Consider yourself hacked, or eventually hacked, is the mantra experts say companies and organizations would be wise to keep top of mind, in light of recent high-profile cyber-attacks. The spate of breaches at major entities gives pause to what challenges face communicators on multiple fronts.
“It's war games, if you will,” says Steve Rubel, EVP, global strategy and insights at Edelman Digital.
No one understands the “war games” analogy better than Sony, whose latest breach, this time by hacker group LulzSec, is now in full bloom. On Thursday, LulzSec posted on its page, LulzBoat, millions of user names and passwords of Sony's customers in the US, Belgium, and Luxembourg. LulzSec claims to have accessed the data through Sony's “primitive” system that leaves customer information easy to expose.
In April, Sony saw its online PlayStation Network temporarily crippled, leading its CEO Howard Stringer to say, that no one is “100 percent secure,” and to predict that global financial systems, power grids, and air-traffic-control systems are vulnerable to cybercrimes.
On Wednesday, Google blamed China for sophisticated phishing efforts that successfully hacked into the Gmail accounts of high-level U.S. officials, Chinese activists, and journalists. Over Memorial Day weekend, LulzSec, took credit for creating a false news story on PBS.org about deceased rapper Tupac Shakur being alive.
Among the more serious breaches was that of defense contractor Lockheed Martin, who counts the U.S. government among its clients. When it happened, news accounts reported compromised customer data, and President Obama was notified. Lockheed denied that customer, program, or employees information had been at risk, but noted the seriousness of cyberthreats.
“In this new reality, we are a frequent target of adversaries around the world,” said Sandra Barbour, Lockheed Martin CIO, in a statement to employees on May 29.
If this is indeed a “new reality,” Jon Newman, a partner with Hodges Digital Strategies in Richmond, VA, says some companies would be wise to prepare for the inevitable.
“There are incredibly smart people, meaning the people who are hacking,” Newman says. “I think it's naive for any company—even those with great IT departments—to think they won't be a victim. It's almost, shame on them.”
Experts in the field say it's best to prepare for the worst and have that plan well rehearsed and handy should your system be hacked. It's important also to make sure that IT, legal, and communications work in concert, so a company can act fast.
Amy Calhoun, MD of Stanton Communications' D.C. office, maintains that the same crisis-management rules apply: The company or entity must be the first to acknowledge the problem, then apologize to all concerned, and spell out what's being done both to correct it and to prevent a repeat.
But a difference nowadays, says Rubel is that there are more places to make sure your story is being told the way you want it told.
To address a crisis publicly, “you may start on Twitter, you may blog, or you give an exclusive interview to The New York Times,” says Rubel. Each situation is unique, he adds, and calls for a tailored response.
When criminal activity is involved, that may change your message and how you deal with the crisis, says Calhoun. You need to contact authorities and comply fully with the investigation, which dictates what information you release.
Whatever the situation, a “make-good” gesture goes a long way toward repairing any damage, maintains Calhoun. In the event of a breach of credit card information, for instance, Calhoun says one amends could be to offer free credit reports for a fixed amount of time.
And responses from the targeted company should be inclusive of all media platforms to maximize reach, according to Rubel.
“We'll see more and more [hackings] as more information is put into the Web," he says. "Companies need a plan that uses all four spheres: traditional media, hybrid media, corporate websites, and social media."