Yesterday, ePlus, along with their vendor partners, hosted an executive lunch meeting to discuss security, the future of disruptive technologies, and how security must change in 2014.
This just happened to coincide with Heartbleed – one of the biggest disasters we’ve seen yet on the Internet. At the end of the session, ePlus offered to provide an assessment to those who attended, helping them uncover anything that might not be in line with the protection needed to guard against current threats.
The Biggest Problem With Security
In my keynote, I addressed what I believe are some of the biggest problems with companies’ security strategies right now. There are all kinds of problems out there, but I firmly believe the biggest one is that corporate leaders think their systems and networks are more secure than they really are.
Target thought they were PCI compliant, until they were hacked – and I guess since the PCI people said they were, they were. Are they still?
66% of the Internet’s web server administrators probably had no idea that OpenSSL was broken, and had been for two years…so for two years they’ve been saying, “We’ve got it covered,” and for two years, they’ve been dead wrong. Could they have known? Probably not, since the bug wasn’t known. But it’s that attitude that bothers me. It’s the arrogant answer of “We’re all set” that makes company leaders think they are more secure than they are.
Great Time To Review the Rest of Your Strategy
There are some great tips out there on what to do now. I suspect that most companies will jump on this update and get their web servers in order. Somehow the Heartbleed patch needs to be validated by the PCI police. Will the users all change their passwords too? Probably not. But this is a great time for companies to reevaluate their security overall. Don’t stop at SSL – consider looking at the rest of it. If you’re a technology reseller or consulting company, I would recommend contacting every one of your customers by Monday with a simple plan to help them ensure their systems are set up correctly. If the end-users of that company are using outside websites (which of course they are) for shopping, social media, daycare, and who knows what else, their credentials are now compromised. If they don’t update them, they are creating an avenue back into their company’s secure systems. Chances are they are using the same password on everything they touch, from email to Yahoo to their ERP systems.
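The first step of the “simple plan” above is knowing which hosts still run an OpenSSL build in the Heartbleed range. The following is an added example (not code from the original post or from ePlus) that triages `openssl version` banners collected from a fleet: upstream releases 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release, are the affected ones; 1.0.1g, the 0.9.8 and 1.0.0 branches, and later releases are not. The sample banners are constructed for illustration, and the host names are placeholders.

```python
import re

# Matches "OpenSSL <major>.<minor>.<patch><letter>" as printed by `openssl version`.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def heartbleed_status(banner):
    """Classify a banner by upstream release version only.

    Caveat: many distributions backported the fix without changing the
    version string, so "version_in_affected_range" means "verify against the
    vendor's advisory / package changelog", not "confirmed vulnerable".
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch, letter = v
    base = (major, minor, patch)
    # 1.0.2-beta1 shipped with the same heartbeat bug; the 1.0.2 release did not.
    if base == (1, 0, 2) and "beta" in banner.lower():
        return "version_in_affected_range"
    # Only the 1.0.1 branch had the heartbeat extension bug.
    if base != (1, 0, 1):
        return "not_affected"
    # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
    if letter == "" or letter <= "f":
        return "version_in_affected_range"
    return "not_affected"


def triage(banners_by_host):
    """Group hosts by status so the ones needing follow-up are listed first."""
    result = {"version_in_affected_range": [], "unknown": [], "not_affected": []}
    for host, banner in sorted(banners_by_host.items()):
        result[heartbleed_status(banner)].append(host)
    return result


# Constructed sample inventory (placeholder host names, illustrative banners).
SAMPLE_FLEET = {
    "web-01.example.invalid": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02.example.invalid": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-01.example.invalid": "OpenSSL 0.9.8y 5 Feb 2013",
    "lb-01.example.invalid": "OpenSSL 1.0.0l 6 Jan 2014",
    "staging-01.example.invalid": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance-01.example.invalid": "vendor firmware, no banner captured",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_FLEET).items():
        print(status, hosts)
```

Hosts in the first bucket are the ones to confirm with the package manager or vendor advisory and then patch, restart every service that loaded the library, and reissue keys and certificates; the “unknown” bucket is just as important, since an appliance with no banner is exactly the kind of system that gets left out of the “we’re all set” answer.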
© 2014, David Stelzl