Monday, March 29, 2010

Crisis Management Part 2

Crisis Management Part 2

Crisis management probably cannot be distilled into a step by step recipe. Perhaps that is because the first ingredient may be rare. Winston Churchill said, "Courage is the first of human qualities because it is the quality that guarantees all others."

JettBlue's Neeleman exhibited courage and he demonstrated creative thinking during the Valentines Day Crisis aftermath. Every situation is unique. Take for example, the Tylenol crisis that Johnson and Johnson had to bear, the snow storm that plagued Jet Blue and the Taco Bell e-coli incident. The only thing these events appear to have in common are that they are crises. Even so, appropriate tactics must be developed based on certain core principles that underlie successful crisis management for an event that cannot be predicted. This preparation enables an organization’s leadership to remain focused and effective as crises unfold.

At the following web address I found a wonderful listing of the seven basic principles for effective crisis management: :

They are listed below with my additional comments added.
Seven basic principles underlay an appropriate and effective response to a crisis. They include:

Understand media interest in your story The media are the prime driver of most crises.... They are very much accustomed to the crisis environment in a way that executives are not. In fact, many reporters delight in the crisis environment in a way that executives do not. It is important to understand the media, much the way you understand your customers and competitors. Never rely exclusively on the media to deliver your message. I would add that it is vital to understand that the media’s mandate and the mandate of those managing the crisis for the company are very different. As long as the crisis is ongoing the media has a story and a motivation to keep it going.

Define the real problem and determine your strategy accordingly An organization must first make certain that it is addressing the core problem and not a vexing but ultimately tangential side issue. Once management has defined the problem, they can best determine the goals of the crisis management process and the strategy to drive it. The chosen strategy must be flexible and tailored to the problem management is trying to solve rather than be an artificially imposed standard of ‘good’ or ‘bad’ crisis management. To this I would add that it takes clear vision and a collaborative outlook along with fresh perspectives to ensure that the problem has been fully defined and that the path underfoot is the right path leading to the right solution. Course correction might be necessary at any point.

Ensure legal/regulatory compliance The appropriate response to a crisis is likely driven by SEC rules and/or guidelines set by other regulatory bodies such as the FDA. Securing in-house or external expertise on legal/regulatory parameters is essential prior to a crisis response. Obviously, the opinion must be solicited and obtained very quickly. Do not waste time consulting anyone on whom you will not feel confident in casting the entire weight of the dilemma. They must be informed of all the facts and then trusted for a reliable response.

Manage the flow of information The media often spread misinformation, deliberately or not. Such misinformation can flow back unchecked to internal audiences and distort internal perceptions and proper corporate decision-making. Therefore, aggressively managing the full flow of information is critically important in a crisis situation. This is a vital point. If the inner workings of your team begin to doubt the message or operate from a different play book the damage to the message and to the outcome could be incalculable. Just as dangerous is information that leaks from the company team in unauthorized versions. Every team member must understand who will do the talking for the company and abide by that decision faithfully.

Assume the situation will escalate and get worse Start with the understanding that the situation is likely to get worse before it gets better. Be careful not to be overly optimistic or make categorical statements early on in a crisis. This is a marathon and not a sprint. Rotation and adequate rest cycles must be implemented and enforced. Tired minds make mistakes and delegation is essential.

Remember all your constituencies Employ the best technology you have at your disposal to communicate directly and effectively to all constituencies. Caught in the pressure of a real crisis, companies often overlook direct communications to affected constituencies, such as employees and advisory boards. This is a key area where advance preparation can help.

Remember those who are most deeply affected and deal with them with particular attentiveness. Also remember marginal groups and those who maybe tangentially affected.

Ensure results in real time: Crises evolve. It is imperative that you continually measure the effectiveness of your crisis management tactics to evaluate the overall impact of your crisis management strategy. For large companies, omnibus surveys, select polling and focus groups can quickly generate useful data regarding the public perception of the problem even within the first 48 hours. For smaller companies, a few quick check-in phone calls with key constituents can provide appropriate feedback.

