Category: Organization Development

This is how you do crisis management right

Buffer, the popular social media sharing service beloved by power users and community managers, put on a clinic in crisis management after its service was hacked October 26th. Shortly after some Buffer users began to see spam posts go out from Twitter and Facebook profiles connected to the service, the techs at Buffer decided to pull the plug on posting, hiding Facebook posts made by the app and disconnecting Twitter accounts altogether.

Knowing stakeholders would be concerned and clamoring for information, the Buffer team started blasting out updates via its blog, email, Twitter account and Facebook page.

Here’s the mail we received within minutes of hearing about the problem:

Hi there,

I wanted to get in touch to apologize for the awful experience we’ve caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now.

Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We’re working hard to fix this problem right now and we’re expecting to have everything back to normal shortly.

We’re posting continual updates on the Buffer Facebook page and the Buffer Twitter page to keep you in the loop on everything.

The best steps for you to take right now and important information for you:

• Remove any postings from your Facebook page or Twitter page that look like spam
• Keep an eye on Buffer’s Twitter page and Facebook page
• Your Buffer passwords are not affected
• No billing or payment information was affected or exposed
• All Facebook posts sent via Buffer have been temporarily hidden and will reappear once we’ve resolved this situation

I am incredibly sorry this has happened and affected you and your company. We’re working around the clock right now to get this resolved and we’ll continue to post updates on Facebook and Twitter.

If you have any questions at all, please respond to this email. Understandably, a lot of people have emailed us, so we might take a short while to get back to everyone, but we will respond to every single email.

– Joel and the Buffer team

Sincere apology that kept tone in line with Buffer’s typical casual attitude, check. Quick, simple presentation of the most important information, including what we needed to do ASAP, check. Showing of compassion? Check. Option to interact? Check again.

As you can see from Buffer’s Facebook page, the company was even more active in communication there, releasing a constant stream of info for stakeholders, media, and whoever else wanted to know.

We’ll leave the technical explanation for others, but in short Buffer patched up the security problem and was up and fully functional by mid-day Sunday. The Buffer team wasn’t content to simply start back up again though, they made certain users were aware of what happened, and that they wouldn’t encounter frustration getting their accounts back in order. Here’s their followup email:

Hi there,

I wanted to follow up with you after yesterday’s hacking incident. For many of you this has seriously disrupted your weekend – I’m sorry we caused that awful experience. The Buffer team has been working around the clock and I’m glad to say we’re back up and running. We have also spent all of today adding several security measures.

There’s one key step to using Buffer again: You will have to reconnect all your Twitter accounts, even if you’ve already done so. Go to the Buffer web dashboard to reconnect.

• Other important things for you to know:
• Reconnecting won’t work in mobile apps, all Twitter accounts will have to be reconnected on the web dashboard.
• Your Facebook posting will have resumed normally, there is nothing you need to do.
• Signing in with or connecting a new Twitter account in the iPhone app won’t work until our new update is approved by Apple.

I want to apologize again and say that I’m incredibly sorry this has affected you and in many cases also your company. We’ve written a blog post with ongoing updates as we uncover the full details.

What is left for us right now is to complete our technical analysis and take further security measures. We will follow up with another update on this soon.

I want to invite you again to hit reply to this email or post a comment on our blog post. We will be sure to respond to you as fast as we can.

– Joel and the Buffer team

Nailed once again, and, as with other communications, this information was echoed across Buffer’s social media channels.

With high-profile hackings becoming a regular occurrence, other organizations could do much worse than to directly copy Buffer’s approach. Keep the information flowing, fix the hole quickly, and let your stakeholders know you’re aware of their frustration. That’s how you do crisis management when you’ve been hacked.

