
Ransomware 1 minute after – are you ready?

By Tom Mueller

It’s a busy workday – a normal workday – with lots to do and deadlines approaching, and in the midst of this your computer stops working. You want to save the document you’re working on, but it’s no use. You’ve lost it.

Then a new page appears on your display. It’s a politely-worded page demanding a ransom payment in order to unlock the files on your computer. Everyone on your team and on your floor is now staring at this same screen. And the malware that caused it is still spreading – maybe across your entire company.

What you might see on your computer screen during a ransomware attack. This is a bad day.

Within a few hours, you’ve lost all or nearly all of your company laptops to this ransomware. What now, my friend? You need to provide guidance and leadership to your global organization. How do you keep communications flowing?

If your organization has migrated systems to the Cloud, you can simply switch to the cloud-based software tools. Microsoft’s Office.com is a cloud-based version of the tools you use on your laptop. So migrate your communications operations to that platform.

Your staff know how to access and use the tools there, right? I work on the cloud-based tools regularly and I can tell you these tools are not identical to those on your laptop. The names are the same – Outlook, OneDrive, PowerPoint – but the functionality is not always the same. That’s why your staff need to use these alternate tools regularly and become familiar with the differences.

The black swan event

In the black swan version of this ransomware event, you may lose your single sign-on capability, which could eliminate access to your network, your email, your VoIP phone capability, and your ability to communicate across your organization. The backup cloud-based tools I mentioned earlier generally rely on single sign-on technology. They could be out of reach now.

You may even have lost operational control of your operating facilities if they use computer process controls.

The black swan has landed. What now?

Step 1: Re-establish communications to key personnel and offices. Seems simple enough, but if you’ve lost email and your internal communication channels, and your phone system is disrupted, you need alternatives.

Keep it simple – go where employees and managers already are: messaging apps. While these apps (WhatsApp, FB Messenger, etc.) may not meet company guidelines for business as usual communication activities, in a major crisis they may be just the thing you need to re-establish connectivity.

Step 2: Gather up the team. Use these messaging apps or other tools to host a conference call to assess your situation. The field of crisis apps is expanding rapidly today, with several good options that would allow you to quickly host a conference call directly from the app. Your crisis plan can also be stored in the app, along with checklists, contact lists, and more.

Step 3: Implement your cyber crisis response plan. This assumes you have a cyber response plan. If you don’t, then it’s time to show your improvisation skills. But better to have a plan in place, no?

How will you write employee update notes, press releases, investor updates and the many other communications that you’ll need to manage? Will your IT department have lots of extra laptops lying around that you can borrow? Will your team be at the top of the priority list for those few available laptops? You may find yourself headed to Best Buy with a company credit card.

Back from Best Buy, you now have an armload of laptops that won’t connect to your downed network. How will you print your documents for approvals? How will you email them for approval – and to what email addresses? Do you have backup email addresses off-network that you could rely on in this scenario? If your staff are working remotely from home, what devices can they use to access your response tools? Do they have those devices in hand?

The answers to these questions aren’t necessarily difficult, but they do require some planning and some dogged attention by someone on your team. This might be a special assignment – perhaps a developmental assignment – for someone to build the plan and backup systems, and develop some training materials. But it won’t happen unless it is set as a clear priority and supported by senior leadership.

Cyber attacks and crisis communications – planning for the big one

By Tom Mueller

Business continuity planning has always been an important part of crisis planning, albeit not a very sexy one. The time and energy invested in BC planning was mostly about setting up alternative office space, work stations, phone lines – all tying back to the company’s main operating systems and network. It was an infrastructure conversation about alternative physical infrastructure should your building suffer a fire or be in the path of a major hurricane.

But the threat of cyber attacks is changing the game, and putting communication leaders in the position of rethinking what business continuity means in this new threat environment.

In a number of recent cyber attacks, large firms lost entire communications systems – phone systems, intranet, email – and were left scrambling for alternative communication tools to keep the information flowing. These system outages halted companies’ ability to take orders, to track orders, to deliver goods and to communicate with employees and customers. In some cases, competitors swooped in to pick up those customers, potentially resulting in a long-term loss of business for affected firms. Commercial impacts from malware / ransomware attacks in 2017 have been significant.

So, what’s your plan?

These real-life incidents raise the question: what is your backup plan if your email system goes down? And if your intranet goes along with it? Or if your company laptops all suddenly go belly-up with a ransomware attack? How will you access your contacts, crisis plans and other data that live on that SharePoint site? How will you get updates and instructions to your employees without those tools? And more fundamentally, how will you print documents if your networked printers are no longer networked?

Keep it simple?

