Crisis Management
Outline
• Definitions
― Crisis Management
― Incident Management
― Problem Management
• People in a crisis
― Reaction versus response
What is Crisis Management?
• The plans for and actions taken to protect and defend the reputation of the organization, its brand and its products/services.
• A ‘crisis’ may be the result of an ‘incident’ – but not necessarily. A crisis could be the result of rumours, product defects, adverse publicity, negative social media activity, or actions of employees, distributors or suppliers that reflect poorly upon the organization.
• Not every Incident will result in a Crisis (an operational disruption may be transparent to anyone outside the organization). Not every Crisis will be an Incident (adverse publicity, for example, should not disrupt day-to-day operations).
• Rarely will a Crisis become an Incident. However, operational disruptions that may require Crisis Management activities are too numerous to list.
What is Incident Management?
• The plans for and actions taken to respond to a disruption of day-to-day operational activities – aimed at returning to the original state.
• Need not be a ‘disaster’, but must impact the ability to operate.
• Severity of an incident may vary through time.
• The ‘management’ of an ‘incident’ focuses on determining the impacts of the disruption, developing a strategy for response, and managing the recovery of impacted systems or processes – and coordinating the efforts of Recovery Teams charged with carrying out that strategy.
• Incident Management starts when the ‘disruption’ is reported, and ceases when operations have returned to their original state.
Crisis versus Incident
• To assure an effective response to any unplanned event, Incident Management and Crisis Management plans should be developed, updated and maintained as separate entities.
• Clear areas of responsibility must be documented in each plan.
• Process for invoking each plan must be clearly defined, and the whole organization should be trained – so that everyone understands the roles of these two separate plans.
• Don’t create confusion. Create clear goals, responsibilities and lines of authority for both Incident Management and Crisis Management – and document them in separate plans.
What is Problem Management?
• Problem Management aims to manage the lifecycle of all Problems.
• The process of minimizing the adverse effect on the business of incidents caused by errors in IT infrastructure and systems, and of proactively preventing the occurrence of incidents and associated crises.
• Not all crises or incidents constitute a problem. This sounds counterintuitive, but it follows from the formal definition of a problem.
• Problems look at incidents in a systemic way to determine underlying causes and look for common cause.
Immediate Responses
KAHNEMAN’S SYSTEM 1 VS SYSTEM 2
Kahneman, Daniel. Thinking, Fast and Slow. 1st ed. Farrar, Straus and Giroux, 2011.
Different approaches
• The main function of System 1 is to maintain and update a model of your personal world, which represents what is normal in it.
• When System 2 is otherwise engaged, we will believe almost anything. System 1 is gullible and biased to believe; System 2 is in charge of doubting and unbelieving, but System 2 is sometimes busy, and often lazy.
• Understanding a statement must begin with an attempt to believe it: you must first know what the idea would mean if it were true. Only then can you decide whether or not to unbelieve it. The initial attempt to believe is an automatic operation of System 1.
• Unbelieving is an operation of System 2.
What does this mean for a crisis?
The initial stages of a crisis often bring chaos and confusion
• Unhelpful feedback loops establish themselves quickly:
― System 2 starts analysing the problem and becomes absorbed
― Now unchecked, System 1 starts believing falsehoods
― Group-think reinforces these falsehoods
― Results from System 1 start affecting System 2
― The outcomes: time wasted chasing false leads, and bad information shared with stakeholders
• Often leads to a reaction to a crisis rather than a response.
― Cf. the Russian Gerasimov Doctrine and Reactive Control
• Both of these outcomes reduce the level of trust and can make matters worse
Avoiding Reactions
• To avoid a crisis resulting in a reaction:
― Have a detailed crisis response plan prepared in advance.
― Have a crisis response team identified in advance.
Is Action Even Necessary?
• Some situations demand an immediate response
― E.g. house on fire – evacuate and once everyone is safe, fight the fire
― Aircraft engine failure
▪ Vital actions checklist, then think and work the problem
• Some situations do not
• In complex situations, the instinctive response is often the wrong one
• Advice to pilots: in case of doubt, do nothing
• Generally, the best thing to do is to gather more information
Crisis Communications
• Unified response
― Speak with one voice – your PR department
• Primary contact should be public relations
• Break bad news directly
― Cover-ups and delays are counterproductive
― The BCP should cover the approvals process for statements
• Use technology
― Mailing lists, web site, etc.
― Manage social media carefully
• Select a site for press conferences
• Record events
― Useful for insurance, legal, as well as process improvement
Case Study – Equifax
• Exploited via a vulnerability in the Apache Struts web development framework
• CVE-2017-5638: “The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.”
• CVSS Score: 10.0 – Critical
• Apache released a patch in March 2017
• Equifax was breached in mid-May 2017
• Credit history information of 143 million US citizens compromised
― And an unknown number of international subjects
• Information also includes password reset questions
• CISO had degrees in music composition, not IT/IS/CS
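The two defensive checks implied by the CVE text above, as an added example that is not part of the slides: an asset-inventory test that maps a Struts 2 version onto the affected ranges the advisory names, and a log-triage filter that flags Content-Type values carrying the `#cmd=` marker or not shaped like a media type at all. The sample request records are constructed, and the media-type syntax check is an added heuristic, not something the slide states.

```python
import re

# Affected ranges from the CVE-2017-5638 description quoted above:
# Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.
FIXED_IN = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
# Heuristic (assumption): a legitimate Content-Type is type/subtype built from
# RFC 2045 token characters, optionally followed by ";parameters".
MEDIA_TYPE_RE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;.*)?$")
# Marker the slide names from the in-the-wild exploitation.
SUSPECT_MARKERS = ("#cmd=",)

def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(p) for p in version.strip().split("."))

def struts_vulnerable(version):
    """True when the Struts 2 version lies in an affected branch below its fix."""
    parts = parse_version(version)
    fixed = FIXED_IN.get(parts[:2])
    if fixed is None:
        return False          # branch not named in the advisory text
    return parts < fixed      # (2, 5, 10) < (2, 5, 10, 1) is True

def suspicious_content_type(value):
    """Flag a Content-Type that carries '#cmd=' or is not a well-formed media type."""
    value = value.strip()
    if not value:
        return False          # header absent, e.g. a plain GET
    if any(marker in value for marker in SUSPECT_MARKERS):
        return True
    return MEDIA_TYPE_RE.match(value) is None

def scan(records):
    """Return (client, content_type) for every record worth an analyst's look."""
    return [(client, ctype) for client, _request, ctype in records
            if suspicious_content_type(ctype)]

# Constructed sample records: (client IP, request line, Content-Type value).
SAMPLE_RECORDS = [
    ("10.0.0.5", "POST /upload.action", "multipart/form-data; boundary=----x1"),
    ("10.0.0.7", "GET /index.html", ""),
    ("10.0.0.9", "POST /upload.action", "#cmd=PLACEHOLDER"),
    ("10.0.0.3", "POST /upload.action", "not a media type"),
]

if __name__ == "__main__":
    print("Struts 2.3.31 vulnerable:", struts_vulnerable("2.3.31"))
    for client, ctype in scan(SAMPLE_RECORDS):
        print(f"review {client}: Content-Type={ctype!r}")
```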
What Makes Equifax Worse
• Company waited six weeks before disclosing the breach
• Executives sold their shares during this period, collecting US$1.8 million
― Including the CFO, who a spokeswoman claims was unaware of the breach at the time
― Why not?
• Company set up a website to allow people to check if their data was compromised
― But required entry of their last name and last 6 digits of SSN
― Would you trust Equifax with this?
― And then tried to sell them a “TrustedID Premier” credit monitoring service
▪ Which would charge $19.95 per month after a free first year
Case Study – Norsk Hydro
• 160 sites hit by LockerGoga targeted ransomware just after midnight, March 19th, 2019.
• Rapidly infected Windows PCs – both desktops and servers
• At 5 am, administrators disconnected their WAN and posted notices asking employees to unplug their computers (including at home)
• Notified the stock market they were under attack and reverting to manual production processes
• Email was already in cloud (Office 365) and unaffected
• Communication with external stakeholders via Facebook; hydro.com redirected to a very basic temporary website in Azure
• Lots of frank external communications, including accepting questions from external webcast viewers
Result: their share price went up.
Strategies for Reputation Repair
• Denial
― If it really wasn’t your problem or nothing really happened
• Evasion of Responsibility
― “We were forced to respond”
• Reducing Offensiveness
― Assist victims, e.g. with credit reporting, replacement of credit cards, etc.
• Corrective Action
― Undertake to correct any deficiencies
• Mortification
― Fall on your sword
• Four Pieces of Wisdom
― Avoid “no comment”
― Be quick
― Be accurate
― Be consistent
Benoit, William L. “Image Repair Discourse and Crisis Communication.” Public Relations Review 23, no. 2 (June 1, 1997): 177–86