Put Users First, Not Brand in Security Breaches
Today OneLogin announced a massive breach that was filled with vagueness and lack of clear understanding. OneLogin provided three different sets of information to its users, but the first notice was provided last night only if you logged into your account.
I get the natural instinct to want to protect your image and furthermore, mitigate the brand damage. This is a fault that many companies run to. To protect the brand, I assume, they started by addressing their users, privately. When you logged in you saw a notice to do a bunch of security changes.
How do we know thats real? How are we suppose to trust that we should start entering all new credentials. Am I really connected to the OneLogin site?
Announcing publicly protects your users. It assures us that you recognize the issue, it’s serious, and you should go to this trusted place to update credentials. You are, after all, a trusted source for credentials.
Putting brand over user trust will hurt your brand even more. Now there are three different updates, Im still not sure what is trusted information and potentially my credentials are decrypted?
In everything you do, from company messaging to software development, users are your most important asset. Without them, there is no software to write and no brand to protect.
Many articles talk about “users first”. Examples of companies that put users first; Facebook, Twitter, Google. While our most common brands are on these services now, they didn’t start out that way. Their only assets were their users and without them, even today, the brands leave.
If you are doing content, product development, and/or messaging for your brand first, you will end up sending the message to users that you are servicing the brand first and not them.
I still don’t know which information on the OneLogin breach is real. This manner of notification to it’s users, will stop me from ever being a OneLogin user. Not because of a breach, but because its apparent, their own brand is more valuable than me.