Given the pace of change in the tech industry and the number of new tools and technologies coming into the marketplace, keeping up with evolving options can be a full-time job – so let’s start with simple.

I would default to the simplest solution to maintain employee lines of communication – by going where staff already are: messaging apps. You needn’t build a parallel network in the immediate aftermath of an attack; your priority should be tapping into these existing (albeit informal) lines of communication. I’ve found that many teams use messaging apps informally in their businesses today – to share personal notes or just build camaraderie within the team. WhatsApp is a popular app in many countries, and of course WeChat is your likely choice in China; both are powerful communication tools that can be leveraged in a crisis.

Scaling up app use in a particular business or geography may be as simple as your local employees downloading the app.

Linking headquarters to the field

First, however, you need to get your crisis messaging/instructions out to the field and in the hands of your communications teams. If you’re a communications manager sitting at headquarters, how do you do that when your intranet is down, email is out, and your laptop has been compromised?

You could turn to your phone. Notification/crisis apps such as Send Word Now or Rock Dove’s In Case of Crisis offer push notifications and are evolving to offer greater capability to transmit longer messages and even convene conference calls. Some countries don’t allow use of those services, though, so you may need more than one tool.

You might also stand up a private crisis website where you post employee communications and offer a secure venue for two-way communication with staff around the evolving situation. This site must be hosted outside of your regular corporate network. You provide password-protected access to your key communication and business leads around the world, who can then access updates and cascade the information using their local app channel or other tools. The Response Group’s Jetty crisis website tool offers this capability, along with SMS texting, and a robust inquiry-management capability that could be used to track and respond to internal questions from across the company.

Backup email

Replacing your crashed email system doesn’t have to be that difficult either. You could rely on employee personal email addresses in the near term to keep information flowing. That only works if you have your employees’ personal email addresses in a secure location outside of your now-compromised network. Or you could set up a parallel email system on a major platform like Google or Yahoo, and use those to share information. Google’s GSuite offers email using a customized domain address (your company name) for $5 per user per month. You could create parallel email addresses for critical staff there. And there are other tools out there as well. Whichever option you choose, though, your staff have to remember how to access it when needed. That means engaging them in regular training and crisis exercises.

Just for fun

Here’s an interesting way to engage your staff around this discussion – host a crisis exercise where no company laptop or network access is permitted. Then watch people get creative digging up information, preparing written communications, and trying to print documents.

The point is, you don’t want to be figuring all of this out during a crisis. You need to have a crisis communications plan in place and tested periodically. Your communications function should have a business continuity plan, and procedures for managing communications in a cyber outage should be part of it.

Crisis case study: Delta Airlines crash at La Guardia

By Tom Mueller

Here’s a quick look at crisis communications around the Delta Airlines commuter plane crash at LaGuardia Airport in New York. (Note: Reposted from my 2015 crisis archive.)

As we have seen in many other incidents, social media lit up immediately after the incident. Passengers were tweeting and posting to Facebook from the plane. There is video online from just outside the plane showing passengers coming down the wing as they exit. Reports from the scene indicated the left wing was damaged and jet fuel was leaking from the fuel tank. (Think about that if you are tempted to tweet from a crashed airliner.)

Delta Airlines had their first statement out on Twitter at 12:02 p.m., about one hour after the incident. Subsequent statements were issued at 12:37 p.m., 2:09 p.m., and 3:20 p.m., or about every 90 minutes. A tweet accompanied the release of each statement. Delta chose to tweet the address to an online statement on the company’s news site, as opposed to tweeting the actual statement out bit by bit.

In my experience, this approach for using Twitter is typically driven by the lawyers, who don’t want the statement viewed in part on any one tweet; they want it viewed in its entirety, so Twitter is used to share that link to the company website. The company did not use its corporate Facebook account to communicate crash-related information.

Celebrity blogger and TV star Jaime Primak (@jaimeprimak) was on the plane (TV show is Jersey Belles, on Bravo). She both tweeted and posted to Facebook – from the aircraft – to her 19,000 + followers. She leveraged her position on the crashed airliner into a major network interview the next morning on NBC’s Today Show.

Another passenger shot the first photo from just outside the plane and posted it to Twitter. That person, @steveblaze98, had only four tweets on his account before he tweeted that photo and immediately became a media must-have interview. News media from many outlets, including print and broadcast, converged on him via Twitter looking for permission to use the photo, and were also requesting phone interviews with him ASAP. By the way, he now has eight tweets to his name.

The Port Authority of New York and New Jersey (@NY_NJairports), which runs the airports, used Twitter to alert passengers and other stakeholders about the incident and the closure of airport runways. They also announced the press briefing time and location on Twitter, and took numerous questions from passengers trying to determine if their flights were on time.

