There used to be an old line, “When GM sneezes, the nation gets a cold,” that reflected the national economy’s reliance on heavy industry. Today, you could substitute “internet” for “GM” and describe a similar – if not more far-reaching – effect.
That sneeze you heard a few weeks ago was news of the so-called “Heartbleed” vulnerability, a defect in widely used open-source encryption code that is built into a large number of internet-connected devices and software products around the world.
News reports indicate that the National Security Agency recognized Heartbleed about two years ago and has been exploiting the vulnerability as part of its standard data-snooping practice. It’s not an IT security management issue or virus, per se. Rather, it’s a weakness – a programming mistake – created by a German software developer who was working on a way to improve OpenSSL data encryption.
He inadvertently introduced an exploitable flaw into the code underlying OpenSSL. As a result, bits of data held in your computer’s short-term memory – such as passwords or other data you type in – can be exposed in the course of what looks like ordinary, legitimate secure-connection traffic. The leak, or “bleed,” of critical information would be virtually undetectable.
Heartbleed’s Effects Stretch Far and Wide
Heartbleed is a huge threat to global computing. Big, tech-savvy heavy hitters like Cisco and Juniper have discovered that the Heartbleed vulnerability exists on many of the servers they sell to, or operate on behalf of, corporate customers in industries across the full spectrum of commerce. BlackBerry’s famously secure smart phones haven’t been affected, but the code underlying the popular BlackBerry Messenger secure texting service is.
All Android devices – 79 percent of new mobile devices now sold in the U.S. are Android – are vulnerable. And because certain industries, such as health care, are heavily dependent on OpenSSL programs, they are especially exposed to Heartbleed. Closing those vulnerabilities, patching systems and networks, and then dealing with the down-line effects of those changes – lost or misplaced data, web pages that won’t render properly, extended system downtime, and the like – could be enormously expensive.
Downtime is a particularly large threat. What’s the cost to your company if a customer or client can’t log on when they need to?
Outages Mean More than Loss of Immediate Sales
But not only do outages cost you immediate sales, they also can erode your company’s reputation in the minds of current and potential clients. How many future sales will that cost? It’s hard to know, but a 2012 study done by IBM shows that reputation problems caused by such outages and other technical disruptions can cost the average company anywhere from $21,000 to more than half a million dollars over the following 24 months.
And that applies to small and midsize companies just as much as to huge corporations. Indeed, small and midsize companies might be relatively more sensitive to such negative effects and costs, simply because they likely never operated on mainframes or custom-built programs, instead relying on simpler, off-the-shelf programs and applications. And a majority of such programs and applications have used OpenSSL encryption. Thus, a large majority of such companies are, at least in theory, exponentially more exposed to Heartbleed.
Their problem also is compounded by the fact that, based on their size and budget limitations, they have either a small or relatively undertrained IT staff – or both.
Many small or midsize companies, in fact, rely on third-party IT suppliers and managers. Unfortunately, not all such vendors are themselves capable of dealing quickly, efficiently and accurately with newly exposed problems like the Heartbleed vulnerability. And many vendors who do have the savvy to deal with such challenges lack the bandwidth to respond quickly to every one of their clients. Thus, they have to decide which of their customers will be served first, and which ones will wait the longest to be helped. And chances are, they will do that based on the size of each account, with smaller companies being pushed to the rear of the line.
That’s another factor small and midsize companies need to consider when searching for an IT managed services partner: Where will your company rank on that vendor’s priority list when something hits the fan the way Heartbleed has this month?
If your vendor specializes in providing elite-level IT services to companies in your size category and industry, chances are they’ll be the kind of company you can count on to respond to your needs sooner.