This blog was created from a live webinar presented in conjunction with ILTA on 4/28/20.
The likelihood of a data breach that could put you in the headlines grows as cybercriminals test traditional defenses, often using legitimate credentials and fileless attacks as highlighted in the eSentire Annual Threat Intelligence Report: 2019 Perspectives and 2020 Predictions. Unfortunately, many organizations don’t see themselves as targets and are thus unprepared for the challenges and public storm when crises occur.
Exploring headlines from past crises of all types is a good way to learn how to build a crisis communications framework. Not to admonish the publicly scrutinized and sometimes condemned spokesperson or their companies, but to learn from missteps and find an alternate course to avoid negative backlash.
Perhaps the most memorable event is also one of the most tragic. On April 20, 2010, while completing testing of a well cap, massive explosions crippled the Deepwater Horizon drilling rig just off the coast of Louisiana. Most of the 126 people aboard were rescued, but sadly, 11 crew members were lost. British petroleum giant BP had commissioned Transocean to conduct the exploratory drilling. Over several months, 210 million gallons of oil spilled into the Gulf of Mexico as attempts to cap the well failed. The resulting environmental disaster devastated Louisiana wildlife, wetlands and the economy. As of 2018, BP had paid an estimated $65 billion in clean-up, lawsuits, fines and other losses.
On May 31, 2010, then BP CEO Tony Hayward arrived to personally oversee operations to stem the leaking oil. During a CNN interview, Hayward said, “We are sorry for the massive disruption this has caused ... There is no one who wants this thing over more than I do. You know, I’d like my life back.” In the blink of an eye, he made personal statements that eclipsed the loss of life and the regional environmental and economic disaster. To make matters worse, he was filmed sailing with his son in a yacht race. The resulting furor led to his termination and sank BP into further public perception trouble.
This apparent apathy serves as a warning to those representing their company in a time of crisis. It’s what I term the three Ds of poor crisis communications: defend, deflect and deny. None of these play well with the media, investors and customers. When communicating about a crisis, avoid the three Ds and be mindful of these 10 pieces of advice:
Remember the doctor who was dragged unconscious off United Airlines flight 3411 in 2017? Then CEO Oscar Munoz issued a statement in which he referred to the incident as “re-accommodating the customers” and characterized the passenger as “disruptive and belligerent.” Of course, he was left holding the hot potato when video surfaced on social media showing the unconscious and bloody doctor being dragged down the airplane’s aisle. After sharp criticism, and a steep drop in stock value, the airline forced Munoz to publicly apologize and stripped him of a planned promotion to chairman.
Was Munoz misinformed and genuinely protecting his employees? Perhaps. A culture of truth and accountability is paramount. The point person becomes the public lightning rod of criticism. And it’s the job of the CEO to be informed. A captain might not be responsible for every action on the ship, but they are accountable.
We’ve seen two stories of what not to do. Now let’s look at the right way to plan and respond in a crisis. The first stage, like incident response or business continuity planning, is about being prepared, knowing roles and responsibilities and following the plan.
Your plan provides a framework by which you respond when a crisis occurs. It should contain:
Your crisis team is responsible for building the plan, training representatives, supporting internal and external communications, measuring response and adapting to coverage. First responders include the executive sponsor who acts as the decision-maker, the PR leader, legal counsel and the contracted crisis management firm. Once the alarm is pulled, other members join the extended team: internal, partner and customer communications; social media and website; and human resources.
It’s critical that you train your spokesperson(s). Media interviews are stressful. Some journalists will use tactics to provoke headline-worthy comments and will use time as a pressure point. Often, a company will receive a media inquiry late in the day, looking for a comment on a story they are planning to run during the 6 p.m. news. It’s designed to put you on the defensive.
Two examples come to mind. In 2011, during an uproar over privacy and the transfer of confidential data upon government request, Mike Lazaridis, then CEO of smartphone giant BlackBerry, lost his cool during a BBC interview, repeatedly stating “That’s just not fair” when pressed on the security issue. He sidestepped responsibility, claiming “We’ve been singled out because we are so successful.” Minutes later he stated, “It’s over, the interview is over,” then walked out of the interview straight into headline news rather than a sleepy midday business segment.
