Now that the hubbub over Heartbleed has finally started to calm down (not that the hubbub was undeserved, but hubbub it was), we're beginning to see practical guidance on how to protect your small business from Heartbleed's OpenSSL bug. For now, set aside the accusations of insider trading and the speculation about a mad scientist behind Heartbleed, and follow this recap of ways to protect yourself.
1) Understanding Heartbleed
Heartbleed is a bug, not a virus. Basically it means that someone can ask a server for data without the server enforcing any limit on how much data it sends back to them. Here's a great picture by xkcd.com that explains it:
Without ever knowing it shared sensitive data, your server can divulge far too much about your users: their passwords, their encrypted data, and so on. That means a hacker could obtain your email address and password, and potentially use them to log in to that website under your name, or to any other website on which you've used the same username/password combination.
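The missing limit described above is a length check on the TLS heartbeat message (RFC 6520): the message carries its own payload_length field, and the unpatched code trusted it instead of comparing it with the number of bytes actually received. The example below is added here and is not from the original post or from OpenSSL; it parses a heartbeat record and applies the same bounds check the fix introduced, reporting how far past the record an unchecked copy would have read. The record layout follows RFC 6520; the sample records are constructed.

```python
import struct

# RFC 6520 heartbeat message: type (1 byte), payload_length (2 bytes,
# big-endian), payload, then at least 16 bytes of random padding.
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16
HEADER_LEN = 1 + 2


def check_heartbeat(record: bytes):
    """Return (payload, over_read) for one heartbeat record.

    payload is the validated payload, or None when the record must be
    silently discarded (RFC 6520 section 4).  over_read is how many bytes
    past the end of the record a copy that trusted payload_length alone
    would have read; it is 0 for a well-formed record.
    """
    # Too short to hold even the header plus the minimum padding.
    if HEADER_LEN + MIN_PADDING > len(record):
        return None, 0
    hb_type = record[0]
    (declared_len,) = struct.unpack("!H", record[1:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None, 0
    # The check the unpatched code lacked: the declared payload plus the
    # mandatory padding must fit inside the bytes actually received.
    needed = HEADER_LEN + declared_len + MIN_PADDING
    if needed > len(record):
        return None, needed - len(record)
    return record[HEADER_LEN:HEADER_LEN + declared_len], 0


def sample_record(payload: bytes, declared_len: int,
                  padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Constructed test record; declared_len may disagree with len(payload)."""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len) + payload + padding


if __name__ == "__main__":
    good = sample_record(b"ping", 4)
    print(check_heartbeat(good))              # (b'ping', 0)
    # Claims a 16 KiB payload but carries only 4 bytes: discarded by the
    # patched check; an unchecked copy would have read 16380 extra bytes.
    bad = sample_record(b"ping", 0x4000)
    print(check_heartbeat(bad))               # (None, 16380)
```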
2) Protecting Your Computer & Mobile Device
Technically you don’t need to. Heartbleed affects servers, not your PC or cell phone. That being said, the websites you visit and the apps you use may be compromised. Check this website for a list of affected sites. If you have an account on one (or more) of them, we recommend changing your password and checking with the company to make sure they’ve patched the bug.
3) Protecting Your Servers
If you don't host your own servers (for example, you use GoDaddy or BlueHost), you should change your passwords and confirm that the host has applied the patch. The same goes if you use Dropbox, PayPal, Evernote, Box, Etsy, or Facebook apps: go change your password(s). As for your own servers, have your network admin patch them first and then change the passwords. The same goes for your routers, network storage devices, and access points.
Kind of repetitive, right? There really isn't much you can do to undo the wound Heartbleed caused. Instead, the best solution is the Band-Aid one: a patch to fix it and a password change. The damage has already been done; the best you can do now is prevent it from recurring.
4) What To Tell Your Clients
Conduct an internal security audit and tell your clients that you've checked and double-checked that everything has been patched. Inform them of the potential breaches and tell them, very carefully, that their valuable data is probably safe. Lastly, tell them to change their passwords on your site. Heartbleed affected everyone, so don't be afraid to tell your clients. Better to be on the safe side.