Changing passwords won’t beat Heartbleed Bug

Jun 23 | 2014

As details emerge about a flaw in the OpenSSL library (the Heartbleed Bug) that lets attackers read memory from affected servers, including the private cryptographic keys they hold, KPMG’s Stephen Bonner argues that panicking consumers into changing their passwords is not necessarily the right response.


Instead, he suggests that organisations hosting sensitive information should identify the weak points in their web footprint and fix these, before advising customers on the appropriate action to take.

Bonner, a partner in KPMG’s Information Protection and Business Resilience team, said, “Too much credence is being given to the idea that the Heartbleed Bug can be beaten if customers change the passwords they use to shop and communicate online. It’s an easy option, but one that ignores the real questions around what businesses should be doing to safeguard their Internet footprint.”

“The web is a world without borders, meaning that companies must map their entire online presence, identify where vulnerabilities exist and work with their software suppliers to ensure the Heartbleed Bug is blocked at any point of entry. After all, the software flaw may have a fix available, but it’s only when every gateway is guarded with the relevant patch that customer password changes will be effective. The fact remains that if passwords are changed beforehand they are just as vulnerable.”

“If a company identifies vulnerabilities, the next step should be to assess the impact and take action to protect any sensitive data. If they find that they are secure, logic suggests that customers should be assured this is the case. After all, having different passwords on each service and changing them on a regular basis makes good sense, but the rush to urge immediate action creates a sense of panic that helps no one.”
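The ordering Bonner describes, map the footprint, fix every gateway, then advise customers, can be made mechanical. The script below is an added illustration written for this page, not KPMG’s or Bonner’s code. It takes a constructed inventory of hostnames with the OpenSSL version banner collected from each (the hostnames and banners are made up for the example), triages each host against the publicly documented affected range of CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release; 1.0.1g and 1.0.2-beta2 carry the fix; the 1.0.0 and 0.9.8 branches never had the heartbeat code), and only reports a password reset as worthwhile once no host in the inventory could still leak the new credential or is still serving a key that may already have been read.

```python
"""Heartbleed exposure triage for a host inventory.

Added example for this page; hostnames and banners below are constructed.
The version-banner check is a first pass only: distributions that backported
the fix without changing the letter (for example an "OpenSSL 1.0.1e" build
from a vendor advisory) and builds compiled without heartbeat support will
show as "likely_vulnerable" here and need a vendor advisory or a live test
to clear them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the start of an `openssl version` banner, e.g.
# "OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014",
# "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+|fips))?", re.IGNORECASE
)


def classify_openssl(banner: str) -> str:
    """Map a version banner to one of:
    "likely_vulnerable", "patched", "not_affected", "unknown"."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        return "unknown"
    branch = (int(m[1]), int(m[2]), int(m[3]))
    letter = m[4].lower()
    tag = (m[5] or "").lower()
    if branch < (1, 0, 1):
        return "not_affected"          # 0.9.8 and 1.0.0 never had the bug
    if branch == (1, 0, 1):
        # "" sorts before "a", so plain 1.0.1 and 1.0.1a..f are all caught.
        return "likely_vulnerable" if letter <= "f" else "patched"
    if branch == (1, 0, 2) and tag == "beta1":
        return "likely_vulnerable"
    return "patched"                   # 1.0.2-beta2 onward, 1.1.x, ...


@dataclass
class Host:
    name: str
    banner: str                # banner re-collected from the live host
    keys_rotated: bool = False # new private key and certificate issued


def blocking_reason(host: Host) -> Optional[str]:
    """Why this host still blocks a customer password reset, or None."""
    triage = classify_openssl(host.banner)
    if triage == "not_affected":
        return None
    if triage == "unknown":
        return "identify the TLS stack on this host before anything else"
    if triage == "likely_vulnerable":
        # Patching changes the banner; re-collect it rather than trust a ticket.
        return "patch OpenSSL, restart every TLS service, then reissue keys"
    # Upstream fix present, but memory read before the patch may have
    # included the private key, so the old certificate must go too.
    return None if host.keys_rotated else "reissue certificate and private key"


def password_reset_advisable(hosts: List[Host]) -> Tuple[bool, Dict[str, str]]:
    """A reset only helps once no gateway can leak the new password again."""
    blockers: Dict[str, str] = {}
    for host in hosts:
        reason = blocking_reason(host)
        if reason:
            blockers[host.name] = reason
    return (not blockers), blockers


# Constructed inventory for the example.
INVENTORY = [
    Host("www.example.com", "OpenSSL 1.0.1f 6 Jan 2014"),
    Host("vpn.example.com", "OpenSSL 1.0.1g 7 Apr 2014", keys_rotated=True),
    Host("legacy.example.com", "OpenSSL 0.9.8y 5 Feb 2013"),
    Host("api.example.com", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    Host("mail.example.com", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    Host("cdn.example.com", "nginx/1.4.7"),  # no OpenSSL banner recovered
]

if __name__ == "__main__":
    ok, blockers = password_reset_advisable(INVENTORY)
    print("advise customers to change passwords:", ok)
    for name, reason in blockers.items():
        print(f"  {name}: {reason}")
```

In the constructed inventory only the VPN (patched and re-keyed) and the legacy host (never affected) are clear, so the function refuses to recommend a reset until the other four are dealt with; a host that reports "likely_vulnerable" because its vendor backported the fix should be cleared by updating the inventory from the vendor advisory or a live heartbeat test, not by editing the banner.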


Photo: Businesses need to look beyond simple password changes to beat the Heartbleed Bug.