Heartbleed isn’t just a test of your online security; it’s also a test of how you treat your customers.
In some ways the Heartbleed OpenSSL vulnerability is a business owner’s worst nightmare. For the past two years hackers might have been eavesdropping on every login and password that made its way across your website, putting all your customers at risk. You can be sure that plenty of businesses pulled an all-nighter checking their servers for the Heartbleed vulnerability and patching them accordingly.
Even people who don’t run a secure website were still forced to pull an all-nighter as they scrambled to reset all their affected passwords. The list of sites susceptible to Heartbleed reads like a who’s who of the internet, so you probably had a long personal list to work through.
Not that it takes that long to reset your password. The time-consuming part was trawling the internet to check which of your service providers were vulnerable, whether they’d patched their services and if you needed to change your password.
If you embarked on your own personal Heartbleed witch hunt then you probably saw the full spectrum of customer support efforts – ranging from astounding to appalling.
There are lessons to be learned when it comes to dealing with your own customers in times of trouble.
The most vigilant websites took a proactive approach to dealing with Heartbleed. Not only did they assess and, if necessary, rectify the problem as soon as possible, they also kept their customers informed of exactly what was happening. They sent emails to every customer explaining what happened and what they needed to do to protect themselves. They also added details to their blogs and support pages, making life easier for customers searching for answers.
Unfortunately, not every business took such a responsible approach to the Heartbleed threat. I’m still waiting for official emails from several high-profile websites which I know were struck by Heartbleed and are recommending that customers change their passwords. Visit their websites and forums and you have to dig before you find any mention of Heartbleed – and then it’s usually a question posted by a concerned customer asking if there is anything to worry about.
A disaster like Heartbleed is just as much a PR challenge as a technical challenge. Leaving your customers in the dark is an instant fail and they’re entitled to wonder what else you’re not telling them.
If you’re running a secure website and dealing with sensitive information then you need to assure your customers they’re in safe hands – whether your business is affected by Heartbleed or not.
If they’re likely to wonder then they shouldn’t have to chase you in search of answers, even if the answer is that there’s nothing to worry about.
Heartbleed doesn’t just highlight security vulnerabilities; it also shows your customers whether or not you’re security-conscious and proactive.
It’s one test that every business should pass if it wants to survive.