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is Social Media Manager for the firm, and also editor of its newsletter, Crisis Manager]

Protecting your reputation is a prime crisis management concern

We’ve said for years that reputation is an organization’s most valuable asset, an assertion backed up again and again by real-life experience. In his Managing Outcomes newsletter, our friend and colleague Tony Jaques recently shared two real-world examples which directly support this belief. Here’s a quote:

It’s hard to demonstrate beyond doubt that the investment you make to help improve reputation will be consistently rewarded. But there can be no doubt at all that a major hit to reputation will surely damage shareholder value.

That truth was reinforced this month when two high-profile reputational crises took their impact straight to the bottom line.

The first was headline news across the country alleging bribery and corruption at the highest level at the international construction giant Leighton Holdings to gain contracts in Iraq, Malaysia, Indonesia and elsewhere. The result was $700 million, or more than 10%, wiped off the share value in a single day.

While some analysts claimed it was “an overreaction to allegations first aired more than a year ago,” there were further losses the following day before the market stabilised. As BRW columnist Leo D’Angelo Fisher commented: “As spectacular front-page headlines go, when it comes to media coverage of Australian business, this may prove to be the one to beat for 2013, and for some time thereafter.”

There were instant denials and angry letters from lawyers, and there is a long way to run before the truth will be established. But within a week three senior executives resigned and Leighton’s reputation has been hard hit.

The same happened to California “green car” maker Tesla when one of their electric cars ran over debris on the road and a fire began in the battery-pack. Unfortunately, a passerby recorded the blaze and the video went viral, with investors slashing $US2.5 billion, or about 6%, off the company’s value. Once again it was a media-driven reputational crisis, but the video rekindled concerns about the safety of lithium-ion batteries and that concern translated directly into a costly loss of confidence.

Public Affairs Council President Doug Pinkham recently wrote: “Reputation management is an inexact science because running a business is not a controlled experiment. The variables are always changing, and the markets often reward a company one day and punish it the next.”

Tony also shared a Weber Shandwick study, “Safeguarding Reputation,” that determined, worldwide, 63% of a company’s market value is directly tied to reputation, a fact perfectly backed by the two examples above.

Everything, from where you source material, to what you stock on store shelves, to what your employees post on social media, has the potential to impact your reputation. You wouldn’t leave the contents of your bank account unattended, so why would you neglect to prepare a crisis management plan that will help keep your reputation as strong as possible?

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is Social Media Manager for the firm, and also editor of its newsletter, Crisis Manager]

We’ve seen some big changes

The way we do crisis management, and PR in general, has changed so drastically that even those of us who were along for the ride are sometimes astonished. For those younger folk who never knew the non-digital version of what we do, this Inkhouse infographic will really blow your mind:

As you can see, a shift in the tools we use has changed the playing field dramatically!

The change that stands out the most to us is the move toward actively communicating in an open and honest manner. For quite a long time, while it wasn’t smart to lie, it was considered perfectly OK to completely avoid discussing any negative incident and only serve up fluff-piece-type news to reporters via press release. Of course that’s all changed now, and although many orgs have needed to be dragged kicking and screaming into the new era, those who have embraced the modern edict of “honesty, transparency, responsibility” are reaping the benefits.

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is Social Media Manager for the firm, and also editor of its newsletter, Crisis Manager]

Knowing the right steps to take is key to social media crisis management success

Social media crisis management was uncharted territory a few short years ago, but the sheer number of crises popping up in the social sphere meant best practices were ironed out pretty quickly by those in the trenches.

Given that just about every organization can count on running into some type of social media snafu, this infographic from social media coach Janet Fouts would be at home on any office wall:

We do feel it’s important to clarify one thing – “Don’t fight back” doesn’t mean that you shouldn’t take a proactive approach. What it means is that you should never engage in back-and-forth argument via social media, just like you shouldn’t in person. Share your point, allow others to share theirs, and acknowledge that they’ve been heard. It’s perfectly normal to feel that you need to battle to defend your good name, but if you take off the gloves and start in on a verbal slugfest you’re more likely to wind up like the infamous Amy’s Bakery than convince others to share your views.

