The hacking of 77 million personal files held by Sony PlayStation, followed by a second Sony breach involving another 24 million files, is probably the worst ever data loss by an organization, exceeding even the 26.5 million personal files famously lost by US Veteran Affairs in 2006 when an analyst took a laptop home.
It’s a reminder of how easily computer glitches and data losses can trigger crises and shred reputations. It is also a reminder not to allow a focus on business continuity to overshadow the much more strategic questions – how to minimise damage to reputation; how to ensure effective crisis communication maintains proper messages; and how to integrate potential IT risks into the broader context of corporate crisis preparedness and prevention.
The greatest damage from a corporate crisis often comes not from the triggering event but from how the organization responded, so effective crisis management demands thinking beyond technical response to the triggering event. This is a particular challenge when it comes to computers. Although IT departments are notoriously protective of their own turf, IT crises are never just technical problems. They are often business and reputational and communications crises as well.
When Virgin Blue’s electronic check-in system suffered a high-profile crash in September 2010, which stranded thousands of travellers for eleven days, Virgin stressed that it was another company’s fault. The airline also emphasised that it had lost up to $20 million and would pursue legal action against its contractor. Both statements were true, but neither did anything to appease angry passengers.
Just weeks later, NAB’s funds transfer system collapsed, causing enormous financial difficulties as well as public outrage. This technical crisis was made worse by media reports constantly quoting the bank as saying the problem was almost fixed, or about to be fixed. But it wasn’t, and the pain continued for days. And the bank’s reputation wasn’t helped when the message got out that the entire fiasco had been caused by “one corrupted file.” Predictably, the radio shock-jocks asked: How could a single corrupt file bring down a major part of the entire banking system?
Maybe it was exaggerated. Maybe it was just plain wrong. But it certainly highlighted the need for effective management. When NAB was struck by a similar funds transfer problem again in April this year, customers were once more badly impacted, but at least the messaging seemed to be more under control.
St George Bank had a computer glitch early last year, albeit on a much smaller scale, and demonstrated in textbook fashion that in any corporate crisis there are five basic things which must be done . . . right away.
• Apologise – we are really sorry for what has happened
• Empathise – we do understand how you feel
• State the facts – this is the situation as we currently understand it
• Take action – this is what we are doing to deal with this
• Provide assurance – we are taking every step to help you and to prevent this happening again
Sadly, computer mistakes keep being made and IT security is a major crisis risk. Of course, it demands a proper business continuity plan. But as these recent events highlight, a business continuity plan alone is not an effective crisis management plan.