When news of the OpenSSL Heartbleed vulnerability was announced to the public, its risk dominated the press. This infamous security vulnerability allows hackers to intercept communications and obtain information from vulnerable servers. OpenSSL is used for countless services, including Web servers, mobile applications, operating systems, routers and email clients. Articles quickly spread across the Internet with recommendations — some of which were counterproductive — yet many users took no action at all to protect sensitive information.
“This is a serious vulnerability,” wrote Forbes cybersecurity columnist Joseph Steinberg about Heartbleed. “Some might argue that it is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.”
Consumers trust banks, retail stores and communications companies with personal information, including phone, credit card and social security numbers. Despite a couple of months passing since Heartbleed was announced, the bug continues to haunt consumers, technology firms and corporations alike. Consumer trust was severely violated during this security debacle, as judged by the overwhelmingly negative sentiment shared online about Heartbleed immediately after the breach was announced. Companies need to rebuild trust and educate consumers to protect their data — but some are responding with ambivalence and inaction, the opposite of what is needed.
A study by Errata Security found 309,197 servers were still vulnerable (down from 600,000 in April), some of them critical. “This indicates people have stopped even trying to patch,” says Robert Graham, Errata’s owner. “We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.”
According to analysis by Venafi Labs, some industries have been faster than others to respond to the Heartbleed vulnerability. The top 10 list of remediated sites in the sample set includes discount stores, semiconductors and major banks. Leading the pack on the top 10 most vulnerable from the sample set: telecommunication services, electronics and railroads.
The companies with vulnerable servers are likely to be targeted by hackers, enabling Heartbleed problems to continue nearly three months after the vulnerability was announced. “Hackers are looking for those who haven’t yet changed their passwords and for services who did not install a patch quick enough,” said Christopher Hadnagy, chief human hacker at the security consulting company Social Engineer.
In the digital age, companies that don’t prioritize data security are more susceptible to publicity nightmares that encourage users to close accounts and go elsewhere. Companies must act proactively to earn and maintain credibility and a strong brand.
Sheila Jordan, chief information officer for Symantec, recommends businesses determine which information is really sensitive and which isn’t. They can then segment data security strategies and prioritize the highly sensitive data.
“It is really important that businesses understand their data,” says Jordan in an interview with Triple Pundit. “It really is all about the data and how it is now flowing between mobile devices, cloud, and structured and unstructured data coming in.”
Jordan urges widespread employee engagement for data security. “In reality, it is the job of the CIO and CSO to educate the employees on policy, process, and how to secure our devices. I think everyone within the organization has to take a role in really securing that information.”
Unfortunately, a study by Software Advice, an online evaluation firm for IT security software, found that more than 75 percent of respondents say they’ve received no advice about Heartbleed in the workplace, and two-thirds of respondents haven’t changed any passwords to protect their accounts. Despite Google and Yahoo being affected, only 19 percent of all respondents changed email passwords. Many Internet users still perceive the Internet as safe, but future privacy debacles will reduce confidence.
Consumers also need to take responsibility for protecting themselves. There are plenty of users out there that haven’t taken action to protect their personal information in response to Heartbleed. According to a Pew study from late April, a mere 39 percent of Internet users have changed passwords or closed accounts. This number was greater in households with higher incomes and levels of education.
“As consumers, we’ve done such a great job of securing our homes and buying insurance policies,” says Jordan. “We need to heighten our awareness of securing our data and our identities. As consumers, it’s our responsibility when we’re interacting with companies to check out their security policies and procedures.”
One unlikely outcome of the OpenSSL Heartbleed security disaster is the creation of the Core Infrastructure Initiative (CII), which aims to fund critical elements of global technology, through a collaboration between the Linux Foundation and early contributors: Adobe, Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace and VMware. This initiative was spurred by the fact that OpenSSL, vital to Internet security, ran on a donated operating budget of $9,000 in 2013. In addition to helping prevent similar vulnerabilities and security breaches, supporting organizations may gain credibility in the eyes of consumers, who see them as part of the solution.
To boost trust and protect privacy, companies need to secure data, but they also must educate both users and employees on safe Internet practices. Workplace policies and educational programs are vital to responding to the changes in the business environment brought on by Internet security threats. Companies that lead the way with transparency and proactive initiatives will thrive in the digital age.
Image Credit: Mashable Composite, iStock, Saul Herrera
Sarah Lozanova is a regular contributor to environmental and energy publications and websites, including Mother Earth Living, Green Building & Design, Triple Pundit, Urban Farm, and Solar Today. Her experience includes work with small-scale solar energy installations and utility-scale wind farms. She earned an MBA in sustainable management from the Presidio Graduate School and she resides in Belfast Cohousing & Ecovillage in Midcoast Maine with her husband and two children.