Although the Heartbleed bug was discovered in April, a concerning number of servers still need to be fixed. While many organisations moved quickly to address the bug in their environments, others have been slow to fully patch OpenSSL.
Just weeks ago, a leading Australian security research company found that over 300,000 interconnected systems are still vulnerable to the bug – one of the most significant security threats in the history of the internet.
Perhaps organisations don’t realise the risk of leaving known security flaws in their systems unpatched. Some may be suffering from what has been termed ‘vulnerability mitigation fatigue’ as they struggle to keep up with the changes required to secure their networks. Regardless, Kareem Tawansi from Solentive Technology Group says the longer the problem is neglected, the bigger it will grow.
“Some organisations have processes in place that may be hindering the speed with which they can patch security flaws in their systems,” the CEO explains. “Whatever the reason, organisations that are not patching this vulnerability as a priority are taking a big risk.”
Heartbleed was a major security flaw that originated from a programming mistake in OpenSSL, an encryption library that provides communication security and privacy over the internet for applications such as email and messaging. OpenSSL is used by many large online services, including Google, Facebook and eBay, amongst others.
The bug exposed usernames, passwords and personal data to cybercriminals, forcing organisations to update their software, obtain new ‘master keys’ and encourage their customers to change their passwords.
Several months on, there is significant concern that many organisations are taking too long to address the problem, leaving themselves and their customers at risk.
“What they don’t realise is that by taking their time, organisations may actually face legal consequences,” explains Tawansi. “They could be breaching privacy laws or face potential criminal charges for not fixing a known security flaw.”
“If organisations are finding they are slow to respond to security flaws due to internal processes, it’s important these processes are addressed,” says the CEO. “This way, organisations can respond to security flaws before they become entrenched and create an even bigger problem.”
Tawansi says that, depending on the value of the data involved, people dealing with organisations that have yet to address the security issues should put pressure on those vendors to protect their confidential information.
Organisations that are not sure whether they have been affected by the Heartbleed bug should engage an IT specialist to assess their systems and conduct a risk analysis to identify any compromises and potential security threats.