Thankfully, everyone was able to walk away from that crash, and Delta seems to have avoided a secondary crisis by engaging quickly to position the company and provide information online and through social media.

As a side note, Delta maintains three different Twitter handles to manage communications to its various stakeholders. It used @DeltaNewsroom for incident-related communications; it also uses @DeltaAssist for passenger/customer communications, and @Delta for corporate communications and marketing purposes.

Finally, a bit of humor crept into the conversation a day after the incident, with one Twitter user noting: “Apparently pilots from Atlanta can’t drive in the snow either.”

Crisis Communications Review – Santa Barbara Oil Spill

By Tom Mueller

(Reposted from my 2015 crisis archives) I’ve been watching the communications effort around the Refugio Oil Spill off the coast of Santa Barbara, California over the past week and how the effort has evolved over time. Here’s my take on the first week’s response and communications effort.

Plains All American Pipeline clearly had some crisis management plans in place in case of emergency. That was evident in their initial response – issuing a press statement late on Day 1 (May 19), activating their emergency response plans, and mobilizing resources to begin response operations. They had a website domain name and a hotline telephone number in place and included in their first statement issued that first day.

Operationally, they clearly had plans in place to bring equipment and resources to bear in addressing the physical spill, and we saw boots on the ground fairly quickly, with a steady ramp up in the following days. The one question that seems to be hanging out there still, in terms of emergency response, is how long it took the system operator to shut down the line once a pressure drop was indicated. We’ll learn more about that in the subsequent investigations.

In terms of crisis communications, the company’s early effort at communications seemed to lag as the unified command structure was being put in place and the main command post set up. As part of this process, the company’s crisis website, plainsupdate.com, was replaced by a unified command site titled refugioresponse.com.

The unified command, operating from the Santa Barbara County emergency operations center, issued its first statement at 2:36 p.m. Pacific Time on Day 2. The release did not mention a crisis website, making it more difficult for stakeholders to find the unified command site.

Plains All American Pipeline did have knowledgeable spokespersons immediately available for press briefings from the early hours of the incident.

Both websites for the incident – the initial one set up by Plains All American Pipeline and the second set up by the unified command – were built on the PIER system, a response tool that allows quick deployment of a crisis website, high-volume inquiry management, and push notifications to stakeholders.

Staff in the joint information center were obviously managing many incoming inquiries by telephone and providing information verbally. One of the key challenges in this situation is making sure staff in the JIC are then entering the name and email address of each caller into the PIER system’s database, which forms distribution lists that can be used to send out updated statements to those stakeholders.

In the Refugio response, it appears that the JIC wasn’t using the full capability of the PIER system to engage stakeholders. Instead, early communications efforts appear to have been focused on news media only. For example, news releases from the unified command were not widely distributed to stakeholders who had asked to be included – they went to media and were posted on the website. In today’s media/social media world, that is a very narrow communications effort, especially given the ease with which one can reach hundreds or thousands of stakeholders with a few mouse clicks from the crisis website.

It wasn’t until Sunday – after the phone system in the JIC went down for a time – that they began using PIER to distribute updates to the many people who had visited the website and added themselves to the list to receive updates. (I don’t know yet if that outage was a catalyst for using PIER to communicate directly with stakeholders, but circumstantially it would seem so.) Since then, new updates and press releases have been pushed out to these audiences when the new information is posted to the website.

The company and the unified command ceded the social media space to the crowd early on, though not because they weren’t trying. The Santa Barbara County Twitter handle (@countyofsb) eventually emerged as the credible source of information within the response, but that wasn’t immediately obvious to people looking for information.

As in many responses, choosing which hash tag (#) to use for a response can make a world of difference. The county used both #gaviotaoilspill and #oilspill in its initial tweets. It later switched to #refugiooilresponse, though few knew to search that hash tag name. Many, including major media outlets and some international NGOs, were using #plainsallamerican #santabarbaraoilspill, and some continue to do so.

These are parallel lines of communication that could be addressed by the social media team by using multiple hash tags, but the character limit on Twitter does make this a challenge. In the end, tying the Twitter feed to the response home page – as the comms team did in this incident – helps everyone find the right handle for the response, if they are looking for it.

Outside of the first press release and a subsequent fact sheet, there is very little company voice in the response communications, which is relatively normal for a unified command approach. There are at least eight state and federal agencies directly engaged in the response, and as many as 85 agencies in total (according to a Tweet from @countysb). Still, the company should be managing some communications directly with its key stakeholders, and I hope they are doing so.

The company should be prepared to stand up separate channels of communication – including a separate website and social media accounts – if they aren’t able to engage their stakeholders effectively through the existing unified command response channels.