CAN YOU HANDLE THE CRISIS? (or how to win at incident response…)
What always amazes me is the wide disparity in business attitudes when faced with such a crisis, and how organisations will handle communications, internal or external, if at all…
So let’s look at the real victims here: the customers, the partners, the employees and potentially anyone that has a connection with the organisation. They may have had their business or personal information stolen and were potentially the targets (at best) or victims (at worst) of scams, fraud, or disruption. Or they might be at some point in the future. What will be done for them and what advice and help will be given? Time always tells. And even if information is not at risk or stolen, the potential reputational damage to a breached organisation can be vast and have serious business implications…
In the meantime, let’s look again at the positive aspects of fully and effectively communicating important information to the public in the event of a crisis (and that’s for any crisis, not just data breaches).
THE NEED FOR SPEED…
With social media and modern working practices, time is of the essence in crisis management: the first 24 hours are crucial. This is when people will cast out their digital nets and frantically search for information, whatever the sources. At this stage, the reliability of the sources is less important than their ability to disclose information at speed, and many will speculate widely until the authorised/ official/ recognised/ trusted/ influential sources have performed their validation activity and issued balanced statements. This usually happens within 24 hours, Twitter is usually the means of disclosure, and everyone will jump on the bandwagon with whatever axe they have to grind against the particular topic, organisation or industry sector…
Let’s face it: it is not Sky News’s job (or any media outlet’s) to handle YOUR customer communications… Customers won’t thank you for that. NEVER EVER. In fact, if you’re not on top of it, they will be very willing to talk to the press and tell them how bad you have been at communicating.
And that, my friends, is a failure of your own, at best non-rehearsed, at worst non-existent, INCIDENT RESPONSE PLAN.
But let’s assume for a second, whilst we all know this is rarely true, that an established and a tested incident response plan and adequate processes are in place (if not, see my previous posts on the subject, here and here).
Therefore, the first thing to realise is that you need to be prepared: THE INTERNET DOES NOT WAIT FOR YOUR CEO TO RESPOND, the news will spread with or without your involvement, but you still have a chance to take control of the conversation.
So assuming incident response is already well established in your organisation and that you have the right team in place (e.g. Legal, HR, PR, Communications, IT, etc.), you are in good shape as you have most of the technical and procedural building blocks in place.
One easy block to add (now!) is a web page dedicated to a potential crisis/ incident/ breach. Having this prepared with an easy structure to follow will enable you to control the flow of information very quickly. Since I wrote my original post five years ago, I have noticed that many organisations have tried to implement this. The structure of your crisis communication web page should follow what I call THE THREE “As” OF SPEED and it should include the following sections:
ACKNOWLEDGMENT
This early, you may not know much, but you could look at:
What happened? What’s involved? Who attacked you?
Why did it happen?
When did it happen?
How did it happen?
How widespread?
What/ who does it affect?
Was personal/ sensitive information exposed?
How did you find out?
How are you going to compensate those affected?
BUT FIRST AND FOREMOST, TAKE OWNERSHIP: PASSING THE BUCK OR BLAMING OTHERS IS NOT AN ACCEPTABLE RESPONSE.
Of course, there will be instances where you cannot divulge much of the details (e.g. in the case of a hack, if law enforcement is involved and investigations are on-going), but don’t let this distract you from the fact that you have to acknowledge something, even if you cannot share details. The result of no acknowledgement will be inflated speculation, which must be avoided or at least minimised.
And in fact, it reminds me of this very well known quote from Winston Churchill:
APOLOGY
RULE NUMBER 2: SAY SORRY!
Even if you don’t know much at this stage, show you feel the pain and that you are trying to make it go away… Saying you’re sorry and that you are listening and seeking answers buys a lot of time and more importantly can quell anger and resentment. See The Power of an Apology.
ACTION
RULE NUMBER 3: HAVE A PLAN & DO SOMETHING ABOUT IT.
determine what happened,
prevent it from re-occurring and
maintain the trust of your customers/ stakeholders/ partners/ etc.
