Communications Teams Get a Failing Grade Over Heartbleed

By Linda Musthaler | April 18, 2014


First of all, let me say thank you to the security professionals who are working their butts off to develop patches and permanent fixes for problems caused by Heartbleed. I know this is an extraordinary case of the highest priority. Thank you for using your talents and your time to plug this gaping hole and make your users safe again.

That said, I must criticize you for not engaging your colleagues on your communications team to keep your customers apprised of the situation. If ever there was a time to talk directly to consumers about computer security, this is it. Consumers are wholly confused and a little scared by this situation and they don’t know what to do—if anything. The general media made a big deal out of Heartbleed. Reporters told everyone, “Change your passwords! Now!” Unfortunately all they did was stir up panic in a consumer population that has little control over the situation.

As people in the IT industry know, not every website is vulnerable to Heartbleed. Only those websites that utilize certain versions of OpenSSL are vulnerable. But consumers don’t know what tools are behind the websites they use. They have no way of knowing if their credentials could be stolen via this exploit.

This is where it’s critical to have someone in an official communications capacity provide guidance to users of your website. It’s important to be forthright and tell users straight out, “We were affected, we are fixing the problem, and here is what you need to do.” Or, conversely, “We were not affected because we don’t use the vulnerable tool so there is nothing for you to do or worry about.”

I’m an IT insider but I’m also a consumer. When I first heard about Heartbleed, my thoughts turned to the sites where I conduct financial transactions—especially my online banking. I went to various websites I use regularly to see what they posted about Heartbleed, and it turned out to be nothing. Literally nothing. There was no communication to the public to say what, if anything, a consumer should do.

I happened to be on a support call with my bank for a different issue and I asked, “By the way, is your website affected by Heartbleed?” The support technician told me no, they did not use OpenSSL so there was no problem. This is one of the largest banks in the country. You would think they’d want to allay their customers’ fears about this situation. A simple “Heartbleed doesn’t affect our website” should have been posted prominently on the bank’s splash page. But no, I had to ask.

Today – at least 10 days after news of Heartbleed hit the press – I got an email notice from one of my security vendors, Norton. The subject line is “Security Alert: Information on Heartbleed.” Finally, at least one of my vendors wants to communicate with me about what’s going on! Unfortunately, the message has several grammar errors and a “from” address of norton@nortonfromsymantec.com – normally Norton is known as “Norton by Symantec” – so this made me suspect the message as a phish. I can’t trust anything in the message.

Right after Heartbleed was made public, security expert Jake Williams gave a presentation at a SANS Institute event in which he repeatedly advised his audience, “Tell your web users if they are affected or not. Don’t leave them wondering.” Apparently few people took his advice.

I am putting this failure on corporate communications teams. They are the ones responsible for communicating urgent matters with the public. Maybe they just didn’t understand the nature of this incident, however. In that case, it’s incumbent on the IT professionals who addressed the technical aspects of this matter to go to their corporate communications people and advise them on what to say—even if it’s “Everything is OK. We were not affected.”

Every incident response plan should have a communications aspect to it. When something serious happens, you must ask, “Should we tell our customers, and if so, what should we tell them?” To say nothing in a situation like the incident with Heartbleed is heartless.
