9 February 2014

THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE... (2014 Edition)

I first wrote on this subject in May 2012 (The social media side of incident response).
Today, it is still my most popular entry on this blog with 5,430 unique views as I write. This means that in any given day since I published it, 6 people somewhere in the world have read that post... I am at once flattered and amazed that some musings derived from the good, bad and ugly of how businesses have tackled crisis communications in the past few years still very much resonate with a lot of you. So here’s the 2014 version...


First of all, let’s remind ourselves of the October 2013 breaches at both Santander and Barclays Bank and their pithy official announcement, intent of which was presumably to reassure customers (click to enlarge):


http://group.barclays.com/news/news-article/1329931386754

Four months later, the Daily Mail exposes another breach at Barclays, this time involving the loss of 27K files with sensitive personal information on customers of their now defunct financial planning business (information which was then allegedly sold by ex-employees to rogue City traders for up to £50 a pop). The official Barclays statement was not very different from their previous effort (click to enlarge):


http://group.barclays.com/news/news-article/1329931386754

As I previously highlighted, let’s look at the real victims here: the customers. They potentially have had their personal information stolen and were potentially the targets (at best) or victims (at worst) of scams. Or they might be at some point in the future. What will be done for them and what advice and help will be given? Time will tell.


And even if information is not at risk or stolen, the potential reputational damage can be vast, as we have observed with the DNS hijacking of EC-Council, ironically an ethical hacking certification organisation, and their lack of effective communications... (and also time will tell whether their old DNS registrar will follow the unfortunate path of Diginotar...)

In the meantime, let’s look again on the positive aspects of fully and effectively communicating important information to the public in the event of a crisis (and that’s for any crisis, not just data breaches)

The need for speed...
In the 21st Century, social media brings a new dimension to crisis communications: speed.
One of my older posts highlighted how to prepare for traditional media (training, mock interviews and press conferences, prepared statement structure, do's and don'ts, etc.). With social media and modern working practices, time is of the essence in crisis management: the first 24 hours are crucial. This is when people will cast out their digital nets and frantically search for information, whatever the sources. At this stage, the reliability of the sources is less important than their ability to disclose information at speed and many will speculate widely, until the authorised/ official/ recognised/ trusted/ influential sources have performed their validation activity and issued balanced statements. This usually happens within 24 hours and twitter is usually the means of disclosure and everyone will jump on the bandwagon with whatever axe they have to grind against the particular topic, organisation or industry sector...

Whilst we all know this is rarely true (see any report such as the Verizon DBIR highlighting the time it takes to discover a breach, or event the latest results of Operation Waking Shark II), I am assuming at this stage that an established and tested incident response plan and process are in place (if not see my previous posts - here and here - on the subject). The first thing to realise therefore is that you need to be prepared: the internet does not wait for your CEO to respond, the news will spread with or without your involvement, but you still have a chance to take control of the conversation. 
So assuming incident response is already well established in your organisation, you are in good shape as you have most of the technical and procedural building blocks in place.
One easy block to add (now!) is a web page dedicated to a potential crisis/ breach. Having this prepared with an easy structure to follow will enable you to control the flow of information very quickly. Since I wrote my original post nearly two years ago, I have noticed that many organisations have implemented this.
The structure of your crisis communication web page should follow what I call The Three As of Speed and it should include the following sections:

  • ACKNOWLEDGMENT: This early, you may not know much, but you could look at: Who attacked you? Why? etc. When did it happen? How did it happen? How widespread? What/ who does it affect? Was personal information exposed? How did you find out? But first and foremost, take ownership: passing the buck or blaming others is not an acceptable response. Of course, there will be instances where you cannot divulge much of the details (e.g. if law enforcement is involved and investigations are on-going), but don't let this distract you from the fact that you have to acknowledge something, even if you cannot share details. The result of no acknowledgement will be inflated speculation, which must be avoided. And in fact, it reminds me of this very well known quote from Winston Churchill: "A lie gets half way around the world before the truth has a chance to get its pants on". And let's not forget, it's not just speculation you have to worry about, but also, depending on what type of organisation you are, controversy, misinformation and disinformation (and we can talk about that at length, but that would make this post far too long...).

  • APOLOGY: all too often, organisations do not acknowledge that their customers/ partners/ stakeholders/ etc. may be worried/ could be inconvenienced/ need to be reassured. Even if you don't know much at this stage, show you feel the pain and that you are trying to make it go away... Acknowledgment that you are listening and seeking answers buys a lot of time and more importantly can quell anger and resentment. See The Power of an Apology.

  • ACTION: again, at this stage, you may not know a lot, but you need to share what steps you propose to take/ have already taken to 1) determine what happened and 2) prevent it from re-occurring and 3) Maintain the trust of your customers/ stakeholders/ partners/ etc. You also need to reassure your customers/ partners/ stakeholders and show them you understand the situation. For example, we all know that criminals will piggy-back on any type of newsworthy event or crisis (see here for Target breach), and we also know that this is an excellent opportunity to start social engineering attacks, especially if the crisis involves the loss of customer/employee credentials (e.g. phishing) which are always launched very quickly. Take this opportunity to warn everyone that this could happen and how you will communicate (e.g. "we will always..." or "we will never...") and make sure everything is consistent (e.g. if you send an email out, make sure the text of the email is included on your website so your customers can clearly see it is not a phishing scam, see the comments on the Dropbox blog - avoid including links in emails – also, if the crisis involves the loss of credentials, you may want to seek communication means alternative to email). In the US, this is usually when one year free credit monitoring is offered to affected individuals (but only because breached organisations are compelled to do so by law – this has yet to happen in Europe).

