Recent events suggest that hackers' skills are evolving faster than those of data security experts, with new breaches occurring on a regular basis and compromising the personal information of millions of Americans. But it's not only the new threats that you have to worry about. Many consumers assume that once a specific attack is uncovered, corporate security teams move quickly to upgrade digital systems, preventing similar future issues. Unfortunately, this is not always the case.
Recent reports have found that hundreds of thousands of corporate servers, routers and devices still have a security vulnerability discovered six months ago — the one that made the Heartbleed hacks possible. In fact, the analysts at Venafi Inc. found that more than half of the Forbes Global 2000 listing of the most profitable companies on earth are still at risk, with 448,000 vulnerable servers between them.
A spokesman told Bloomberg News that the list of those companies includes some very big names in the banking, health care and retail industries, although he refused to say which ones. Only 3 percent of public-facing services belonging to the Global 2000 companies can currently be deemed secure.
"IT Security teams are under the false notion that they have fully remediated Heartbleed by applying a software patch," write the Venafi researchers in the report. "But if someone walks into your house through an open door and steals your house keys, you don't then rely on the same locks once you've closed the door. Organizations must find and replace all of their keys and certificates - all of them. Otherwise significant security gaps and open doors remain."
A separate report from consulting company Errata Security substantiated those conclusions, finding as many as 300,000 network points that are still exposed to Heartbleed hackers. Many analysts believe that Heartbleed was the point of entry for cyber criminals who managed to steal patient records from Community Health Systems in one of the largest data breaches in the health care industry. Bloomberg reports that the attack happened a full week after the bug was publicly announced in April, meaning that hackers were able to leverage it well after security experts learned it was a potential problem.
Unfortunately, as a consumer there is little that you can do to directly influence the security measures of big companies with which you do business, beyond pressuring them to improve response times and increase transparency. (Remember that companies are not required to reveal data breaches unless they know that they lost legally protected information, such as credit card numbers or health records.) Corporate digital defenses continue to lag when compared to the hackers against whom they are fighting.
However, there are important steps you can take to protect yourself as a consumer, such as keeping a close eye on your credit history. Every American is entitled to one free credit report a year from the three major credit bureaus — TransUnion, Experian and Equifax. We also suggest investing in a credit monitoring service. While such services cannot guarantee your protection against identity theft, they can alert you to certain activity that may indicate potential fraud, giving you the chance to mitigate the potential damage. Until the world's biggest corporations are better able to defend themselves against cybercrime, it's up to you to protect yourself.