Suppose you’re a small to midsize business (SMB). Your IT department is likely quite minimal and on a small budget—and for some small businesses, IT may be on a contract-only basis. Suddenly, this new Heartbleed bug is in the news. IT patches the company website, no problem. And just when you think your Heartbleed troubles are behind you, you read the latest news: Around two dozen other network devices such as routers, phones, switches, cameras and servers have also been affected by the bug.
For SMBs, this bug presents a huge complication to business as usual. It is disrupting companies' online business and will likely cost quite a bit more by the time all sites and devices are patched and updated. What's worrisome is the state many SMBs were in when Heartbleed arrived. According to data from the F-Secure Annual Report for 2013, only 59 percent of SMBs said that their software is patched and kept up-to-date. And surprisingly, only 63 percent of those businesses felt that they had enough IT support to keep all their software patched and updated.
The Heartbleed bug is a flaw in OpenSSL's implementation of the TLS Heartbeat extension (CVE-2014-0160), not in the SSL/TLS protocol itself. A missing bounds check lets an attacker send a tiny heartbeat request that claims a large payload and get back up to 64KB of the server's process memory in reply, which can include session cookies, user passwords and even the server's private key, and the request typically leaves nothing in application logs. So only systems running a vulnerable OpenSSL release (1.0.1 through 1.0.1f) with the heartbeat extension enabled are affected; software built on other TLS libraries, or on OpenSSL 0.9.8 or 1.0.0, is not. Even so, the list of sites and devices affected by Heartbleed is a bit overwhelming.
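To make the mechanism concrete, here is an added example (not code from the original article, and not OpenSSL's own source) that models the bug in about forty lines of C. The sample "process memory", the record layout and the secret string are constructed for the demonstration; the heartbeat record format follows RFC 6520. The vulnerable handler trusts the length field inside the message, the fixed one checks it against the number of bytes actually received, which is the shape of the check added in OpenSSL 1.0.1g.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "process memory": the incoming heartbeat record sits at
 * offset 0, and an unrelated secret sits right after it, the way a session
 * cookie or key material might sit next to a network buffer in a real server. */
#define MEM_SIZE 256
static unsigned char process_mem[MEM_SIZE];
static const char secret[] = "SESSION=hunter2;";   /* 16 bytes, constructed */

/* Heartbeat record layout per RFC 6520:
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HDR 3
#define HB_PAD 16

/* Lays out the sample memory. The record claims a 64-byte payload but really
 * carries 4 bytes ("ping") plus 16 bytes of padding. Returns the number of
 * bytes that were actually received (23). */
size_t build_sample_memory(void) {
    unsigned char *p = process_mem;
    memset(process_mem, 0, sizeof process_mem);
    p[0] = 1;                         /* heartbeat_request */
    p[1] = 0x00; p[2] = 0x40;         /* claimed payload_length = 64 */
    memcpy(p + HB_HDR, "ping", 4);
    memset(p + HB_HDR + 4, 0xAA, HB_PAD);
    size_t rec_len = HB_HDR + 4 + HB_PAD;               /* 23 bytes on the wire */
    memcpy(p + rec_len, secret, sizeof secret - 1);     /* adjacent, unrelated data */
    return rec_len;
}

/* Vulnerable handler: echoes as many bytes as the *message* claims and never
 * compares that against rec_len, so the memcpy reads past the record. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap) payload = out_cap;   /* only so this demo stays memory-safe */
    memcpy(out, rec + HB_HDR, payload);         /* over-read: copies beyond rec_len */
    return payload;
}

/* Fixed handler: header + claimed payload + minimum padding must fit inside
 * the record that was actually received; otherwise drop it silently. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PAD > rec_len) return 0;  /* the missing bounds check */
    if (payload > out_cap) return 0;
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

/* Runs one handler over the sample memory and reports whether the echoed
 * reply contains the adjacent secret: 1 if leaked, 0 if not. */
int reply_leaks_secret(int use_fixed) {
    unsigned char reply[MEM_SIZE];
    size_t rec_len = build_sample_memory();
    size_t n = use_fixed
        ? heartbeat_fixed(process_mem, rec_len, reply, MEM_SIZE - HB_HDR)
        : heartbeat_vulnerable(process_mem, rec_len, reply, MEM_SIZE - HB_HDR);
    if (n < sizeof secret - 1) return 0;
    for (size_t i = 0; i + (sizeof secret - 1) <= n; i++)
        if (memcmp(reply + i, secret, sizeof secret - 1) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", reply_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", reply_leaks_secret(1));
    return 0;
}
```

The 64-byte claim in a 23-byte record is the whole attack: nothing is overwritten, nothing crashes, the server simply answers with whatever happened to be in memory after the request. In the real bug the claimed length could be up to 65535, which is where the "64KB per request" figure comes from; the attacker repeats the request to sweep through memory.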
For these reasons, it's imperative for SMBs to take the Heartbleed bug seriously and for IT staff to be meticulous in their work to ensure all Web-facing presences and networked devices are patched. Patching alone is not enough where a private key may have been read out of memory: after updating OpenSSL, generate a new key pair, reissue the certificate and revoke the old one, then invalidate existing sessions so that any cookies harvested before the fix stop working.
IT staff should also inform users of how the Heartbleed bug works and how they can protect themselves and company data. Then, before anyone changes a password, confirm that each site the company and its users rely on has been patched and has reissued its certificate; a new password entered into a still-vulnerable site can be read out of memory just as easily as the old one. Next, require users to create new passwords for the sites they must visit regularly for work or via the company network. Lastly, VentureBeat offers another suggestion that can protect users and company data: two-factor authentication (2FA). According to a Sophos NakedSecurity blog post:
… 2FA does make it harder for the crooks. And while it wouldn't have made Heartbleed less of a bug, it would have made any passwords harvested by means of the bug much less useful, perhaps even useless. In short: we recommend 2FA.
Paul Ducklin, the NakedSecurity blog writer, explains how 2FA works and how companies can employ this technology to provide stronger, more robust security for their networks. Ducklin explains 2FA in easy-to-understand terms:
Examples of 2FA include:
- An ATM (cashpoint) withdrawal. You have a card issued by the bank. You know a PIN that unlocks the card for use. Neither one on its own gets you anything.
- An immigration check at the US frontier. You have a passport. You are the person with specific fingerprints.
- A secure WordPress login. You know a password. You have possession of a mobile phone that receives a one-off authentication code.
Ducklin goes further to explain the best methods for implementing 2FA (he recommends the one-time-password [OTP] method via SMS). This method is fairly simple to deploy and shouldn't prove too costly for cash-strapped SMB IT departments. One caveat: codes sent by SMS can be intercepted or redirected by SIM-swap attacks, so where users have smartphones an authenticator app that generates time-based one-time passwords (TOTP) is the stronger choice; either is far better than a password alone. Although 2FA doesn't make a network absolutely secure, it adds a second layer of protection where it is most needed.