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Erik Bernstein is Social Media Manager for Bernstein Crisis Management, Inc. and editor of Crisis Manager]

The spike in visibility of crises has most certainly resulted in changes to how organizations operate, and alongside that trend another is growing, albeit more quietly – that of training people to fill the variety of emergency and crisis management roles that are emerging.

Check out this description of one such course, from a Kansas City Star article by Mara Williams:

Any of your college classes go like this?

There is Stephanie Eiken, dangling 40 feet in the air from a rope attached to a harness strapped around her waist while she stages a mock rescue from a forest fire lookout tower.

Classmates, meanwhile, tend to people playing victims of an F5 tornado. An injured pregnant woman. A man buried under concrete. A person pierced by a metal bar. Complicating matters are burning buildings, closed roads and knocked-out bridges.

It all was part of a three-day training exercise for 50 students in Northwest Missouri State University’s new comprehensive crisis response bachelor’s degree program. Such training is becoming more common for college students as a growing number of schools nationwide offer degrees in emergency management and crisis response.

Many of today’s top emergency and crisis management pros learned on the job, but it sounds like the next generation may come equipped with skills and knowledge that used to take years of facing real action to master. We’re excited to see how they put them to use, and what new achievements they’ll be able to reach as a result!

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Erik Bernstein is Social Media Manager for Bernstein Crisis Management, Inc. and editor of Crisis Manager]

The most vulnerable point of access to your data isn’t a computer, but a human being

Cyber security has been a hot topic as of late, but few are discussing the fact that humans are actually the weakest link in the information security chain.

While hackers do employ some seriously powerful tools, it’s often just as easy to trick their targets into revealing too much information, or even unknowingly installing malware on their own systems.

For those of you new to the term, here are a few examples of social engineering tactics being used on the web today, from Consice-Courses information security expert Henry Dalziel:

1. Social Networks

Having your Facebook account hacked can easily result in having a friend (who is a genuine friend of yours) asking for cash because their “wallet was stolen” whilst they were travelling. Clearly, receiving an email from a friend is exactly that: from a friend, so the barrier of trust is completely open.

2. “Someone has a secret crush on you! Download this app and find out who it is!”

This social engineering attack also comes from social networks like Facebook. Facebook applications are for the most part free from any malware of bad intent, but some still contain nefarious objectives. The wording of the app is all too important and needs to touch some fundamental human emotional buttons, because, as the title of this entry states, who wouldn’t want to know who had a “secret crush on you!”

The “I love you” computer worm that attacked millions of Windows personal computers May 5th 2000 started spreading as an email message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.txt.vbs”. The success of this download was due to the wording.

3. “Click this link!”

On the same subject of effective copy to entice a social engineering attack, social engineers title an email to solicit an action – i.e. getting the user to “click here”. Again, the attacker’s ideal set-up is to have gained access to a user’s social account or email account. The inherent trust that you will have to open and click on a link from someone you know is second nature. Visiting an infected site or page from an email can install malware on your machine, either by a Java drive-by or another means. Another good example is Twitter spam that we often receive which contains the subject “Did you see this video of you?” again it’s a play on words. See the 2nd “secret crush” scam and you’ll see how being able to connect on an emotional level will ensure a pretty decent success rate for the hackers.

4. Fake office IT Support

This is a pretty varied but very popular social engineering attack whereby someone pretends to be an IT Support Technician and offer to fix a “broken computer” or an “infected machine” that contains viruses and malware. All you need is confidence and authority in your voice and choice of words. Again, refer to back to our Hacker Hotshots event with Chris Silvers and listen to some of the calls that he and his team made to solicit passwords and other sensitive information. In some extremes examples the attacker will actually enter the business and pose as an IT Technician. We learned about a technique called “tailgating” when we compiled our Concise Courses ComPTIA Security+ Information Pack – which is actually a unit within section 3.0 Threats and Vulnerabilities of the syllabus. As the terms suggests, tailgating is when the attacker attempting access to a building will purposely wait near an office lobby waiting for real employees to enter the building with their genuine ID cards – as they open the door they politely hold the door open for the attacker. Appearance is vital for this to work. Being dressed like an IT Technician would for that particular organization will certainly greatly assist this particular social engineered scam.

