need to apply mitigation now.”
Effective and robust data security is business-critical for companies of all sizes, but the cost is often disproportionately high for smaller outfits.
While bad data handling can cost clients and trust, both key to the success of small businesses, many companies have inadequate systems in place because of a lack of resources or understanding, and rely on a head-in-the-sand approach when something like Heartbleed occurs. But the expert opinion in this case is that no company can afford to ignore Heartbleed.
The bug has been around for two years, meaning that anything held in that time could potentially have been accessed if your website relied on OpenSSL for secure communications with users, and there’s no way of knowing if this has happened. While the advice to users is to change passwords once sites have been fixed, the onus is on sites to update their security systems first, otherwise the new password is also vulnerable.
Key steps to make sure any data your site holds, such as credit card details or passwords, is secure include updating OpenSSL on each individual internet-facing computer you have, as well as revoking your SSL certificates and generating new ones.
If you have an IT department, they should be able to sort this for you. If not, and this sounds confusing, then it is likely that you need assistance from specialists for this and other data security needs.