In a very small non-technical business which relies on some SSL-based services, where I am the only nerd, here's my experience.
I had to:
- Test everything with SSL that we use in-house (we got off easy), then patch openssl on our internal web server. That was mostly for fun, since our network is fairly secure, and nobody that uses our internal network would be smart enough to exploit heartbleed. But still, NAT invaders, you never know. Maybe an hour spent, probably less.
- Explain this bug to everyone that isn't tech savvy, how it probably won't make a difference for us, but what it means for security. It wasn't worth calling a meeting over, so I did it individually; took a while, though.
- Make all employees reset ALL of their passwords on the SSL websites we use, after testing a small sample of them and finding several were affected by the bug; better safe than sorry. From a micromanagement standpoint, this is actually a gigantic expense of time, since we generally don't cycle passwords on many of these sites very often, and often share non-critical accounts between employees. There's wasted time when everyone types the old password, scratches their head, tries to remember the new one, has to find someone else to ask, etc. A customer could walk away in frustration if it takes too long. Probably an hour or two spent.
- Contact any of the web service providers that we use, that I know were affected, sit around, wait on hold (for a long time obviously) to try to get some kind of plan of action or disaster report out of them. Many hours spent, but probably a waste of time anyway.
- Loss of business from downtime of two critical sites that shut down for a few days when they discovered the bug. Not as bad as it could have been if it were a larger business.
So how much did it cost our organization specifically? A couple hundred bucks in time total might be a reasonable estimate. Definitely not a problem for an end user like us.
This is nothing in contrast to a bad IT problem - for example when our entire network got raped by Zeus...
We're talking every email account compromised, our static IPs placed on god knows how many blacklists, practically worldwide email blacklisting of our entire domain, very difficult removal, loss of HUGE amounts of business data to CryptoLocker, loss of reputation when many of our customers also got the virus from opening emails from us, or received spam under our name; our ISP even cut us offline until repairs were done, and we were down for a week.
It even hit a backup drive with CryptoLocker because someone left it plugged in, which was very unfriendly when the banks needed to audit some business data that was CryptoLockered in two places. Management freaked and required very expensive antivirus software that slowed our computers to a crawl, requiring an upgrade or replacement of every system in the entire building.
I bet Zeus cost us over 50 grand; we had to change our domain name, which is the worst way out, and who knows what kind of data those assholes got while they were abusing our mail server.
We were tempted to burn the building to the ground and change our name to recover from that one.
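The first item on the post's list, testing everything in-house that speaks SSL and then patching OpenSSL, is the part a small shop can script. Below is an added example, not code from the original post: a triage pass over a constructed inventory of service hosts keyed by the banner each one's `openssl version` prints. It flags upstream versions that shipped the vulnerable heartbeat code (1.0.1 through 1.0.1f, plus 1.0.2-beta1; the 0.9.8 and 1.0.0 branches never had the extension). The host names and banners are made up for the example. One caveat built into the result labels: distributions often backport fixes without bumping the upstream version string, so a 1.0.1e banner means "patch, or confirm the package changelog shows the fix", not "definitely vulnerable".

```python
import re

# Constructed inventory for the example (not from the original post):
# host name -> the banner that host's `openssl version` reports.
INVENTORY = {
    "intranet-web": "OpenSSL 1.0.1e 11 Feb 2013",
    "mail-relay": "OpenSSL 1.0.1g 7 Apr 2014",
    "old-vpn": "OpenSSL 0.9.8y 5 Feb 2013",
    "build-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance": "unknown",  # vendor box that reports nothing useful
}

# Matches "OpenSSL 1.0.1e ..." and "OpenSSL 1.0.2-beta1 ...".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(banner):
    """Return (major, minor, fix, letter, beta) or None if the banner is unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def is_heartbleed_range(version):
    """True if the *upstream* release is one that shipped the buggy heartbeat code.

    1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1. 1.0.1g and
    1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the extension.
    """
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"  # "" (plain 1.0.1) sorts before "a"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def triage(inventory):
    """Map each host to an action label for the patching to-do list."""
    results = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            # No version to reason about: ask the vendor or test the service.
            results[host] = "unknown"
        elif is_heartbleed_range(version):
            # Upstream-vulnerable string; a distro may have backported the fix,
            # so verify the package changelog before declaring it clean.
            results[host] = "patch-or-verify-backport"
        else:
            results[host] = "not-affected"
    return results


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:14s} {status}")
```

Anything that comes back `unknown` (appliances, hosted services) is exactly the category the post ends up phoning vendors about; the script just makes that list explicit instead of leaving it in someone's head.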