“Just Winging It” is Not an Option for Crisis Management


As with any endeavor, preparation greatly increases your chances of success

Can you imagine a squad of firefighters deciding to throw out their plans and training and “just wing it” when they head into a burning building?

The idea is ridiculous of course, but why are so many who would scoff at that willing to charge into crisis headfirst without any sort of game plan in place?

Former eBay COO and current Yahoo! Chairman Maynard Webb is no stranger to crisis management, and in a LinkedIn blog post he explained precisely what every organization SHOULD be doing to prepare for when a crisis hits:

Ideally, you want to be deploying a playbook rather than developing a playbook. Most often, people don’t do this in advance and then have to develop processes while in battle — that’s much harder. At eBay, when we learned that hours after 9/11 people were putting debris from the World Trade Center for sale on the site…we knew how to respond immediately because we had a policy in place that detailed that we would not profit from disaster. Because of this, we were able to respond immediately and take it down.

Most likely, eBay’s playbook for incidents involving users selling items related to disasters was something like a few lines of text in the Terms of Service and a canned message that was delivered to anyone posting such items.

It sounds simple, but without the advance crisis management work of creating a rule explicitly against profiting from disaster and a way to respond should such a situation arise, eBay could have become the center of a reputation-damaging controversy.

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is Social Media Manager for the firm, and also editor of its newsletter, Crisis Manager]

Crisis Management Musts – Protecting Digital Assets


Your social media presence is a valuable commodity; don’t leave it unguarded

We’re at the point where some social media accounts are worth serious dough. Some for the rich communities built around them, some for their brand association, and some simply because they have a unique, hard-to-obtain handle. Because of that, just as we saw in the days when the ‘net in general was really starting to take off, there are virtual pirates looking to take what’s yours and either make it their own or hold it for ransom.

A warning for security slackers

The story of app developer Naoki Hiroshima, owner of the Twitter username @N, should serve as motivation for anyone who’s slacking on their own web security – a critical part of personal crisis management in the digital age. Hiroshima owned the @N account, for which he says he’s been offered as much as $50,000, when a hacker decided to take it for himself. Hiroshima says he began receiving account reset emails from both PayPal and GoDaddy, and through a series of events detailed in his Medium blog, lost control of the GoDaddy account altogether.

In a scary twist, Hiroshima was actually emailed by his attacker, who extorted him into giving up control of the @N Twitter account by threatening to trash the data on the websites which he runs, all registered through GoDaddy. Hiroshima even managed to get directly connected with a GoDaddy exec at some point in the process, but they were unable to help secure his accounts before he felt forced to give up @N.

Even worse, the hacker provided Hiroshima with information about how he took over control of much of his digital life, and, if he’s telling the truth, PayPal and GoDaddy failed miserably in protecting a customer’s data. A quote:

I asked the attacker how my GoDaddy account was compromised and received this response:

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 19:53:52 -0800
Subject: RE: …hello

– I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)

– I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)

It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification. When asked about this, the attacker responded with this message:

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 20:00:31 -0800
Subject: RE: …hello

Yes paypal told me them over the phone (I was acting as an employee) and godaddy let me “guess” for the first two digits of the card

But guessing 2 digits correctly isn’t that easy, right?

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 20:09:21 -0800
Subject: RE: …hello

I got it in the first call, most agents will just keep trying until they get it

He was lucky that he only had to guess two numbers and was able to do it in a single call. The thing is, GoDaddy allowed him to keep trying until he nailed it. Insane. Sounds like I was dealing with a wannabe Kevin Mitnick—it’s as though companies have yet to learn from Mitnick’s exploits circa 1995.

The bottom line here is that, although many organizations make a big stink about how secure they keep your data, the vast majority are easy prey for anyone with a bit of “dark side” know-how (how-to instructions for tactics like the ones used in this case are readily available through a quick Google search) and a silver tongue. When it comes to protecting digital assets, always assume the burden of protection lies on you.

A happy ending, but not so fast…

There is a happy ending to Hiroshima’s story, as, likely thanks to the massive amount of publicity his blog post on the hack attracted, he regained control of the @N account over a month after he lost it. If you’re even entertaining the thought that those consequences weren’t really so dire, consider the damage someone could do if they had hold of your Twitter account for a full month not only to your organization, but also your contacts and followers through things like phishing or malware attacks.

A little more worried now?


Preventative Crisis Management: Halt Negative Reviews in their Tracks


Stop the negative sentiment before it goes public and you have a crisis management success

Online review sites like Yelp, Tripadvisor, Urbanspoon, Google and Yahoo Local (the list goes on and on) are being used heavily every day by your stakeholders. Doing things like reporting on a bad customer service experience or sharing a picture of the hair found in their lunch plate is second nature now, and, while you do have the opportunity to correct issues and hopefully work out a re-review or draw a retraction of a previous post, wouldn’t it be a lot better if you could catch them before they put you on blast in the public eye?

That’s the theme of a recent post from Software Advice’s Victoria Rossi, who covered this topic, which fits perfectly with the crisis management goal of minimizing the impact negative incidents have on your organization, its reputation, and its bottom line. Here’s a quote:

While angry customers are nothing new, the ability to vent online, where a bad experience can remain documented forever, makes negative reviews extremely risky for businesses.

“If guests are unhappy, they go to websites like TripAdvisor, and they voice their opinions. They go on social media and they trash the place,” says Robert Irvine, chef and Food Network host of Restaurant: Impossible. “Social media has such a far-ranging touch that it can make or break a restaurant—and I’ve seen it break restaurants.”

While it’s not always possible to prevent a frustrating experience, you can re-channel customer frustration. This is precisely what technologist Bernard Briggs had in mind when he created Humm, an on-premise feedback system that uses an Android tablet to survey guests about their experience before they leave the building.

Rossi goes on to cover two more organizations finding success with both high and surprisingly low tech tactics to intercept customers’ negative sentiment before it’s permanently etched into the web. This really is a great piece, and provides valuable food for thought when it comes to the often-tricky review sites and social media platforms that are driving reputation management today. To check it out, head over to Software Advice’s CSI: Customer Service Investigator blog.


Weak Media Appearances Will Crush Your Crisis Management


Perfect example of why ignoring media training is not an option

A weak media appearance can, and often does, make a bad situation soooo much worse. Take the press conference held by Gary Southern, president of West Virginia’s Freedom Industries, the company responsible for contaminating local water supplies to the point where 300,000 residents were unable to use anything coming from the pipes in their homes for much of January.

As you’ll see in the video below, it’s the very definition of “hot mess”, with Southern’s flustered delivery compounded by condescending instructions from someone off-camera as to where to stand, who to face, and how to conduct himself in general. Making things even more awkward was a moment at right around 5:00, where a reporter actually demands that Southern return to the microphone for more questions, a demand to which he, in a move that left our crisis management-oriented brains screaming NO!, acquiesces.

http://youtu.be/dUVpmS8JXJ8

If the fact that Southern was sipping a lot of water stood out to you, just imagine how it felt to those 300,000 people whose water his company had contaminated? While grabbing for a water bottle is never good press conference behavior, in this case it was a move with unusually dire consequences in terms of reputation damage.

It only took eight days for Freedom Industries to file bankruptcy, allegedly due to the massive lawsuits it’s facing as a result of the spill, and it clearly won’t be recovering as an organization any time soon.

If you run ANY type of organization, you absolutely must be prepared to speak to the media. Sure, you can get away with spokespeople when it comes to smaller troubles, but when the s#^@ hits the fan, the head honcho needs to step up to the microphone. Get ahold of a good media trainer, or even a friend, a camera, and some of the multitude of tips listed on this blog and others, and start practicing now. After all, only practice makes perfect, and you’d better believe that’s what you need to be when you’re the face of an organization that’s royally screwed up.


White House Offers Crisis Management Help for Infrastructure Hacks


Government steps in to help contractors running critical infrastructure secure their systems

Experts have been warning for some time that hackers from criminal organizations and various nation-states with whom we don’t see eye-to-eye are targeting critical infrastructure, including power, water and nuclear systems, here in the States.

Recognizing the lack of understanding and preparedness among the organizations that run said infrastructure, the White House is putting crisis management tools in their hands with a new cybersecurity framework, described in this quote from a PCWorld.com article by Grant Gross:

The voluntary framework creates a consensus on what a good cybersecurity program looks like, senior administration officials said. The 41-page framework takes a risk management approach that allows organizations to adapt to “a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner,” according to the document.

Organizations can use the framework to create a “credible” cybersecurity program if they don’t already have one, said one senior Obama administration official. “The key message is that cybersecurity is not something you just put in place and walk away,” the official said, in a background press briefing. “There’s no prescription or magic bullet for cybersecurity. There are only well-conceived, proven ways of continuously managing the risks.”

Although it’s highly unlikely the framework provides a be-all, end-all solution to cybersecurity risks, hopes are it will serve to spark more discussion of and focus on the dire need to be aware of and protected from major attacks on our critical systems.

At this point it’s all but inevitable that someone out there is going to take over control of the systems we rely on for safety and security, either for financial gain, political motivation, or simply because they can. The better prepared the organizations who hold the keys to the systems that keep us safe and secure are to do crisis management for major attacks, the more quickly the impact can be mitigated, and the more protected we’ll all be.


Under Armour’s Olympic Crisis Management


Was Under Armour’s crisis management podium-worthy?

Nobody’s quite puzzled out what exactly caused the underwhelming performance of U.S. speed skaters during the Sochi Games, but as the losses piled up many looked toward the company behind the team’s high-tech “Mach 39” skin suit, Under Armour.

With massive hype surrounding the suits and the team as a result of Under Armour’s own marketing and broadcasters’ repeated mentions, expectations were high, but after six days of sub-par racing the U.S. team actually swapped back to their old uniforms, dropping the popular sportswear manufacturer’s stock price some 2.4% overnight.

The response

Under Armour wasn’t shy when the need for crisis management became obvious, telling anyone who would listen about the rigorous testing procedures for the Mach 39 and mentioning multiple other groups of athletes who found success in world events like the World Cup and even in other sports at Sochi itself wearing Under Armour gear.

With sponsors willing to put big money into speed skating in short supply and a team whose comments to the media had put a serious strain on the sponsor-sponsee relationship, nobody was quite sure how this one would pan out, but in the end Under Armour made a bold move to put the entire situation behind them, committing to another eight years of support for the U.S. skating squad.

It’s not all smooth sailing from here…

Although Under Armour got out in front of the situation much more successfully than the U.S. team did their opponents, a repeat in 2018 would be dangerous for the company’s reputation. You’d better believe there will be a lot of crisis management going on behind the scenes over the next four years as Under Armour works to perfect the suit, and athletes are better trained in what NOT to say about the people paying to support their Olympic aspirations.


Higher Ed Hack Means Crisis Management for UMD


Cyber criminals hit University of Maryland

Despite a recent doubling in IT security staff, personal data including names, Social Security numbers, dates of birth and university ID numbers belonging to nearly 310,000 individuals was stolen from the University of Maryland’s computer systems.

In response, University President Wallace Loh (and, you can bet, his crisis management team) put out a clear and concise letter explaining the situation:

February 19, 2014

Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):

Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.

I am truly sorry. Computer and data security are a very high priority of our University.

A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.

With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.

The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.

University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.

All updates regarding this matter will be posted to this website. Additional information is provided in the FAQs below. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu.

Universities are a focus in today’s global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.

Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.

Sincerely,

Wallace D. Loh
President, University of Maryland

Even better, the university included a F.A.Q. section right below the page hosting the letter, a step that’s likely to reduce the volume of calls and emails officials will be wading through over the next few days.

We’ve been hammering this point in blogs, and it’s certainly worth repeating here – the question is no longer if you’ll face a hack-related crisis, but when. Include the possibility in your crisis management planning, and make sure to practice, because you WILL be putting it to use.


Emerging Crisis Management Risk: the “Internet of Things”


How hackers used a fridge to conduct a cyber crime campaign

It’s clear that an increasing number of the things we use every day can and will be connected to the ‘net. However, the same connectivity that allows us to turn down our thermostat or click off the TV while we’re away from home also leaves room for hackers to attack.

Their efforts are keeping them far more than a step ahead of your average business, and one of the newest tactics is taking advantage of the “Internet of Things” – our connected DVRs, televisions, routers, and, in a recent incident uncovered by security experts at Proofpoint, Inc., even a refrigerator, to power nefarious online activity:

The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location — and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.

Cyber crime is a profitable business, a fact which motivates hackers to constantly explore new avenues of attack, but, as with many other aspects of crisis management, many organizations fail to see the costs associated with not preparing before they’re paying dearly to recover.

At this point it’s safe to assume you will be hacked at some point. Whether it’s through your fridge, a phishing email, or just someone with a silver tongue and some knowledge of social engineering, the difference between a troublesome situation and one that costs you big time in terms of lost trust, reputation, business and time will be how much you cared beforehand.
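The Proofpoint observation quoted above (no more than 10 emails from any single IP address) is why per-source volume rules miss this kind of campaign. The following is an added example, not from Proofpoint or the original post, that runs a per-IP threshold and a cross-source template correlation over constructed mail-log records; the thresholds, the fingerprinting method and the documentation-range IP addresses are assumptions.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PER_IP_LIMIT = 10             # per-source rule; the quote says no IP exceeded 10
MIN_SOURCES = 20              # assumed: distinct senders sharing one template
WINDOW = timedelta(hours=1)   # assumed burst window


def fingerprint(body: str) -> str:
    """Hash the body with digits and whitespace runs collapsed, so that
    per-recipient tokens do not change the fingerprint (assumed method)."""
    norm = re.sub(r"\d+", "#", body.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def per_ip_offenders(events, limit=PER_IP_LIMIT):
    """Classic volume rule: source IPs that sent more than `limit` messages."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in counts.items() if n > limit}


def distributed_campaigns(events, min_sources=MIN_SOURCES, window=WINDOW):
    """Return {fingerprint: source_ips} for templates sent by at least
    `min_sources` distinct IPs inside any single sliding window."""
    by_fp = defaultdict(list)
    for ts, ip, body in events:
        by_fp[fingerprint(body)].append((ts, ip))
    flagged = {}
    for fp, hits in by_fp.items():
        hits.sort()
        start = 0
        in_window = Counter()  # source IP -> messages currently in the window
        for ts, ip in hits:
            in_window[ip] += 1
            # Evict records that fell out of the window ending at `ts`.
            while ts - hits[start][0] > window:
                old_ip = hits[start][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                start += 1
            if len(in_window) >= min_sources:
                flagged.setdefault(fp, set()).update(in_window)
    return flagged


def sample_events():
    """Constructed records (timestamp, source_ip, body); not real log data."""
    t0 = datetime(2014, 1, 2, 9, 0, 0)
    events = []
    # 40 low-volume senders, 8 messages each, one template with a varying token.
    for d in range(40):
        ip = f"203.0.113.{d + 1}"
        for m in range(8):
            ts = t0 + timedelta(seconds=d * 30 + m * 5)
            body = f"Invoice {d * 100 + m} is overdue,  open the attachment"
            events.append((ts, ip, body))
    # One legitimate bulk sender: high volume from a single IP.
    for m in range(50):
        ts = t0 + timedelta(seconds=m * 20)
        events.append((ts, "198.51.100.7", f"Weekly newsletter issue {m}"))
    # Ordinary one-off mail.
    for d in range(5):
        ts = t0 + timedelta(minutes=d)
        body = f"Meeting notes from user {d} about topic-{'abcde'[d]}"
        events.append((ts, f"192.0.2.{d + 1}", body))
    return events


if __name__ == "__main__":
    ev = sample_events()
    print("per-IP rule flags:", sorted(per_ip_offenders(ev)))
    for fp, ips in distributed_campaigns(ev).items():
        print(f"template {fp}: {len(ips)} distinct sources")
```

On the constructed data the per-IP rule flags only the legitimate bulk sender, while the template correlation surfaces all 40 low-volume sources.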


Jonathan Bernstein’s Crisis Management Advice for Sochi Sponsors


What are major sponsors like Coke and McDonald’s doing to prepare for trouble related to the Games?

This year’s Sochi Games are the most tense in many years for reasons related to everything from human rights violations in Russia to the frighteningly real chance of a terrorist attack. Our own Jonathan Bernstein sat down with CCTV America’s Michelle Makori to discuss the crisis management plans they have (or at least should have) in place:


Yahoo’s Crisis Management after Hack Lacks Key Ingredient


VP Jay Rossiter’s message to stakeholders was missing something important…

Late last month, Yahoo joined the ranks of organizations to have been hit by hackers in 2014. A hack is never good news at any time, but because the company had already been under fire over extensive downtime for its Mail service in December, as well as a Flickr outage that left users floundering, this incident brought an extra dose of reputation damage.

While Yahoo is staying mum on exactly how many were affected, here’s what senior VP Jay Rossiter had to say about the situation in a blog post:

Security attacks are unfortunately becoming a more regular occurrence. Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.

Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.

What we’re doing to protect our users

We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.

We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.

We have implemented additional measures to block attacks against Yahoo’s systems.

What you can do to help keep your accounts secure

In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks.

We regret this has happened and want to assure our users that we take the security of their data very seriously.

For more information, please check our Customer Care help page.

By Jay Rossiter, SVP, Platforms and Personalization Products

While the explanation of steps taken and the re-securing process are easy to follow for even the average user, can you spot the missing ingredient in Yahoo’s crisis communications?

If you said compassion, you’re on the ball. Not once did Rossiter express compassion for the stress, concern and confusion that affected users undoubtedly experienced. He came close with the “regret” statement, but fell short of actually commiserating with his constituents, a mistake that undoubtedly hurt Yahoo’s overall crisis management efforts.
