Treasury Today Country Profiles in association with Citi

Heartbleed – what the treasurer needs to know

Woman entering details into laptop

Cyber security risk continues to be a threat to companies and their data. The latest cyber menace to be discovered is Heartbleed, a major security flaw that affects over two-thirds of internet servers and can expose sensitive information such as passwords and bank details. Here is what every treasurer needs to know.

A critical defect has recently been discovered in the software which is used by an estimated two-thirds of internet servers to protect users’ private information such as passwords and banking details. The defect, dubbed ‘Heartbleed’, was discovered by Google and Finnish software security firm Codenomicon earlier this month, and has since received a torrent of (often confusing) media coverage.

In this article Treasury Today explains what Heartbleed is and how it can affect your treasury department. We also offer some practical steps, drawn from our recent coverage of cyber security and the public information circulating about Heartbleed, which can help you to protect your company’s assets.

What is Heartbleed?

Heartbleed is a bug which is found in some versions of OpenSSL, a piece of open-source software which encrypts a user’s communications with web servers all around the world. The software – often represented by the URL beginning with HTTPS:// and a padlock symbol in a web browser – is designed to secure the line of communication so the user can input sensitive information, confidentially.

The bug creates a vulnerability gap in this encryption which can be exploited by hackers to allow them to read the memory of the server and see the information which has been passed through it. This includes, but is not limited to: user names, passwords, bank account details and internal and external emails. The vulnerability ultimately allows hackers to steal data and impersonate services and users.

Worryingly, Heartbleed has been in existence for over two years and it can be exploited without trace. This makes it impossible to see if your company’s systems have already been exposed to the bug, and if so, what data has been stolen.

The good news is that a fixed version of OpenSSL has been created and deployed by many major websites. However, due to the large volume of websites which use OpenSSL it may take some time before all vulnerable websites are updated and secured. This can impact companies because many ‘behind-the-scenes’ servers which have used or which still use the software may remain vulnerable, leaving it hard to calculate the exposure.

Mobile technology

With the increasing use of mobile technology in the treasury department, it is important to note that Android devices running version 4.1.1. or lower have also been vulnerable to Heartbleed. This has been fixed by Google in the last 18 months, in three new versions of the operating system, and in seven bug fixes. But these updates have not been pushed out to many devices and it is estimated that close to one billion devices worldwide still use the older version and remain exposed.

Some mobile applications which use the old version of OpenSSL also remain at risk, although there is no way for the user to tell they are still at risk just from using the app. The best practice recommended by security firms is to be vigilant and check on the app developer’s website that they are secure, and to avoid using any apps which you cannot get confirmation on.

Steps to mitigate the risk of Heartbleed:

  1. Although some major websites such as Google have indicated that users do not need to take any action, it may be a useful exercise to change passwords for any vital services, including VPN. Cyber security experts advise that passwords be changed regularly anyway, so now is as good a time as any to begin.

  2. Create a list of websites and services which the treasury uses and determine whether any of these have been affected. Mashable offers a list of the Heartbleed status of major websites including email services and banking websites. Password manager LastPass also offers a website vulnerability checker.

  3. Be vigilant over all accounts – email, bank and so on – which the department has accessed online and monitor activity closely, as well as backing up data and securing offline.

  4. Ensure that all Android mobile devices used by the treasury team are running version 4.1.2 or higher.

  5. Speak to the IT department and ensure that, if a server is vulnerable, they replace the SSL certificate. Also, enquire about security testing for treasury going forward.

  6. Continue to employ the basic cyber security measures as normal as these remain your key defence against cybercrime.

Finally, treasury professionals should pay keen attention to cyber security, even when it is not headline news. Treasury Today discussed this topic with three experts in a recent Question Answered article, which contains further useful information around best practice in this field.