Rhino Security Labs

How the Heartbleed vulnerability affects you

What is the Heartbleed bug?


You may have seen news about Heartbleed on tech sites and even major news outlets like CNN. A lot of the coverage has focused on technical details and not much on real-world impact.

That may have left you asking: “How does this affect me or my business?” Based on the hit-and-miss effects of previous “big news” vulnerabilities, many people have also made the assumption that they don’t need to worry about Heartbleed, because, like those previous vulnerabilities, it doesn’t apply to them.

Heartbleed affects almost everyone

If you use the internet, Heartbleed impacts you. Over half of all the websites on the internet use OpenSSL, the software affected by Heartbleed. The percentage of sites using OpenSSL is even higher when you look at web services like Dropbox, Facebook, and online banking.

The Heartbleed vulnerability allows an attacker to transparently capture and decrypt encrypted data, including usernames and passwords and any other information passing between the affected web server and you.

The vulnerability is easy to exploit and tools already exist to take advantage of it. So this is going to be a very popular attack vector in the coming months and anyone running OpenSSL on their web servers or using a service that relies on OpenSSL is at considerable risk of having a data breach.

For individuals

If you’re a consumer of web services, there’s not much you can do at this point to protect yourself. Most of the responsibility for protecting users is on the service provider’s side.

Resetting your passwords for the online services you use will mitigate the damage caused by your user credentials potentially being exposed. If you’ve been following good password practices and using unique passwords for each service, you’ll be in better shape than most.

If not, this is a good time to change your habits. Password management software like LastPass and 1Password will help make the transition to unique passwords easier.

For businesses

If you run a business that uses OpenSSL, there are a few things you can do to protect the business and the users who access your technology.

The first step you need to take is to patch your systems with the newest version of OpenSSL. (If you don’t know where to start, we may be able to help.)

Once your systems are patched, it’s also a good idea to re-generate any SSL certificates currently in use. While your servers may not have been compromised, it’s safer to assume that they have been.

While many consumer-focused businesses have sent e-mails suggesting that users change their passwords, depending on your situation it may be better to actually force a password change.

Taking these steps will mitigate much of the current risk, but given that the Heartbleed vulnerability was discovered to be over two years old, many web servers on the Internet may have already been exploited.

If you’re concerned that your servers and internal information may have been breached, a security assessment will help determine if you need to take additional steps to protect yourself.

As a responsible business owner, what you absolutely cannot afford to do at this point is ignore Heartbleed. Well-known security expert Bruce Schneier, who has historically been very conservative when talking about the effects of security issues, has called this particular vulnerability “catastrophic”: “On the scale of 1 to 10, this is an 11.”

If you have questions about how to implement these fixes and protect your business from Heartbleed and other web vulnerabilities, get in touch and we can talk through what we might be able to do to help.