
Ian McKenna: What firms should have learnt from the Heartbleed bug


Given the ever-increasing use of online services, it is worrying to discover that, for more than two years, most supposedly secure online sites had a significant vulnerability.

Across the industry we use technology to try to improve services and reduce cost, so anything that calls into question the security of such services is clearly a risk.

The recent episode with the Heartbleed scare is a classic case. I wonder if, as an industry, we are being explicit enough about Heartbleed and how it might affect services.

The first thing to understand about Heartbleed is that it is not a virus. It is essentially a security hole in a widely used version of software known as OpenSSL. To get technical just for a moment, this is an open-source cryptographic library that provides SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption.

It seems that approximately 60 per cent of supposedly secure websites were using the at-risk code for around two years before the flaw was widely recognised. The weakness could have allowed hackers to extract secure information. In fact, no one really knows how much data might have been stolen.

Open source software has the advantage of being low-cost but, given many financial organisations’ preference for proprietary software, it is fair to assume that less than 60 per cent of firms in the industry are affected, as many were not using OpenSSL.

I am surprised more life companies and platforms have not made statements about how they might have been affected. If they were not using OpenSSL they do not have a Heartbleed problem.

Notably, Standard Life has put a statement on its consumer login to confirm it had not been affected but I have found no similar declarations on other life office or platform sites.

Similarly, industry technology suppliers could make clear statements to advisers confirming either that they have not been affected or, if they have, when their servers were patched to address the issue.

Software specialist JCS did put out a statement to users confirming it has no vulnerability. It would be good if others could provide such an assurance. I expect the vast majority have had no problems, but communicating this would be a positive move.
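A supplier confirming "we were patched on date X" needs to know which OpenSSL builds it was running. The following triage helper is an added example, not code from the column or from any firm named in it; it classifies an `openssl version` banner against the affected release range (1.0.1 to 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2) and flags the distro-backport caveat that makes the version string alone insufficient.

```python
import re
import subprocess

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and
# 1.0.2-beta2 shipped the fix. 0.9.8 and 1.0.0 never had the heartbeat
# extension, so they were never affected.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta(\d+))?")


def triage_openssl_banner(banner: str) -> str:
    """Classify one `openssl version` banner.

    Returns 'not_affected', 'fixed', 'affected_range' or 'unknown'.
    'affected_range' is not proof of vulnerability: distributions such as
    Debian and Red Hat backported the fix while keeping the old version
    string (e.g. a patched 1.0.1e), so confirm with the package changelog
    or the build date from `openssl version -a` before signing anything off.
    """
    m = _BANNER.search(banner)
    if not m:
        return "unknown"  # LibreSSL, BoringSSL or some other non-OpenSSL banner
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(6)
    if version < (1, 0, 1):
        return "not_affected"
    if version == (1, 0, 1):
        # Unlettered 1.0.1 and 1.0.1a-f are in range; 1.0.1g onward is fixed.
        return "affected_range" if letter <= "f" else "fixed"
    if version == (1, 0, 2) and beta == "1":
        return "affected_range"
    return "fixed"


def triage_local_openssl() -> tuple:
    """Run the local `openssl version` command and triage its banner."""
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout.strip()
    return banner, triage_openssl_banner(banner)


if __name__ == "__main__":
    local_banner, verdict = triage_local_openssl()
    print(f"{local_banner}: {verdict}")
```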

Some very big technology companies, ones many people use every day, have been affected by this problem. If you are not using good password discipline, that is, maintaining a separate alphanumeric password, ideally including special characters, for each website you use, there is some risk your security may have been compromised.

From a practical perspective this means that if you used the same password to access a popular social media site as you did for logging in to details of clients’ investments or for cloud storage you could have been compromised.

The advice if you think you might have been affected is to wait until the vulnerable site has been patched – most now have – and then change your passwords. If in doubt, there are an increasing number of Heartbleed checkers you can use to check if a site is vulnerable.

One company I always find talks a lot of sense when it comes to data security is Trend Micro. You can find its Heartbleed plugin for Chrome here and its Android app here.

So far, there have been surprisingly few horror stories about losses incurred as a result of Heartbleed, but it is important not to be complacent. It may be that firms are not coming forward with such information – or that the internet simply had a very lucky escape.

All this is a stark reminder of why password security is essential. Using the same passwords in your personal life and on social media as you do in business is asking for trouble.

Ian McKenna is director of Finance & Technology Research Centre


Comments


  1. Simon Webster 6th May 2014 at 3:22 pm

    We had to email Iress to get them to confirm they were not impacted as we use their portal. There seems to be a fair degree of complacency in FS on this sort of issue…
