By now you have probably heard about Heartbleed, a security vulnerability publicly disclosed this week that affects vast numbers of websites, mobile apps and online services across the web. To recap, a version of the OpenSSL cryptographic library, which is widely used to encrypt and securely transfer information over the Internet, was potentially exposing this normally protected traffic and related data, including everything from usernames and passwords to the personal information of website users.
The ubiquitous nature of the potential threat, combined with some very smart communications by the people who found it, has created a media firestorm and significant concern among users and affected companies trying to figure out how to respond.
Here are four key considerations for communicators when dealing with Heartbleed.
- Understand the extent of the exposure. The ability to communicate about security issues is largely dictated by first understanding the basic technical details of the vulnerability and what risk it poses to customers. In the case of an Internet-wide issue like Heartbleed, the potential exposure is significant and it should be treated as a critical vulnerability.
- Work immediately to fix the issue. In the case of Heartbleed, where a patch for the issue exists, it’s important for companies to fix the issue before communicating if possible. This approach allows communications to focus on resolution rather than mitigation, which is a much better message. This will be more difficult for hardware makers than for web companies, as updating software is very different in that environment. However, Heartbleed is generally the exception rather than the rule, as many major vulnerabilities are announced before a fix is available, leading to the need for much more nuanced statements.
- Focus on protecting and communicating with customers. If Heartbleed affects an organization, it has a duty to notify customers about how to protect themselves. In this case that means encouraging (or requiring) people to reset their passwords and to be on the lookout for phishing scams.
- Be careful with absolute statements. Security issues are typically quite complex and often include a few twists. When communicating about them, it’s typically much more effective to outline the steps being taken to resolve the issue and resist the temptation to claim absolute victory.
I suspect we will hear much more about Heartbleed affecting even more systems and companies in the coming days, and it will be interesting to see how companies respond. While no two security issues are the same, these concepts can serve as a starting point in addressing other issues.
Image by snoopsmaus.