If crisis were to strike your company tomorrow, would you be ready? Melissa Agnes helps organizations prevent and manage their issues before they become catastrophic, with the aim of never having them become catastrophic at all. Her powerful, customized presentations provide tools and strategies that create a proactive, crisis-ready corporate culture, ready to respond to whatever may arise. In this column for Forbes, Melissa examines the Equifax cybersecurity crisis as a blueprint for your own crisis readiness:
Cybersecurity crises are a high-risk scenario that threatens every single organization today. It’s a scary scenario, one that is very difficult to manage, as it involves many grey zones and unknowns, which can be frustrating for both the organization and its impacted stakeholders, amplifying the crisis management challenges for the organization.
As I imagine you’ve heard, Equifax is the latest organization to suffer this type of crisis. Last week, the credit bureau announced that they suffered a cybersecurity incident, where over 143 million U.S. customers’ personally identifiable information (PII) was breached. This is a big deal. In fact, it’s being referred to as one of the worst breaches in history, considering the extent of the information that has been stolen.
I’ve been watching closely as this crisis has been unfolding publicly since Thursday. As this is such an applicable high-risk scenario to every organization, including yours, there are some important takeaways that can be learned from Equifax’s management of this crisis so far. So, let’s learn them, shall we?
Timeline Of Response
Equifax told the world that they discovered the breach on July 29th, though only announced it publicly on September 7th. That’s over a month later.
Now, before we continue, I want to address the complexity of this type of crisis. Oftentimes, an investigation into a breach, especially one to this extent, really does take months before the organization has any real answers to important questions. So, here’s the dilemma: how do you balance timeliness with accuracy? It’s a difficult, yet critical question.
On one hand, they could have come out with an announcement right away, and suffered through months of worried customer complaints, media frenzy, criticism and so forth. On the other hand, they could wait to have more information, develop a strong proactive response strategy, and get ahead of the story from the beginning.
The difficulty is how long do you wait? And to be honest, I don’t have all the information to be able to say what I would have recommended as a crisis management consultant. We don’t know how many answers they either had or didn’t have, and how long it took to get them. Did they have enough answers a month ago and just continue to wait for as long as they could for selfish reasons? Were they prohibited from communicating by law enforcement (because yes, that’s a possibility in this type of crisis)? Or did they only receive concrete answers on September 7th, and quickly come out with their announcement just as soon as they were able to?
There is a lot that we don’t know, but it’s important for you to realize the complexity of this type of scenario, for your own preparedness. However, what I can say, is that considering they had over a month to plan their crisis response, they could have done better with their messaging, their “check potential impact” service, and their call centers.
Adequacy Of Their Crisis Communication
As this is a serious incident with potentially dire consequences for their consumers, and as Equifax had the luxury of time to develop a strong crisis response, there really is no excuse for not nailing it.
To begin, it’s important to set goals and objectives. The organization’s goals for their crisis communications needed to be as follows:
• To demonstrate true, unquestionable, care and concern.
• To be informative and to address and answer, to the greatest extent possible, the key concerns of their stakeholders.
• To communicate consistently across all channels, stakeholder groups and regions.
• To communicate in plain English, not using corporate or legal talk.
• To comply with appropriate jurisdictional laws and regulations concerning breached PII.
While their strategy of executing their crisis response helped them attain some of these goals (which we’ll discuss in a minute), Equifax definitely missed some essential marks in their messaging. Namely, the part about demonstrating true, unquestionable, care and concern. When they broke the news and made the announcement on September 7th, they should have used stronger language to show that they know that this breach was unacceptable, that they realize it will (rightfully) lose them customer trust, and that they are committed to doing anything and everything to help impacted consumers protect themselves, first and foremost.
For example, in his video statement, Equifax Chairman and CEO, Richard Smith, said “while we’ve made significant investments in cybersecurity, we have more to do and we will.” This type of statement is appropriate in less consequential situations. Not in a case where millions of people are at risk of being direly impacted for an undeterminable amount of time. Millions of people who trusted you to protect them from this exact situation. How do you feel when you read or hear this statement? Do you want to say something like “if you realize you have more to do, why didn’t you do it? I trusted you to do it, and now I’m screwed!” Do you see where I’m going with this?