5. Phishing lures

Receiving an email that claims that you have not paid for an item on eBay can very often solicit an action from an unsuspecting victim. You might think that that is a ridiculous scam that will not affect anyone, but as long as the attackers are sending out millions of messages like that – their success rate can be low but yet profitable. Like several other social engineering attacks listed in this post, the eBay Phising Lure Scam also works on a human emotion. EBay users are very aware of the impact of receiving negative reviews, therefore any message that arrives in their inbox from someone who seems to be from eBay often will result in an action being taken. When the user falls for this attack they can be send to a spoofed eBay page that looks just like the real login page with the user’s login information being captured and then used against them to withdraw funds etc. Withdrawing funds from eBay is often possible owing to the fact that many users login information for their eBay and PayPal accounts will be the same. One solution with this particular scam is to manually open up a browser and hit your account yourself – is there a message in your eBay inbox? If yes then it is genuine. If not, then ignore your other message.

6. “You have been dismissed” or “Help victims of ‘fill in the blank’ natural disaster”

Social engineering tactics are becoming increasingly specific. Sending out blanket emails to hundreds of employees saying that regrettably their position at the organization has been terminated and that they must download a certain form etc can have a decent success rate. Why? Because perhaps there was a rumour circulating that redundancies were inevitable owing to the financial crisis. Timing is everything with this scam.

Unfortunately, every time there is a natural disaster there is an associated social engineered attack. Again, as is consistent throughout this blog post, the natural disaster scam along with the redundancy email is associated to human emotion for curiosity.

7.Hijacked Twitter hashtags

Social engineers just need to look at what is trending on Twitter to fabricate or hijack a hashtag that has an embedded link to a malware site or Java Drive-by.

With studies showing that under 1/4 of all organizations do any type of social engineering training at all, most targets are an easy slam-dunk for a skilled manipulator. Mark these words – as we base more and more of our operations around a digital model, preventing social engineering attacks from being successful WILL gain traction as a must-have component to any crisis management plan.

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Erik Bernstein is Social Media Manager for Bernstein Crisis Management, Inc. and editor of Crisis Manager]

Incident demonstrates why Twitter is ideal for quickly spreading information to your stakeholders

When your organization is in crisis, Twitter is now the go-to platform for disseminating information to a wide audience as rapidly as possible. Never was this more apparent than in the wake of the chaotic shooting at LAX airport, where a steady stream of posts went out from the official LAX and LAPD Twitter accounts.

Here’s a sampling of tweets that went out early on in the crisis, compiled by PRDaily’s Matt Wilson:

Crisis communicators took to Twitter after at least three people, including a TSA agent, were shot in Los Angeles International Airport’s Terminal 3 on Friday morning. Local news reported that the suspect was in custody.

The official LAX account confirmed that in a tweet sent around 10:50 a.m. local time:

Suspect is now in custody. Multiple victims. Press conference at 11:30 am at Sepulveda Blvd/Century Blvd w/ Airport Police & LAPD Chiefs

— LAX Airport (@LAX_Official) November 1, 2013

The managers of the airport’s account focused primarily on tweeting information about air traffic and keeping travelers away from the area where the shooting occurred. The first tweet about the shooting went out just after 9:30 a.m.:

There is an incident underway at LAX. Law enforcement is on scene. More information to follow.

— LAX Airport (@LAX_Official) November 1, 2013

By about 10:15, the airport announced a ground stop was in effect and that traffic headed toward the departures area was being blocked by police.

Other than arriving flights, flight operations have been temporarily held.