Design your web page with this structure in mind so content can easily be dropped in when needed (an example of a good structure, albeit quite old now, can be found on the Stratfor site). Keep the webpage uncluttered and easy to use.

Head for spread...
With your web page, you now have a single, simple, point of referral. But having a web page doesn't necessarily mean people seeking information will listen to you or find it... You need to become the central hub for information on the crisis. As with everything in life, you can't do this on your own. Again, I offer another set of As: the Three As of Spread:

  • AMPLIFICATION: use all the social media avenues available to you: twitter, facebook, YouTube, Google+, LinkedIn, blogs, etc. Use these to direct information seekers to your crisis communication web pages (see here how Heineken diffused a dog fighting disaster). Do this often (at least two or three times a day to cater for the different time zones, and be under no illusion: the world is watching you even if you only operate in one country or time zone). Keep your web page updated as and when you know more and amplify it by using all the tools at your disposal (e.g. create your own hashtag first). Offer advice when you can but be careful not to be patronising.

  • ADVOCACY: it is not new that in any kind of crisis communication, third party experts (these can be industry commentators, journalists, experts in your field, etc.) will be the most trusted group: seek out the influencers and give them the information. Also seek out your allies and partners and keep them informed. And finally - take a deep breath - trust your employees to be your advocates. There is limitless untapped value in personal social networks... If you want your employees to be your advocates, don’t treat them as a communications risk and be sure they know first (i.e. before the media and external parties) what messages are going to be delivered, and where possible, draft messages that they can use if they so wish. They can not only alert you to opportunities but also to crisis issues via their own networks. The key words here are trust and enablement (see What Can Employees Do to Help Their Company During a PR Crisis? and also what a Miami college did with a mobile app). And it's also a good idea to offer training, after all, even the NYPD is sending its officers to twitter school...

  • ADHESION: facing a crisis situation does not mean you have to surrender your corporate values. Be sure your messages are constructed within the framework of your corporate image as now is not the time to surrender caution and governance. In addition, be clear about your limits: you cannot solve every problem for everyone, so you'll have to think of way of pacifying part of your (unhappy) audience when solutions cannot be found quickly. In addition, now is not the time to lapse on customer service: you can be speedy and achieve spread successfully, if you don't follow through with good customer service and deliver on your promises, all this would be in vain...

Stack the odds...
So now that you've achieved speed and spread, you've got a couple more things to do before you become the de facto information hub for the crisis at hand. This is perhaps the scariest step because this is where you have to open up... Yet again, I have Three More As for you and these are about stacking the odds in your favour:

  • ANALYSIS: you have to monitor real time content on the various social networks in order to categorise and prepare the type of content needed on your web page. I found a useful infographic giving some statistics for the education sector in terms of social media crisis management (this easily applies to other sectors in my opinion).

  • ANSWER: invite comments and answer them (on your web page) but also reply appropriately to comments on the various social media channels that you monitor (see above) and again redirect people to your web page. Yes, very scary, but bear in mind that not inviting comments will have a negative impact on your brand. It is however possible to manage comments very successfully by remembering a few things: not every comment requires a reply and you must know when to disengage; if a hostile ring leader emerges, it is sometimes best to take the discussion out of the social media sphere and engage directly; there is never any harm in specifying your rules of engagement (e.g. no foul language allowed); Keep up with the Joneses: if a negative blog entry is posted, respond with a positive entry from your CEO, etc. An excellent example will be the way Shell dealt with the Greenpeace campaign against arctic drilling. As far as I know, they decided not to engage, but in the article mentioned, they issued a very dignified reply. They even overlooked the fact that Greenpeace used the Shell logo without permission. Greenpeace also affected the public at large by forcing the closure of 74 UK Shell petrol stations. Public opinion always decides which brand comes out on top...

  • AGGREGATION: as you're getting the hang of it, you are now ready to become the de facto information hub for your crisis by posting all related stories on your web page (positive or negative). You will rapidly realise that you only have some amount of control over the conversation. You are however in complete control of where the conversation appears on your web page: make sure your opinion and your content has prominent and favourable placement.

Here we go, a successful social media crisis response strategy can be summarised by
1) The Need For Speed
    ACKNOWLEDGMENT
    APOLOGY
    ACTION
2) Head For Spread
    AMPLIFICATION
    ADVOCACY
    ADHESION
3) Stack the Odds...
    ANALYSIS
    ANSWER
    AGGREGATION

And don't forget, suffering a crisis is not the end of the world, you might just be able to turn it to your advantage... After all, Rahm Emanuel once said "You never let a serious crisis go to waste. And what I mean by that it's an opportunity to do things you think you could not do before."

For my webcast on the topic of this post, see here.

To see the infographic associated with this post, see here.

As ever, the best line of defence is being prepared... (and maybe I can help you prepare for the inevitable crisis or raise awareness in your organisation, I do love a good workshop!...)






As always, I thank you for taking the time to read this post, and if you know of any scared executive out there in need of a bit of help, I will be running an exclusive by-invitation-only master class with my friend Dan Haagman on 10th and 11th March 2015 at Stoke Park (fantastic venue, easy access and only a few miles from Heathrow). It is entitled “Building Your Digital Brand and Becoming A Social Entrepreneur” and will equip the willing (or reluctant) senior executive with many (free) tools and time saving tips. Thank you for spreading the word!



Until next time,
neirajones