As I’m sure most people reading this blog are aware, we here in the United States are in the midst of an election. As I’ve been watching our candidates out on the campaign trail I have been reminded that perception is as important as (if not more important than) substance. The candidates are bouncing around the country communicating their message. As the country is in financial crisis, communication is critical.

Communication is also critical when a company is facing crisis.  I’ve been considering two security incidents and how they are being handled in terms of public relations.   Now what I’m going to give should not be considered legal advice and I’m of course not a public relations expert.  I do however have an opinion and feel that both of these situations are being handled poorly.

The first case is that of the World Bank.  Fox News is reporting that the World Bank is in the middle of a security incident.  Apparently the World Bank Group’s computer network has been compromised for over a year.  The Bank controls $25 Billion a year in funds to the developing world and holds one of the world’s largest repositories of sensitive data concerning the world’s economy.   One of the systems is reported to have held contract-procurement data.  (I can’t help but wonder how many contracts have been won based on compromised data?)

Now no matter what the specifics of the breach(es) are, what is important for this post is how the World Bank is handling it. Currently the World Bank’s tactic is to deny what is happening despite the leak of internal memos which paint a different story.

Deny Everything, Admit Nothing

The second case is that of the Massachusetts Bay Transit Authority (MBTA). For those of you who don’t already know, several students from the Massachusetts Institute of Technology (MIT) intended to give a presentation at DEFCON explaining vulnerabilities that they discovered with the MBTA’s fare card system. These students were hit with a restraining order and forbidden to present their paper (apparently the information had already been released on CDs given to the conference attendees – I wasn’t there; that is just what I heard). (The restraining order has since been reversed by the court.)

Again, I don’t want to get into the specifics of who did what and when. That is for the court to decide. What I’m concerned with for this post is how the company handled the situation. The MBTA elected to go on the offensive and use the legal system to keep the information from getting out. Ironically the action had the reverse effect, causing the incident to be widely publicized. (See the so-called Streisand Effect.)

Having a security incident is a nightmare and won’t endear you to stockholders but can the actions a company takes actually make the situation worse?  I believe so.  Let’s look at these two stories.  In one case we have a company that feels that loud public denials of the situation are the way to go and on the other hand we have a company that is doing all it can to hide the details of their vulnerabilities.  Their very actions are calling public attention to the incidents. 

Imagine the situation at the World Bank. If the Bank had issued a statement that it was their policy not to comment on security incidents until they have been resolved, there would probably have been some hoopla over it but it would most likely have died down rather quickly. As it is now we have a denial in the presence of apparent evidence to the contrary. That just invites increased scrutiny by the news media.

In the case of the MBTA you have an organization that is trying to suppress information. The simple act of suppression is going to bring about increased attention. During hunting season (and it’s always hunting season) why paint a larger target on yourself than you need to?

The time to decide on how to handle the public relations side of an incident is before an incident actually happens. Too much disclosure can be just as harmful as too little disclosure. Of course you won’t know the details or the specifics of an incident before it happens, but a company can decide whether or not it should comment and, if so, what that comment should be. There may be legal considerations, so legal needs to be part of this process. Guidelines should be set forth to determine what criteria need to be met before certain information is released in company statements.

Personally I’d recommend acknowledging that an incident has happened and then restricting comments until the incident is actually over. Now I’m sure that will probably draw fire from some of you out there and that is okay. By all indications, both of these companies are still in the midst of these incidents. They are still investigating what has happened and are still in the process of instituting controls to keep the incident from reoccurring. The key at this point is to manage the public relations aspects of an incident rather than have them manage you.

3 Responses to “Public Relations and Security”
  1. Nice post. Thanks for sharing these tips.

  2. Well said, I like your take on the issues at hand. Are you some sort of PR student or just enjoy it?

  3. No, I haven’t studied PR but I do enjoy it. My perspective on this story comes from having worked in a few places that have had issues though not on this type of scale. As I watched management twist and turn trying to blame someone else I’ve come to the conclusion that it only made things worse in the end.

    I also don’t believe that there is such a thing as a totally secure system. No matter what we do something bad will happen so it is inevitable that sooner or later you’ll be involved in having to explain what happened. Personally I’d rather be driving that discussion than have it drive me.

    A thought has come to mind – if there is a PR professional out there who would like to collaborate with me on a few posts please contact me at gmckee (at) ascensionriskmanagement.com. We could create a mock incident and then talk about how it could be handled and what sorts of things need to be in place beforehand to manage the PR side of an incident.
