By now, you’ve likely heard of the latest massive security flaws, Meltdown and Spectre. After news dropped Jan. 3 of the multiple, critical vulnerabilities in modern processors (mostly, but not exclusively, Intel chips), the Tech community and businesses wanted to know: how bad will the impact be? The answer is complex and made more confusing by Intel’s statements that went from saying the performance impact of patches for these security flaws “should not be significant” to “may initially be higher” to “significant” in under a week. We’re here to help clear up the confusion surrounding the impact Meltdown and Spectre security flaws, and their respective patches, will have on your business.

First Things First: What are Meltdown and Spectre?

Before we get into the nitty-gritty of the impacts on your business, you need to understand what Meltdown and Spectre security flaws entail to get an idea of the large-scale, lasting impact this will have on the future of cybersecurity and hardware security. These security flaws affect almost all processors produced since 1995, so yes, every laptop, desktop, or smartphone you use is at risk.

Meltdown “basically melts security boundaries which are normally enforced by the hardware,” while Spectre “breaks the isolation between different applications” which gives hackers the ability “to trick error-free programs, which follow best practices, into leaking their secrets,” according to researchers. Translation: These vulnerabilities can be exploited by hackers to steal sensitive data, like passwords, from your computer. Spectre is even worse because it’s a threat to smartphones as well as major server-based cloud providers since it may allow hackers, posing as customers, to steal information from virtual neighbors hosted on the same server.

The major things to know are that Meltdown can be mostly mitigated through software patches that major Tech giants, like Apple, Google, and Microsoft, are rapidly pushing out. However, only some exploitations of Spectre can be stopped by patches, which means new hardware may be necessary to guarantee security. It’s also likely Spectre will continue to be exploited for years to come given the fact that it offers various avenues of attack. For a full explanation and helpful FAQ section, check out the Meltdown Attack website created by the researchers that helped discover it.

How Meltdown and Spectre Impact Your Business

There are two primary ways Meltdown and Spectre could impact your business, which are an increased risk of cyberattacks targeting your sensitive data by exploiting these processor vulnerabilities and a decrease in performance, AKA speed, resulting from patches for your business’ devices or the cloud services supplied through your cloud provider. While patches are being produced rapidly to diminish the likelihood of successfully exploiting Meltdown and Spectre vulnerabilities, the performance impact of these patches is likely to be the most damaging aspect of these security flaws.

While there are differing reports from a variety of Tech companies and experts evaluating the projected performance impacts of these patches, it’s more complicated than a simple answer. The performance impact is highly dependent on your hardware, operating system, and workload. So, while reports that the average computer user shouldn’t experience noticeable slowdowns may be true for newer devices, computers with chips dating back to 2015 or older will slow down “significantly,” according to Microsoft.

However, businesses running large-scale, heavy workloads, like virtualization and data center/cloud workloads, on their servers should expect a significant performance impact. Intel is still getting a sense of the performance impact data centers of major cloud-service providers like Amazon and Microsoft can expect. These providers will likely see the most damaging performance impacts since they have the highest workloads and are also most vulnerable to exploitations through Spectre vulnerabilities, meaning the sensitive business data you store in the cloud through these providers is now at risk.

What You Can Do

Here’s a look at what you can do to protect your business from Meltdown and Spectre:

  • Update, update, update. Dispatch your cybersecurity team to have every business device's operating system and browser of choice updated with the necessary patches for these security flaws. Develop a process requiring employees to update their devices on a regular basis. (Forbid the tempting "Remind Me Later" option commonly provided with update notifications.)
  • Stay abreast of new information. While Meltdown is mostly resolved with patches currently available, Spectre is not. Ensure your cybersecurity team is staying abreast of any new information regarding security updates for Spectre and communicating it to your employees.
  • Analyze your entire security chain.  The security of your business today expands much further than the four walls of any office space. You likely rely on a variety of providers for services like Wi-Fi, cloud computing, data visualization/analysis, and more. Review the security measures these providers follow and put pressure on them to ensure your business is protected.
  • Evaluate the data you need. Companies today amass a wealth of data on everything from website traffic to specific consumer and employee information, like addresses, credit cards, social security numbers, and more. Evaluate which data you actively utilize and if there is any data being collected simply because it always has been. Reducing the amount of sensitive data stored on offsite servers through cloud providers minimizes the risk that hackers will be able to access that data by exploiting Spectre vulnerabilities.
  • Hire cybersecurity talent. If you haven't already, now is the time to expand your cybersecurity team. Cybersecurity is by far the most invaluable Tech skill set for businesses considering the rise in massive, wide-spread cyberattacks, security flaws, and increased reliance on vulnerable service providers in recent years. Hiring the right cybersecurity talent is an investment that will likely provide the highest ROI out of any new hire in the years to come.

Although there aren’t many solutions at the moment of how to minimize the performance impact of the patches on devices with heavy workloads, it’s crucial to start putting the security of these devices ahead of performance. In fact, it was the Tech industry’s insistence on putting performance ahead of security throughout the past two decades that resulted in Meltdown and Spectre, according to Paul Kocher, one of the researchers who discovered the vulnerabilities.

One thing made clear through the discovery of these security flaws is that the current standards of security in the Tech industry are dismal at best, which is why having a highly qualified cybersecurity team has never been more crucial. If you lack the cybersecurity talent you need to protect against Meltdown, Spectre, and future security threats, contact Mondo today. We have the highly qualified cybersecurity talent you need to ensure your most sensitive and valuable data remains secure.