From the information that I have gathered, one thing JetBlue lacked was a crisis Web site. Neeleman did however, enter the on line conversation with sincerity and humility. JetBlue leveraged new Web 2.0 tools like YouTube in a manner that was unprecedented. Neeleman turned the tide with this approach and started a dialogue rather than a lynching. It is wise for companies to create website to refer those affected by the situation to offline and have them ready to go in case a crisis occurs. An 800 number for customers to contact should be set up in advance and be ready to activate or publicize should the need arise. Ideally, the website would be updated every hour. At the following site I found the valuable information listed below:

Ed McLaughlin is vice president of e-business strategy at SVM E-Business Solutions. He can be reached at:

Here are six steps you can take to prepare and implement your organization’s “Digital Crisis Management Strategy”—before bad news strikes:

1. Identify your digital crisis management team. Digital crisis management is going to require a team that has technical know-how and digital media savvy. You can rely on internal or external resources, but recognize that the team will need to be made up of writers, digital designers, web developers, audio and video producers, and people with expertise in PR, crisis management and online communications. You should form that team now; don’t wait for a crisis to occur.

2. Prepare crisis information websites around potential crisis topics. Imagine what could go wrong—and get ready. For example, a fast food company might create a website that anticipated a crisis related to a food-born illness, such as an E-coli outbreak. A consumer product company might anticipate that one of its products is recalled for safety reasons.

Such crisis sites should be designed to answer this question: “If a certain type of crisis occurs, what information could we provide right now about that type of crisis that will help to assure the public that we are responsible and conscientious corporate citizens, handling the crisis proactively, honestly and openly?”
hese websites should be designed as templates, leaving open the space that will be filled with information on the “who, what, where, when and why” of an actual crisis. They should contain background information on your company related to the type of crisis the site addresses. Beyond informing the public during a crisis, these websites will help define your company on your terms, so the crisis and the media (new and old) don’t become the only defining factors.

In addition to background information, the sites should include a media center where the press can obtain information related to the crisis. And it should encourage visitors to sign-up for email notifications, keeping people up-to-date on the crisis and allowing you to establish a one-to-one relationship with members of the public, something valuable during and after the crisis.

Until a crisis strikes, these sites will be inaccessible to the public, locked behind a password protected login, but hosted on production level web servers, ready to be opened to the public at a moment’s notice.

3. Perform keyword research. When a crisis strikes, a company’s ability to communicate directly with the consumer is critical. Keyword research with tools commonly used by pay-per-click and search engine marketers will provide you with insights into the language of the consumer as it relates to your industry, your company and your products and services, which may be different from your “corporate” language. You will use that research to populate the content of your crisis website, optimizing it for search engines. And when a crisis strikes, you will also leverage those keywords to get top visibility and traffic from pay-per-click ads and social media sites.
4. Identify your points of distribution. You will need to know in advance where you will be connecting with the consumer and media: Google, Yahoo, MSN (through their pay-per-click and news channels); YouTube, MySpace, blogs, podcast sites and other social media sites; and online press release distribution services. All these, plus whatever new online outlets emerge between now and the time of your crisis, need to be identified.

5. Be launch-ready. The time to learn how to manage a pay-per-click campaign, or post a video to YouTube is now, not in the heat of a crisis. Start using an online press release distribution service for your day-to-day media relations and be sure to pick a service that posts to the news sites of the top search engines. Use podcasts, blogs and video casts now to promote your brand. Regularly review and revise your crisis website’s content. Incorporating these tools and practices into your work now ensures that you and your team will know how to use them before a crisis.

6. Launch! When a crisis strikes, your team rolls into action. The first step is to incorporate information on the actual crisis into the crisis website, including the steps your organization is taking to address it, and then to open that site to the public. You’ll then leverage your knowledge of digital media and your points of distribution to immediately propagate your information on the crisis online and drive people to your crisis website, where you can engage them on your terms. The process or revising, appending and distributing content will last until the crisis is over.

Ed McLaughlin goes on to add: “When a crisis strikes, your company will be on YouTube, on Google News, in blogs, popping up on cell phones and handhelds—emerging wherever digital media can be created and consumed. The question isn’t whether or not digital media will have an impact on a company during crisis—it might even be the cause of a crisis. The question is, during a crisis, will digital media manage your company or will you manage it?”

