Canada markets closed

Heartbleed fallout could drive fundamental change

Fin - Dashboard - CA
The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called the "Heartbleed Bug" in Toronto, April 9, 2014. REUTERS/Mark Blinch

If it’s a big enough threat to scare the taxman, it should be big enough to scare everyday users, too.

By any definition, news that two-thirds of all web servers on the planet are at greater risk of being compromised by hackers because of the recently identified Heartbleed vulnerability ranks as one of the most significant online security events in recent history.

The taxman runneth

With millions of Canadians filing their tax returns online, the Canada Revenue Agency decided to temporarily shut down access to its publicly facing taxpayer services while it worked behind the scene to update its web servers. It’s a concrete example of how much is at stake as consumers shift more activities – like retail purchases, e-filing tax returns and other government services – online.

But let’s put this news into perspective: This is a vulnerability, or an acknowledged weakness in the code that runs web servers. It isn’t a breach or an attack. To the best of the knowledge of the researchers who discovered the flaw, there have not been any large-scale attacks as a result of this vulnerability. This isn’t a replay of the Target retail hacking, and millions of consumers haven’t already had their confidential data – or worse – violated thanks to Heartbleed.

Still, because of Heartbleed’s sheer scope, this isn’t just another everyday security scare. It’s a siren call for greater investment, at all levels of business and government, in online security tools, people and related resources. Like insurance, which few of us pay attention to until we really need it, up-front investments in security – from the leading-edge tools that keep servers safe and hackers out to the IT professionals who scan the horizon for new and emerging threats – must now become higher-priority items within organizational budgets.

Failure to do so will render all organizations, both public and private sector, increasingly vulnerable to high-profile data loss. And once disaster strikes, recovery is infinitely more expensive and damaging than simply paying up-front for protective capabilities. The CRA may not live in a competitive environment, but the cost of a government breach of any scale would be catastrophic. In the profit-seeking business landscape, it could be deadly to the organization. No organization of any size can afford to ignore this issue. Consumers will simply abandon them if they do.

Pay now, or pay later

Our inability or unwillingness to invest in protective capability is already costing us. Recent reports that Canadian government agencies lost 10 times as much data last year as in the previous 10 years combined serve as damning proof that the public sector isn’t doing enough to safeguard the rising volumes of confidential data entrusted to them. The for-profit sector isn’t doing much better, with high-profile attacks on Target, Neiman-Marcus and Michael’s prompting online and in-store shoppers to wonder who they can trust.

Unfortunately, no one. Online security is ultimately the consumer’s responsibility. We can complain all we want about the government, our social media provider, or our bank letting us down with weak technology, insufficiently staffed IT departments and lax data stewardship policies. But in the end, we’re the ones who choose to sign on.

Take control

With that in mind, consumers must step up and follow password management best practices – use secure passwords, do not reuse them for multiple online services, change them regularly and use password apps to keep track of them all – and challenge online vendors, including the government as well as any institution or organization that requires and stores personal information online, to maintain their investments in security. And find alternatives if they don’t.

Heartbleed won’t be the last vulnerability to hit the online community, but it might very well be the straw that breaks the back of laissez-faire security. Organizations that fail to prioritize a security-first culture will find themselves on the losing end of a consumer culture that places ever increasing value on keeping stakeholders, and their data, safe.

Carmi Levy is a London, Ont.-based independent technology analyst and journalist. The opinions expressed are his own. carmilevy@yahoo.ca