Life After Heartbleed: Are Online Scammers Winning the War?

The Heartbleed vulnerability was announced recently and had IT security professionals rapidly taking action to plug the hole. System passwords were changed and alerts were sent to end users telling them to do the same.

Heartbleed is a highly serious data security vulnerability that was discovered in the OpenSSL cryptographic software library. It is so called because it affects an SSL/TLS extension known as Heartbeat. The flaw is a missing bounds check: a peer can send a heartbeat request that claims a payload far larger than it actually carries, and a vulnerable server copies that many bytes of its own memory into the reply. Over half a million websites are believed to have been affected by the Heartbleed vulnerability.

Much of the Internet's traffic is protected by SSL/TLS encryption. This allows information to be exchanged securely by a wide range of Internet applications, including Instant Messaging (IM) services, email, and even Virtual Private Networks (VPNs). Unfortunately, the Heartbleed bug allows anyone who can connect to a vulnerable server to read fragments of its memory, which may contain passwords, session cookies and even the server's private key, without breaking the encryption itself. According to American cryptographer Bruce Schneier, Heartbleed is a potentially catastrophic security vulnerability. He recently said, "On the scale of one to 10, this is an 11."
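As an added illustration of the logic error behind Heartbleed (this is example code written for this page, not OpenSSL's own source), here is a heartbeat handler that trusts the peer's declared payload length beside one that checks it against the number of bytes actually received. The message layout (type, two-byte length, payload, 16 bytes of padding) follows the TLS heartbeat extension; the memory arena, the "hello" payload and the PASSWORD=hunter2 secret are constructed test data, and the over-read is deliberately confined to the arena so the program runs safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

#define ARENA_SIZE 128
/* Constructed "process memory": the received record sits at the start of the
 * arena and the bytes after it stand in for unrelated heap data (in the real
 * bug, leftovers from other connections). */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "PASSWORD=hunter2";   /* constructed sample secret */

/* Lay out a heartbeat request in the arena. claimed_len is what the peer wrote
 * in the length field; the real payload is always "hello" (5 bytes). Returns
 * record_len, the number of bytes that were actually received. */
static size_t build_request(uint16_t claimed_len)
{
    static const char payload[] = "hello";
    size_t real = sizeof(payload) - 1;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real);
    size_t record_len = 3 + real + HB_PADDING;      /* padding bytes are zero */
    memcpy(arena + record_len, secret, sizeof secret); /* secret sits just past the record */
    return record_len;
}

/* Pre-fix behaviour: the length field is trusted and never compared with
 * record_len, so memcpy reads past the request into neighbouring memory. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)record_len;                                    /* never consulted: the bug */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);  /* peer-controlled */
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0; /* only the reply is bounded */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);            /* copies `payload` bytes, wherever they lie */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Patched behaviour: reject a record too short to be a heartbeat at all, then
 * reject one whose claimed payload would extend past the bytes received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                              unsigned char *out, size_t out_cap)
{
    if (record_len < (size_t)3 + HB_PADDING) return 0;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    if ((size_t)3 + payload + HB_PADDING > record_len) return 0; /* the missing check */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* 1 if needle occurs anywhere in the first hay_len bytes of hay. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Send a request that claims 60 payload bytes but carries 5; return 1 if the
 * reply contains the secret that was never part of the request. */
static int leaks_secret(hb_handler handler)
{
    unsigned char reply[256];
    size_t record_len = build_request(60);
    size_t n = handler(arena, record_len, reply, sizeof reply);
    return n > 0 && contains(reply, n, secret);
}

/* Reply length for an honest request (claimed length == real length). */
static size_t honest_reply_len(hb_handler handler)
{
    unsigned char reply[256];
    size_t record_len = build_request(5);
    return handler(arena, record_len, reply, sizeof reply);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler, honest request:   %zu bytes\n", honest_reply_len(heartbeat_fixed));
    return 0;
}
```

The honest request still gets a 24-byte reply from both handlers; only the lying request is refused by the fixed one. Note that nothing in the exchange is malformed at the TLS level, which is why exploitation of the real bug left no trace in ordinary server logs.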

IT departments have been frantically issuing alerts to change passwords

Sensitive data is protected by passwords; however, Heartbleed has potentially allowed passwords to be compromised. The vulnerability may have only just been discovered, but it has existed for roughly two years. Hackers are not known to have used it to gain access to sensitive data, but it is rather difficult to tell even if they have, because a heartbeat request that triggers the bug is a valid TLS message and leaves nothing unusual in ordinary server logs. As a precaution, IT staff have been sending emails to all users advising them to change their passwords. One caveat applies: a password should only be changed once the site in question has patched OpenSSL and reissued its certificate, since a new password entered on a still-vulnerable server can be stolen just like the old one.

Unfortunately, they are not the only ones sending password change requests to users. Online scammers have been piggybacking on the major data security event and sending emails of their own, conveniently including links that promise to let users rapidly address the huge security hole.

Any individual who has heard about the security issue will be keen to protect themselves against hackers and cyber criminals, so emails telling them to change their passwords are likely to be clicked. Unfortunately, those links lead to a website controlled by the scammers, where users are asked to enter their current passwords. By doing so they hand those passwords to criminals. They may think they are protecting themselves, but their actions do the exact opposite.

Beware of Heartbleed Protection Scams

Piggybacking on major news events is a common tactic used by phishers to get computer users to reveal their sensitive information. News of a major IT security flaw is music to phishers’ ears. Computer users are fearful of a cyber attack and phishers play on those fears. The response rate to emails of this nature is typically high.

Many IT professionals have been busy securing their networks and have performed security audits to address the latest vulnerability and search for others that may exist. Software companies are taking advantage and are offering products that will perform full system security checks. After all, there is no better time to boost sales than when the public is keen to improve online security.

Scammers have been taking advantage by sending links to websites that will supposedly perform security checks. The scam emails and adverts appear genuine. They offer a free system check to determine whether vulnerabilities exist, and some even promise to clean systems and install the required patches to secure devices. By accepting these checks, users are simply guaranteeing that their devices are compromised. It is therefore a time to be extremely vigilant for online scams. Any request to improve security must be verified as genuine, through a channel other than the email itself, before it is accepted.

How to Beat the Scammers, Spammers and Phishers

Fortunately, it is relatively easy to avoid becoming a victim of one of these scams. For credential-phishing emails of this kind, receiving the message with its link or attachment will not by itself compromise a computer; action by the user is required for that to happen. If the phishing email is deleted, so is the threat. However, not all users know how to identify a phishing email. If one reaches an inbox, a user may end up infecting their computer or, worse still, the network to which that computer connects.

It is important to give computer users the information they need to protect themselves. They must be advised of the tell-tale signs of a phishing email, such as a link whose visible text differs from the address it actually points to, an unexpected sense of urgency, and a request to enter existing credentials. Only then will they know how to determine whether an email is genuine. Training is therefore important, and now is a good time to ensure that staff are well informed.

It is also an ideal time to install some additional safeguards to prevent spam and scam emails from reaching users' inboxes. SpamTitan Technologies offers two security solutions. The first is a robust and highly effective spam filter that prevents spam and scam emails from being delivered. The second prevents users from clicking through to scammers' websites.

SpamTitan web filtering works like a business version of a parental control filter. Instead of just blocking gambling, dating, and pornographic websites from being visited, it also blocks users from visiting known phishing websites and even genuine websites that have been infected with malware.

By installing both of these anti-phishing solutions, IT professionals can sleep a little easier. The Heartbleed vulnerability will still need to be addressed on the servers themselves, but end users will be far less likely to fall for the myriad piggybacking phishing campaigns that have been launched in the few days since the Heartbleed announcement was made.

Will Your Brand Image Survive a Data Breach?

Consumers are spending less in bricks and mortar stores, and more people are looking for goods and services online. On top of this, some major retailers have suffered data breaches which have tarnished their reputation. For Target, the 2013 data breach it suffered has had a serious impact, and sales have been lost to competitors as a result.

According to a Cowen & Co. tracking survey, there has been a decrease in customer satisfaction. The survey indicates a fall in satisfaction with the overall shopping experience, and ratings for customer service have also declined.

The data show that reputation and brand image do have an impact on shoppers’ behavior. They will go elsewhere if they do not trust a retailer.

Target is one of the biggest retailers in the United States. What would be the impact on a small to medium sized organization? Would it be possible to weather the storm after a massive data breach has been suffered?

Data Breaches Can Cost SMBs Dearly!

The cost of a data breach can be considerable, and the Ponemon Institute has recently quantified it. In a recent survey, 850 executives were asked about reputation damage following a data breach. 44% of respondents said it would take between 10 months and 2 years to recover from the damage to reputation following a data breach. For some companies the effect will be felt for much longer, if they manage to stay in business that long.

Not all breaches have the same effect on a company’s reputation. Consumers are aware that security breaches are now a fact of life, but they are likely to be unforgiving if their Social Security numbers, credit card numbers, or bank account details are obtained by criminals.

The potential financial losses for a company can be considerable. Ponemon's study suggested that brand image damage can cost between $184 million and $330 million. In the best case scenario, the study suggests, a company is still likely to lose 12% of its brand's value.

Your Competitors are Waiting to Take Advantage

All companies are likely to suffer a data breach of some description, yet many are ill prepared to deal with one when it occurs. A breach response plan developed before a security incident is suffered can substantially reduce the damage caused.

It is possible to win back the trust of customers after a breach, but it can be a long and difficult process. It is not actually clear whether a company’s reputation can ever fully recover. After all, today’s marketplace is particularly unforgiving. There is simply too much competition and plenty of competitors who will be ready to take advantage.

If your reputation is damaged, it will have an impact on your bottom line. Customers will change brands and there will be class-action lawsuits filed as plaintiffs try to recover damages. Revenues are likely to fall, and regulators may also issue costly financial penalties.

Fortunately, there are a number of actions that can be taken to reduce the risk of a data breach being suffered. Should the unthinkable happen, they can also reduce the severity of the breach. Think of data security investment as an investment in your brand image. That must be protected at all times.