A Happier Valentine’s Day

The ideal situation would have been to have a plan in place for dealing with an entirely unpredictable and yet inevitable event like a terrible winter storm. It should not have been an unanticipated event that in the winter storms ground planes. Contingency planning is simply responsible management. If they could prepare the customer’s bill of rights (Appendix A) on the spot mid crisis it is clear that it could have been done in advance. Several questions and their answers should have been determined from the start on the premise that excellent customer service is not optional at any time under any condition. These might include:

1. In the event of a delay who will be notified and how?
2. IN the event of cancellation, how will the customer be compensated?
3. How will they be compensated for long delays?
4. Should a plane be grounded with customers aboard, how will we care for those people?
5. How can we arrange for deboarding in such an event?
6. How will we provide for food, beverages, restrooms and medical care?
7. How will we care for the particularly vulnerable such as the frail elderly and the babies?
8. How will we house passengers stranded by our airline.
9. Can we provide any resources to provide communication to loved ones, to entertain or comfort our passengers?
10. Do we have a response team in place with the proper level of authority to ensure implementation of all of the plans that we have made?
11. How will the internal communication system work in the event of crisis?

 Right Way and a Wrong Way
In the final analysis there is no perfect way to handle a crisis but there are right ways and wrong ways to handle people and events. Here is a list of some of the most important.
  •  Crises require leaders. Step up to the plate and lead from the top. Any CEO who does not take visible leadership during a crisis should not be permitted to lead at any time in the future.
  •  Do not guess at what the problem is. Get accurate information from multiple sources. Make information gathering a priority. Delegate.
  •  Ideally there is a contingency plan to be activated. If not, be creative and think on your feet.
  •  Take responsibility. Denial, mitigating, justifying or diminishing responsibility in the early stages of a crisis while tempting reduces credibility and increases hostility.
  •  Sincerely apologize. No hedging!
  •  Silence is NOT golden. It causes people to speculate and catastrophize the situation building tension and anxiety. Tense, anxious people are more angry, more retailatory and less rational. Talk to people.
  • Say it loud, say it proud and then do it!
  •  Doing nothing is not an option. Do something in a visible manner to allay people’s fears. Provide for basic needs immediately especially for the vulnerable.
  •  Do not leave people in the dark. If help has been initiated tell people. People will wait and they will cooperate if they understand that the company “gets it”, that they understand the problem and that they will address it.
  •  Have you identified all of those who are affected by this crisis? Do not leave out or ignore some people. 
  •  Clearly state how you will make it right. Make the offer concrete. Lofty intangible promises of future changes have no value.
  •  Be media wise. You must shape your own message or it will be shaped for you and the outcome could be disastrous.
  •  Where possible deal with the vocal and the angry as soon as possible to prevent the building of discontent and hostility. Diffuse difficult situations and people as calmly and as quickly as possible.
  • Are you sure that all of your legal obligations are met? Get advice you trust from someone you trust and do not waste time in consultation with people whose input you are not prepared to go with.
  • Multiple messages are deadly. There should be one unified message coming from authorized speakers.
  • Do not panic if things get worse before they get better. This is the normal course of a crisis and this too shall pass!
Crises make it obvious who are the pretenders and who have the right stuff. With an understanding that crises hit most organizations at one point or another and a little advance preparation in thought and deed, you might just prove to have the right stuff on the day you are needed.

Crisis Management in Business

cri•sis (krī'sĭs) n., pl.

1. a. A crucial or decisive point or situation; a turning point.
b. An unstable condition, as in political, social, or economic affairs, involving an impending abrupt or decisive change.
2. A sudden change in the course of a disease or fever, toward either improvement or deterioration.
3. An emotionally stressful event or traumatic change in a person's life.
4. A point in a story or drama when a conflict reaches its highest tension and must be resolved.
[Middle English, from Latin, judgment, from Greek krisis, from krīnein, to separate, judge.]