Evaluation Of Equifax’s Crisis Communication Strategy
In his communication, Smith said “Equifax will not be defined by this incident, but rather, how we respond.” The truth is that they don’t get to decide this. They will inevitably be defined by this incident, whether they like it or not. And yes, they will also be defined by the way they choose to respond.
While their messaging was weak coming out, their strategy of communication dissemination has since been quite strong. Let’s take a look.
Equifax’s Crisis Website:
Equifax launched a crisis website as their crisis communication home base. This is a strategy I often develop with clients. It’s great because it provides a dedicated place to communicate with stakeholders. They also placed a big banner at the top of their corporate website’s homepage, pointing people to the crisis website for continued information and updates concerning the breach. I like how big this banner is, as no one can accuse them of trying to hide their news and updates!
Their crisis website is clean, organized and detailed. One thing that is often missing from organizations’ crisis response is clearly identified stakeholder groups and answers to each group’s individual questions and concerns. Equifax clearly understands the necessity of addressing and providing the relevant information to each of their stakeholder groups, not just to consumers, the media, or the general public, for example.
For example, on their crisis website, they have three dedicated FAQs: one for general questions that apply to everyone, one specific to consumers (the impacted stakeholder group), and one specific to investors. This is a strong, needed, and often neglected, strategy of response.
Equifax’s Use Of Social Media:
The organization has been quite engaged on social media. They’ve been using it to extend the reach of their communications, to listen and to respond to inquiries and comments. For example, many people took to social media in the initial days of the crisis unfolding to express their frustration with the crisis website and the designated call center. Equifax heard these complaints, addressed them in an update on the crisis website, and communicated what they were doing to remedy the issues.
However, I have noticed that they seem to be responding to each and every tweet with the same approved messaging. While it’s great to respond to individuals, these individual replies aren’t showing up on their main Twitter feed–and they’re important communications. It would be a much stronger, and less cumbersome, approach if they triaged the inquiries and responded to them accordingly, in a way that is easily accessible to everyone, rather than one by one.
From there, if they have the time and resources, they can choose to respond to specific individual inquiries. But when you’re seeing many of the same questions or comments being expressed, your best strategy is to make sure your response is seen by the maximum number of people, in the least amount of time.
Equifax’s Use Of Video:
Video is always a tricky strategy to leverage correctly. However, when done well, it can be a brilliant crisis communication tactic. I liked that they leveraged video. Though other than the messaging being weak, as I mentioned earlier, I would have preferred for Smith to not use a teleprompter–or at least not use it so obviously.
Teleprompters make you come across as robotic and lacking human emotion. The whole point of choosing to leverage video in your crisis response, is to help you connect on an emotionally relatable level with your stakeholders. You want to express to the world just how much you care, and to show your dedication to righting the wrong. Considering the organization had over a month to develop their response strategy, this strategy could have been better executed.
Equifax’s Additional Means Of Communication
Millions of people have burning questions. While Equifax is doing a good job at leveraging their crisis website and social media to respond to these questions, they’ve also stated that they are directly communicating with impacted parties, as well as having set up a call center for those who prefer to pick up the phone and speak with a human.
Sometimes, organizations get so caught up with social media and the web, that they forget that there are other important ways to communicate with stakeholders. From what I can see, Equifax is dedicated to communicating with stakeholders in multiple ways, which is good. It is also legally required in this case, so it hits the last bullet in the above-stated communication goals.
What Should You Do With This Analysis?
This whole scenario is every organization’s worst nightmare. Or at least one of them. If you aren’t currently doing everything in your power to protect your systems and data, you should be. Unfortunately, however, nothing is impenetrable. Therefore, if you aren’t yet ready for a cybersecurity incident, you need to fix that. This means:
• Having discussions with your teams to better understand the risks, impacts and variables of this type of scenario;
• Developing escalation protocols, action plans, and communication strategies that will help you effectively manage all aspects of this type of crisis, in real-time; and
• Developing partnerships with the appropriate experts, whom you may need to call upon in the event of a breach.