You also need to reassure your customers/ partners/ stakeholders and show them you understand the situation. For example, we all know that criminals will piggy-back on any type of newsworthy event or crisis (see here for Target breach), and we also know that this is an excellent opportunity for criminals to start social engineering attacks, which are always launched very quickly, especially if the crisis involves the loss of customer/employee credentials. I’m pretty sure that as a result of the British Airways incident, we’ll start seeing all sorts of free flight ticket scams emerging…
Take this opportunity to warn everyone that this could happen and how you will communicate (e.g. “we will always…” or “we will never…”) and make sure everything is consistent (e.g. if you send an email out, make sure the text of the email is included on your website so your customers can clearly see it is not a phishing scam, and avoid including links in emails – also, if the crisis involves the loss of credentials, you may want to seek communication means alternative to email).
When data breaches happen in the US, this is usually when one year free credit monitoring is offered to affected individuals (but only because breached organisations are compelled to do so by law – this has yet to happen in Europe).
Design your web page with this structure in mind so content can easily be dropped in when needed. Keep the webpage uncluttered and easy to use.
HEAD FOR SPREAD
RULE NUMBER 4: SHOUT IT FROM THE ROOF TOPS!
Again, I offer another set of As: THE THREE “As” OF SPREAD
AMPLIFICATION
Use all the social media avenues available to you: Twitter, Facebook, YouTube, Google+, LinkedIn, blogs, etc. Use these to direct information seekers to your crisis communication web pages (see here how Heineken diffused a dog fighting disaster). Do this often (at least two or three times a day to cater for the different time zones, and be under no illusion: the world is watching you even if you only operate in one country or time zone). Keep your web page updated as and when you know more and amplify it by using all the tools at your disposal (e.g. create your own hashtag on Twitter first). Offer advice when you can but be careful not to be patronising.
ADVOCACY
RULE NUMBER 5: YOU CAN’T DO IT ALONE!
ADHESION
Facing a crisis situation does not mean you have to surrender your corporate values and governance processes. Be sure your messages are constructed within the framework of your corporate brand image and company policies. Now is not the time to surrender caution and governance.
In addition, be clear about your limits: you cannot solve every problem for everyone, so you’ll have to think of ways of pacifying part of your (unhappy) audience when solutions cannot be found quickly.
In addition, now is not the time to lapse on customer service: you can be speedy and achieve spread successfully, but if you don’t follow through with good customer service and deliver on your promises, all this will be in vain…
STACK THE ODDS
RULE NUMBER 6: KNOW YOURSELF AND BE OPEN!
AGGREGATION
As you’re getting the hang of it, you are now ready to become the de facto information hub for your crisis by posting all related stories on your web page (positive or negative). You will rapidly realise that you only have some amount of control over the conversation.
You are however in complete control of where the conversation appears on your web page: make sure your opinion and your content have prominent and favourable placement.
Here we go, a successful social media crisis response strategy in 9 steps:
1) THE NEED FOR SPEED
ACKNOWLEDGMENT
APOLOGY
ACTION
2) HEAD FOR SPREAD
AMPLIFICATION
ADVOCACY
ADHESION
3) STACK THE ODDS…
ANALYSIS
ANSWER
AGGREGATION
And don’t forget, suffering a crisis is not the end of the world, you might just be able to turn it to your advantage… After all, Rahm Emanuel once said “You never let a serious crisis go to waste. And what I mean by that it’s an opportunity to do things you think you could not do before.”
For the infographic associated with this post, see here.
As ever, the best line of defence is being prepared… (and maybe I can help you prepare for the inevitable crisis or raise awareness in your organisation, I do love a good workshop and I run masterclasses on the topic!…)
I first wrote on this subject in May 2012. Today, it is still the most popular entry on my personal blog. I am at once flattered and amazed that some musings derived from the good, bad and ugly of how businesses have tackled crisis communications in the past few years still very much resonate with a lot of you. I hope you enjoyed the 2017 edition…
Until next time,
*** This is a Security Bloggers Network syndicated blog from @neirajones authored by Neira Jones. Read the original post at: http://neirajones.blogspot.com/2017/05/can-you-handle-crisis-or-how-to-win-at.html