The definitions above clarify and point to the solutions or opportunities within the crisis circumstance. In the final analysis, how a crisis is handled is how you and your company will be defined, separated from the pack and judged. If it’s a crisis: deal with it!

The Crisis
On Valentines Day 2007 Jet Blue, a company that was known for stellar customer service blew it. They really blew it. When a snow storm hit the East Coast of the United States they were forced to cancel 1,096 flights the result of which was that thousands of passengers and flight crews were stranded. In the first twelve hours JetBlue demonstrated that it had no contingency plan for such an event. People were stranded for up to nine hours on planes with nothing to do. Passengers were literally left out in the cold for hours on end without food, proper rest room facilities or basic necessities. People were not happy and with today’s technology they vented that displeasure onto the world wide web and in the media. Pictures from cell phones and blogs from stranded passengers became immediately available for anyone who wanted to commiserate. This blunder could have ushered in the end of JetBlue. This paper discusses how JetBlue failed its customers and how it redeemed itself. It also considers the methods for crisis management and how JetBlue could have done even better.

A Valentine’s Day Card (A report Card)

On the basis of the Service Quality model (Parasuraman et al. 1985), JetBlue has been rated for the purposes of this paper on the five service quality determinants as demonstrated in the first hours of the snow storm crisis.
1. Reliability: The company did not have the ability to perform the promised service dependably. Grade: failed
2. Responsiveness: The company appeared to have no willingness to provide help or prompt service in the early stage of the crisis. Grade: Failed
3. Assurance: Without a contingency plan the front line employees had no knowledge to share with their passengers and they lost the trust and confidence of the passengers. Grade: Failed
4. Empathy: While individual crew had and attempted to demonstrate great empathy, leaving passengers without information and without alternatives was perceived as indifference. Grade: Failed
5. Tangibles: Insufficient appropriate physical facilities, equipment, personnel and communication materials left passengers improperly tended. Grade: Failed

The White Knight Appears

One might argue that the situation was beyond JetBlue’s control. After all no one can control the weather. However, David Neeleman never took that approach publicly. Just when most CEOs would have been hunkering down behind closed doors or blaming others, Neeleman stepped up to the plate and said and did something surprising and very wise. He took responsibility. He took action quickly and in a highly visible manner. He calmed the storm of controversy by doing something profound. He communicated heart felt apologies on every major media. He diffused the situation with the basic human skill of clearly communicating that he ‘got it’, that he was sorry and that he would make it right. David Neeleman wrote a public letter of apology to Jet Blue customers. The letter was in response to what Neeleman refers to as the worst operational week in Jet Blue's history. It starts ' We are sorry and embarrassed. But most of all, we are deeply sorry.' The letter's last paragraph starts 'You deserved better — a lot better — and we let you down . Nothing is more important than regaining your trust... ' The letter is short, direct and sincerely remorseful. (2)

He promised to make it right. His actions would make it right not just for this time but by introducing a customer’s bill of rights he made it clear that his intent was to make it right for all customers in the future as well. He made it concrete too. He announced a detailed list of how the company would treat passengers in troubling situations including the monetary compensation for delayed flights that escalated with the length of the delay. Neeleman chose the right path to diffuse anger and mend relationships.

IN the next blog, I'll outline the steps to effective crisis management

Thursday, March 18, 2010

Hacker Series (Part 4)

Hacker Series (Part 4)

Every new innovation in networking speed and usability comes with an equivalent increase in risk, so companies must keep up with the onslaught of threats present throughout the web. The companies keep up by implementing a patch, or "quick fix" to the programming threat that exposes the Internet security of the company. Over the last 30 years there has been a rise in the use of firewalls, antivirus software, and spam filters as IT managers fight to protect the technology but it is a battle with a new front daily. This makes it critical for IT managers to be continually educated about the advances in threat and defense through journals, magazines and conferences.