— LAX Airport (@LAX_Official) November 1, 2013

The airport’s account also tweeted this alert to the news media:

As soon as law enforcement allows, broadcast equipped vans will be allowed to park between terminals 1 and 2 upper/departures level

— LAX Airport (@LAX_Official) November 1, 2013

The Los Angeles Police Department tweeted that the FBI was on hand to help with the incident, a notice that the central bureau was on tactical alert, and a photo of officers on the scene:

#LAPD on scene of major incident at #LAX. #poltwt http://t.co/EUkN5Wtzze pic.twitter.com/9mAguPtcll

— LAPD Communications (@911LAPD) November 1, 2013

There was also this warning to people headed to the airport:

The #LAPD & @CHPsouthern is requesting that the area around @LAX_Official Airport be avoided so resources can be deployed. #LAX #poltwt #CHP

— LAPD Communications (@911LAPD) November 1, 2013

LAX didn’t stop using social media for crisis management after the immediate crisis was abated either. Updates regarding delays or closures, and information to help passengers reach their gates quickly or find luggage left behind in the chaos were constantly pushed out for over 24 hours after the shooter was in custody.

Unfortunately, this situation led to a loss of life, and our hearts go out to those affected. We must give kudos to LAX and LAPD, however, for their efforts in not only protecting, but informing the public, no small task when faced with the stress and confusion that accompany any sudden crisis.

The BCM Blogging Team
http://www.bernsteincrisismanagement.com

Social Impact Bonds are finally moving from idea to reality, in a few states. These “pay for results” government contracts are a new form of financing where payment only occurs if the agreed-upon social results are achieved. No results, no money. Financing comes from a private sector financing intermediary, which secures funds from private investors and selects a nonprofit service provider. Often payment is based on how much government saves if the program succeeds. If the project is successful, investors get their principal returned plus interest.

Currently only “evidence-based, proven” programs carried out by large, high-capacity nonprofits qualify, although this will probably change as more SIDs are released. So far, three states — New York, Minnesota and, believe or not, Utah — have announced or launched SIB transactions, and ten others (most notably California, Texas, Illinois, Ohio, Pennsylvania and Colorado) are in the process of exploring or developing them.

Here’s an excellent summary of the current SIB situation by state, and what kinds of nonprofit qualify, risks and challenges, from our colleagues at Social Impact Architects. Their newsletter is also the source for the graphic in this blog.

Quick update from that article:

“President Obama launched Pay-for-Success pilots in criminal justice and workforce development through the Departments of Justice and Labor, respectively. The Department of Labor awarded fund to Massachusetts and New York; awards from the Department of Justice have not yet been announced.”

Good luck!

Surprising number of states not requiring schools to prepare for disasters

We send our kids off to school every day trusting those responsible for their care are properly prepared for disaster crisis management, but the frightening reality is that most aren’t. Aid group “Save the Children” is working to change that, and as part of their efforts they’ve released a report blasting states across the nation. The AP’s Andrew Miga has more details:

Eight years after Hurricane Katrina, most states still don’t require four basic safety plans to protect children in school and child care from disasters, aid group Save the Children said in a report released Wednesday.

The group faulted 28 states and the District of Columbia for failing to require the emergency safety plans for schools and child care providers that were recommended by a national commission in the wake of Katrina. The lack of such plans could endanger children’s lives and make it harder for them to be reunited with their families, the study said.

The states were: Alaska, Arizona, Colorado, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Iowa, Kansas, Maine, Michigan, Minnesota, Missouri, Montana, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Texas and Virginia.

After Katrina exposed problems in the nation’s disaster preparedness, the presidentially appointed National Commission on Children and Disaster issued final recommendations in 2010 calling on the states to require K-12 schools to have comprehensive disaster preparedness plans and child care centers to have disaster plans for evacuation, family reunification and special needs students.

Attention State officials and educators! How many warning signs do you need to see before you understand you’re heading for a catastrophe? How many times can you watch as devastating disasters place students in danger and think, “it won’t happen to us?”

It’s a common trap, and one that costs lives every single year. Your duty as a school or child care center is not only to educate, but also to provide a safe and secure environment for the future of our nation. Don’t neglect disaster crisis management until it’s too late.

