The Heartbleed computer bug that has left many websites vulnerable and open to data theft this week could affect more than Internet Web servers, according to security experts. Since the encryption flaw surfaced on Monday, it has affected companies including Amazon.com, Google, and Yahoo.
PRWeek asked agency executives to share their insights on how companies should communicate internally and externally about Heartbleed.
What are the main challenges for companies trying to communicate a potential data breach?
Kathy Bloomgarden, CEO, Ruder Finn: A communications team needs to be quick and responsive, which can be a challenge when one doesn’t have all the information necessary to give out details and say what the exposure is and what has happened in an individual context. But a company still needs to keep the trust and communications levels high, and keep people up to date.
There also has to be an educational process about online behaviors. All of us get stressed. We don’t change our passwords, we stay signed in because it is easier. It is complicated to remember all the different passwords one has, and if they are all different it is complicated to remember to change them. This documents there is behavior one needs to adopt, so another aspect the communications team must address is making people understand why it is important to adopt their online behavior in an instance like this.
Jeremy Rosenberg, SVP, head of digital, Allison+Partners: In a situation like this, companies have to walk the line between exposing that some of their services may be vulnerable to this attack, while ensuring their users’ and employees’ information is being kept safe. And because of the uniqueness of this particular bug, which is different from other kinds of hacks that have happened in the past, you can’t just send a message right away telling people to reset their passwords, because that actually won’t help. They have to make sure their systems are secured first, inform users, customers and internal folks that their system might have been vulnerable, and then instruct them on how to take cautions and safeguards against their own personal data.
How have your clients been assuring customers that they haven’t been affected?
Heather Kernahan, GM and EVP, Eastwick: Our client ARKpX, a secure file-sharing platform, launched a new product this week. We ended up working with them to adjust their launch announcement because they are in the security industry and they weren’t affected by Heartbleed. Although the message still focused on their new product, a lot of the announcement was about how their technology was not impacted by Heartbleed. We ended up making a nice link between their technology’s core strength as a secure file-sharing platform, and why they are not exposed to this kind of security threat. We have also done a lot of advising with clients that could potentially be impacted.
What kind of external comms should companies do in response to Heartbleed?
Kernahan: We are advising people to be proactive and transparent, which is a good comms strategy when you are dealing with any issue.
Because so many consumer sites have been impacted, we are pushing clients to focus on customer-friendly messages without going deep into the technical details, although making that available somewhere else on their websites.
Like any launch or issue companies deal with, companies should think about all of their comms channels and pick the ones that are going to reach the right audience. Some of our clients are using email comms direct to their customer base and stakeholders. And they have also added content to their website and are driving their social channels, and anyone who has questions on social, to that one page. Think about all the channels and strategically use the ones that are going to reach the target audience.
Richard Cline, global technology practice leader, Porter Novelli: Heartbleed’s impact has been focused on companies like Yahoo, Google, Dropbox, Facebook, and online banking, but those are big companies that are going to quickly update customers and [tend to the issue]. Smaller companies that don’t have the ability to upgrade like that will need more help, so security companies need to educate customers. Our largest client is network security company Palo Alto Networks. They have a blog on their web page that is a how-to of all the different measures you can take and all the different points of vulnerability. They have been directing customers to the blog, and it has proven to be their fastest communication route in this instance.
When a company has its own blog, it can keep customers regularly updated and get important information out more quickly and more effectively than going through traditional media channels, which might misconstrue the information.
How should companies communicate with employees?
Kernahan: Once they have their outbound message, companies should prep client-facing staff. This is a step we find people often miss when they are dealing with issues like this. Prep the sales team, anyone who answers the phone, and technical support staff with key messages. Companies may say they don’t have time for that, but the most critical thing a company can do is make sure everyone who is client-facing has the same message.
What are companies telling business partners to do?
Rosenberg: If it is a matter of partnerships or relationships one company might have with another one, they should be advising each other as to the updates on their own systems, as well as what they have been communicating to their users.
Kernahan: You want to make sure to communicate to clients and external stakeholders what is happening with your system, any steps that are being taken to put a patch in place, and show them that you are being as proactive as possible. I think companies want to prevent customers or stakeholders from being confused or worried about their security systems, so the faster companies can get a message together and get it out proactively, the better.