And in this perfect example of hubris, the then CEO of Sainsbury’s was caught singing “We’re in the money” before being interviewed by ITV News about the company’s impending merger with Asda. The multibillion-dollar deal was scuttled as a result of the interview, which made the merger a topic of monopoly violations and forced the hand of the government to quash it.
Holding statements are basic responses to anticipated scenarios:
We are aware that confidential information has been made public by one of our employees, and we have enacted robust response protocols and have launched a thorough investigation. We are moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly.
At this time what we do know is <describe situation in appropriate level of detail>.
We can confirm that we are working with those involved and that the appropriate authorities have been notified. The actions by this/these individual(s) are incredibly disappointing and are not reflective of the values and beliefs that are held to the highest standard by the other employees of the organization. We do not condone this type of activity and will be taking severe measures, including termination, for those who were involved. We deeply regret this incident.
We are committed to ensuring we get the correct details on the matter and will continue to communicate appropriately when we have what we believe is credible and actionable information.
As stakeholders, your employees have a right to know what’s going on. More importantly, they need to understand their role and the limits of their position. It’s critical that they know they must avoid heroics, grandstanding or even acting on what they think are good, but ill-informed, intentions. Loyalty can be dangerous when not checked, especially considering that a reporter could approach employees in the parking lot in an attempt to elicit a comment.
During the Equifax breach, CEO Rick Smith said in a video statement: “Equifax will not be defined by this incident, but rather by how we respond.” The next day, a support center employee posted on Twitter: “Happy Friday! You’ve got Stevie ready and willing to help with your customer service needs today!” Responses were, of course, negative, including one unhappy customer who reportedly replied: “Stevie, can you help repair my life your company just ruined?”
Time is critical in a crisis. Telling your story first sets the tone and establishes a baseline of facts. In 2009, a musician immortalized his experience on a United Airlines flight from Halifax to Chicago in a YouTube music video. While on a layover in Nebraska, passengers witnessed baggage handlers throwing guitars. Upon arrival he discovered that his $3,500 Taylor guitar was smashed. He filed a claim, which the airline deemed ineligible for compensation. The musician later wrote a book on the subject, and United Airlines’ stock price fell 10 percent, costing stockholders about $180 million.
Turning to breach-related crises, it’s about building trust (or rebuilding it). Consider Equifax CEO Rick Smith’s statement that the firm would be “defined by its response.” Well, its response was to publish a website on which customers had to file a claim by entering the very confidential information that Equifax had already mishandled! Brian Krebs, a leading cybersecurity journalist, responded: “I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived.”
More recently, Uber was exposed for an attempted payment to keep criminals from exposing a massive data breach. It’s one thing to forgive the initial hack. On some level, the company was a victim, too. But paying to cover it up is another thing. They even went as far as demanding that the hackers sign nondisclosure agreements … I’m speechless!
And in 2020, Travelex camouflaged a system-wide outage as a “scheduled maintenance,” later admitting that the event was the result of a massive ransomware attack, ignoring the age-old wisdom that “honesty is always the best policy.”
This one is straightforward. If you manage protected data or operate in a regulated industry, then follow the rules about breach notification. This also applies to state and other privacy laws like GDPR.
You should monitor coverage and adapt to public responses; don’t bury your head in the sand. Monitor both mainstream and social media to assess tone and craft a response that protects your reputation. Remember, you don’t have to respond to every post.
Like any plan, things often change as soon as a crisis occurs. People panic or take matters into their own hands. It’s imperative that you review performance and determine ways to improve. The reality is that the first time won’t be the last time you face a crisis.
Ironically, Equifax CEO Rick Smith had it right in one regard. A good crisis management plan and response will help ensure that your firm is not defined by the crisis but rather by how you respond.
Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.