However, the same solution cannot be easily applied to employees using a vulnerable SSL VPN connection between their smartphones and tablets and the corporate network, Williams said. Companies could switch all traffic to a non-standard port, but that would entail changes to the end-user device, as well as the networking gear, which might not be practical.
In those cases, CSOs will likely have to weigh the risk of continuing to allow employees to use the VPNs versus taking them down until a patch can be applied.
"This is going to come down to risk tolerance for each individual company," Williams said.
"Basically, they're going to have to take a look and say, 'We assess the risk to be so low, or the cost to be so high, that we'll accept the risk based on the lost revenue if we didn't allow them (employees) to connect.'"
Cybersecurity firm Codenomicon discovered and published information about the Heartbleed bug Monday night. On Thursday, the U.S. Department of Homeland Security warned companies that cybercriminals could exploit the vulnerability.
"At this time there have not been any reported attacks or malicious incidents involving this particular vulnerability, but because it is a highly visible media topic, it is possible that cybercriminals could exploit it in the future," the advisory said.