The BCM Blogging Team
http://www.bernsteincrisismanagement.com

Often the transition time between Executive Directors is a difficult and caretaker time for nonprofits. But if a Board lets it be just that it may not be taking advantage of an important opportunity. The transition – or interim time – can be a valuable, building block and stepping stone period for the next Executive Director’s success.

In my work, a favorite project is assisting small nonprofits in their search for a new executive director. I have developed a cost effective process that is very effective in identifying outstanding ED candidates and efficiently choosing finalists. But frankly, I haven’t thought much about the interim period for nonprofits between permanent EDs…until now. I currently chair the Search Committee for a new pastor for my church congregation. This truly a huge and humbling responsibility and fortunately I am part of an extremely capable Search Committee. The Church’s governing body has hired an interim pastor and he is not involved in nor can be a candidate for our next permanent pastor according to our church rules. However, reconciling the past and preparing for the future are part of what is in his contract. I have read his contract over and over and I am impressed with some of the listed responsibilities. Here are some highlights:

The interim period is seen as prime time for renewal, re-energizing the parish in its life and mission.

Specific tasks include:

1) Coming to terms with the history of the congregation and its relationships with previous clergy.

2) Discovering the congregation’s special identity, what it dreams of being and doing apart from previous clergy leadership.

3) Dealing with shifts in leadership roles that naturally evolve in times of transition, allowing new leaders to come to the fore constructively.

4) Renewing and reworking relationships with the Diocese, so that each may be a more effective resource and support to the other.

5) Building commitment to the leadership of the new rector in order to be prepared to move into the future with openness to new possibilities.

That’s a tall order. But step back a moment and think about it. If done right it lays a lot of groundwork for the future success of our new pastor who will be called to lead our congregation.

All of this has made me think of how important this interim phase is to nonprofits – especially small and midsize organizations. This is a time of uncertainty and it can me marked by anxiety, impulsive change by temporary leaders, reduced fundraising, etc., etc.. Or it can be a time of understanding who you have been, who you are now, and what are your dreams of becoming. It should be a time of “renewing and reworking” your relationships with major funders and key supporters. And it should be a time of preparation for willingness to adapt to a new leader with a new approach, personality, style and goals.

I have seen a wide range of transitions to new executive directors – both as a consultant and as a Board Member. And for the first time, I am learning how valuable this phase can be.

Each transition to a new Executive Director is unique and therefore the plan for each must also be unique. You may be hiring a first executive director or replacing a founder who ran the place “his way” for the last 25 years. The ED may have quit after a short tenure or may have left under less than ideal circumstances. The ED may have just left for a better paying job closer to home. Whatever is the case the Board should plan to make the interim period be a valuable time rather than just a caretaking period. Here are just a few thoughts on this matter for boards to help with the transition.

Conduct and Exit Interview

There are basic HR functions that should occur with an exit process but in addition at least two Board members should interview an exiting ED in order to gain insight that will be helpful with the next ED. You should ask about any key concerns that the person has with the organization and Board and what they see as the organizational priorities, strengths and weaknesses.

What Needs to be Accomplished in the Interim

Based on the unique issues facing your organization, develop a clear list of responsibilities and goals for the Interim ED. Make it more than just “keeping the ship afloat.”

Communication

Communicate the Board’s commitment to the mission and the future to all constituents including staff, funders, volunteers and supporters. Share the search process and hoped for timeline for a new ED to be in place. Encourage contact with the interim leadership.

This is a good time to hold meetings with your various constituents to see how they view the issues and priorities for the organization. This information can be helpful as you get further into your search process and what you are looking for in a new ED takes on more clarity.

The Right Welcome

The Board needs to take a leadership role in welcoming the new ED. Make sure it is announced with fanfare – press release, email blast and reception. Board members should accompany the new ED on a first visit to funders and major donors.

I am considering developing a model for a “Transition Retreat for Boards and Other Constituents. What do you think? What do you suggest I include in such a model? Please leave your comments.