Monthly Archives: April 2014

Heartbleed Bug: What a Business Owner Should Know

The name Heartbleed OpenSSL Vulnerability (aka Heartbleed bug) is as scary as it sounds. Some reports say up to two thirds of all secure websites (e.g. those with a web address starting with a green https://) are using OpenSSL.  It has been reported that Google was first to discover the Heartbleed bug  that compromised sites including Yahoo, Tumblr, Flickr, Amazon, and other websites relying on OpenSSL for security.  This security breach may provide hackers access to accounts, passwords, and credit card information.

Heartbleed and Your Systems

Business owners using OpenSSL for their email, website, eCommerce applications, or other  web applications should take action to prevent data loss or theft.  The fix for the Heartbleed bug should be installed on your operating systems, network appliances, and other software to ensure that confidential information is protected.  Consider having your IT professional test your public web servers to determine if they are safe.

Heartbleed and Your Employees

Your employees may have used websites that were exposed to the Heartbleed bug.  This means their username and password combinations may have been compromised by hackers tapping into what was supposed to be encrypted communications.  Employees should be reminded to reset passwords within the guidelines established by your company.  There are plenty of resources on creating a secure password.  Microsoft offers tips for creating a strong password on their website.

The Need for IT Security

Because the Heartbleed bug is pervasive, most internet users need to change passwords on sites like Gmail, Yahoo, and Facebook.  The Heartbleed bug is a wake-up call to the importance of having an IT Security policy that includes strong password policy, employee training, and systems compliance.  As applications get more complex, more issues like Heartbleed can be expected.  The Heartbleed OpenSSL Vulnerability highlights that applications have security risks, and it is just a matter of finding them.

Mobile Security: Does Your SmartPhone need a Kill Switch?

Many Smartphones and Tablet computers have access to corporate applications and their data through Bring Your Own Device (BYOD) policies and corporate-sponsored mobility strategies.  Mobile Security has become a popular topic for good reason.  According to CIO Insights, mobile data traffic is expected to increase eleven-fold by 2018. Because of increasing data traffic on mobile devices, some government agencies are looking at legislation to require manufacturers to add a smartphone kill switch to remotely wipe a mobile device if it is lost or stolen.

Keeping in mind that a four-digit iPhone passcode could be hacked in minutes, this begs the question:

Does your Smartphone Need a Kill Switch?

Having a smartphone Kill Switch may give a sense of false security.  Adding a kill switch to protect your privacy and corporate information is reactive, rather than proactive.  If not done properly, you could wipe your employees’ irreplaceable information, such as family photos.  A Kill Switch may also make the phone entirely unrecoverable.  This means you will surely need to replace the device once the remote kill switch is invoked.

Proactive Mobile Security

Before you hit the Kill Switch consider proactive mobile-security measures. Smartphones and Tablets are great innovations that allow your employees to stay in touch and work anywhere.  Access to email, operational data, financial information, and customer information through a mobile device can empower your employees and increase their productivity.  Access to this information should be password-protected at all times.  Additionally, any corporate data should be encrypted in transit and at rest. Only approved applications should be allowed on the mobile device and personal data should be stored in a separate “container” from company information.

Beyond Mobile-Device Management

In addition to protecting the information stored on and accessed by a mobile device, you should take the time to train employees on your mobile-security policy.  Your mobile security policies and training should touch on topics such as what is an acceptable use of a Mobile Device in the workplace, why mobile security is important, and how to report a mobile-security incident.

Requiring manufacturers to include a Kill Switch in a mobile device does not go far enough to protect your company information assets.  Having a comprehensive mobile security plan, however, will go further to prevent data loss in the long run.