Jason Arabian is the president of CMIT Solutions of Central Rhode Island, an IT service provider for the small- and medium-sized business community based in Portsmouth.
Arabian spoke with Providence Business News about the Heartbleed security bug in the open-source OpenSSL cryptography library, and how businesses can protect themselves from Heartbleed and other cybersecurity threats.
PBN: What is Heartbleed, and why do small businesses in Rhode Island need to know about it? Should it be taken as seriously as media reports suggest?
ARABIAN: Heartbleed is a recently discovered vulnerability in widely used cryptographic software. In short, information that we thought was encrypted and secure was not. Yes, it should be taken seriously as it affects countless Internet applications, including email, instant messaging, and virtual private networks. It’s very rare that the IT industry urges the entire world to change all of its passwords based on one newly discovered vulnerability.
PBN: How have you advised your clients about coping with Heartbleed, and what lessons about cybersecurity can businesses take away from the Heartbleed bug?
ARABIAN: We contacted all of our clients and advised them on the steps we were taking to protect their information as well as the steps they needed to take both inside and outside their business environments.
The first step is to change passwords for all online portals — email accounts, online banking and any other logins. Sounds obvious, but we’re serious: create new, strong and secure passwords for any online portal, as there’s still no indication of the Heartbleed vulnerability’s scope. It only takes a minute and it will instantly improve your online security. Using a password management tool is crucial.
The second step is to check your business’ website, particularly if it relies on e-commerce. If, as many experts fear, the Heartbleed bug has been stealing data for the last two years, credit card info will probably be at the top of that list. Many online outlets purport to test for Heartbleed vulnerability, but working with a trusted IT provider is your best bet to ensure security, transparency, and proper implementation of fixes. All of CMIT Solutions’ websites were unaffected by Heartbleed, allowing us to concentrate on proactively solving any problems our clients may have with the bug.
The third step is to consider a remote monitoring and management service that keeps your systems safe and running. Keeping up with the avalanche of tech troubles in the news recently (CryptoLocker, data breaches and now Heartbleed) is virtually impossible — especially when you’re trying to run a business. Rather than stressing over anti-virus updates, security fixes, and malware protection, businesses should concentrate on their area of expertise: giving customers the best service possible while increasing revenue.
PBN: From your perspective as the president of an IT services company, what are some of the most common misconceptions about cybersecurity?
ARABIAN: There’s an overwhelming belief that cyberspace is secure because just about everything has a password or requires a login. Fact is, passwords need to be complex and should be changed regularly. Another common misconception is the definition of valuable information. Many people believe that their computer does not contain any valuable information. It doesn’t have to be a bank account or credit card number. Usernames and passwords to secure sites can typically be found in an unprotected format. It’s also important to remember that any personal information can help thieves gather enough information to commit identity theft.
PBN: For local businesses, which is the greater threat: massive, widely reported bugs like Heartbleed or smaller, targeted attacks?
ARABIAN: Targeted threats are very real and dangerous, but they are not very common with respect to the average business. Bugs like Heartbleed represent a much greater threat as they encompass a weakness across multiple environments. The fact that it went unnoticed for so long is also alarming. It will be difficult to assess what damage, if any, has been done due to Heartbleed.
PBN: What are the top security threats facing businesses, and how can business owners protect themselves, their customers and their reputations?
ARABIAN: The weakest link in any network is and probably always will be the end user. Even if IT has the ability to remove the bulk of the security risk, human habit always has a way of showing itself. Today, thieves are becoming masters of social engineering and phishing campaigns. Through seemingly harmless conversation they can gather key pieces of information which could ultimately lead to theft or loss.
We must become much more aware of the risks of sharing sensitive information – difficult to do in a world where sharing the entire day’s events is fast becoming normal. We must realize both as individuals and businesses that our private information and data must be guarded closely. Policies and procedures only work if everyone follows them all the time. Ever-strengthening local and federal laws are holding businesses accountable for the client information they handle and responsible for the losses incurred during a breach. It comes full circle as the media is very sensitive to this type of event, which often translates to headlines. Everything is at stake here: financial responsibility, customer trust and reputation.