A recent article in Business Wire Magazine (2009) indicated another threat to business. Hackers are able to steal contact lists and classified documents from smart phones like Blackberries. These phones have enhanced features, allow peers to communicate, allow Web browsing and have multiple voice and data interfaces. The article went on to say that the variety of interfaces make exploitation easier. For example: “Short Message Service (SMS) feature, available on just about any smartphone device, gives hackers a way to: Inject viruses ,steal user data, e-mails, contacts and data files, clone devices and create DOS attacks “. New software is being developed by a variety of companies to help the IT managers deal with this new arena of threat.

The additional requirement of security on the Web has created a number of regulations that companies must put into practice such as the Sarbanes-Oxley Act, but there are several additional regulations that exist to promote security over the web. For example, the Health Insurance Portability and Accountability Act (HIPAA) were enacted in 1996 in part to protect healthcare information on the web. Section 501 of the Gramm-Leach-Bliley Act (GLBA) requires financial services firms to implement and enforce a written "information security program" to protect non-public customer data. Sarbanes-Oxley (SOX) requires that companies implement an internal control framework which includes implementing appropriate information technology tools and processes to ensure internal control (McNamara, 2005).

IT managers must lobby companies to set aside more money and resources to implement controls in order to comply with these regulations, or their employees could be legally responsible for fines or imprisonment. Legislation and regulations governing HIPAA, and SOX include criminal penalties: up to 10 years in prison with HIPAA for "obtaining or disclosing protected health information", and 10 to 20 years with SOX for "destruction, alteration or falsification of records" (McNamara, 2005). The IT manager would certainly be in line for any discipline if these regulations were not complied with so they have the right and responsibility to be informed.

Wednesday, March 17, 2010

Hacker Series (Part 3)

The shift toward doing more over the Web, a practice known as "cloud computing", means that mistakes employees make in their private lives can do serious damage to their employers, because a single e-mail account can tie the two worlds together. Stealing the password for an individual’s Gmail account, for example, not only gives the hacker access to that persons personal e-mail, but also to any other Google applications they might use for work, like those used to create spreadsheets or presentations.

Email systems are a serious source of ingress for hackers. False e-mails in the name of a legitimate company or institution are sent to acquire sensitive personal information, such as usernames, passwords, and credit card numbers and often come to company email addresses. Phishing is cost effective for hackers and sometimes yields results that damage more than just the individual. An IT manager should block any emails from a questionable source and educate their users to delete any spam that makes it through the filters. It has been reported that 89.7 percent of all business email is spam. Trojans can be used to assume control over the infected PC and can cause damage such as a Key Logging application. Key Logging refers to the process of capturing and recording user keyboard strokes to obtain passwords or other encryption keys. Given the sheer volume of employees in large corporations, even one or two password or encryption captures could bring about great damage and loss.

The biggest threat to databases is Web applications according to experts and the business logic vulnerabilities within them.

“Close ties with Web applications can make databases vulnerable to SQL injection attacks, whereby attackers input strings of SQL code into weak Web applications fields. They can then raid the database linked to a specific Web application, and also use the link between the Web application and the database to launch more expansive attacks on entire database servers. According to IBM's ISS X-Force security research unit, SQL injection flaws last year were the Internet's most commonly exploited Web application vulnerability, growing by 134% over 2007” (Chichiwski, 2009)

In reality a large percentage of the security threats potentially go after the database. According to a Verizon report, database breaches accounted for 75% of all records reported breached. Many database security vulnerabilities are caused by simple lapses in security. In a 2008 poll, the Independent Oracle Users Group found that 26% of organizations take more than six months to install security patches on Oracle databases; 11% have never patched them.. Companies often make mistakes that leave databases vulnerable, such as leaving test databases on production servers or linking sensitive data to easily hacked Web-facing applications.

Tuesday, March 16, 2010

Hacker Series (part 2)

A final but perhaps unworkable solution to many problems is to ban the use of social networking sites from a company computer. IT security and data protection firm Sophos has published new research into the first six months of cybercrime in 2009. They reported existing and emerging security trends and identified that criminals have increased the focus of attacks on social networking sites. Several major recent attacks have been made because of information that was taken from an individual’s social networking site like Facebook or Twitter. IT teams are worried that employees share too much personal information via social networking sites even on their personal computers, putting their corporate infrastructure - and the sensitive data - at risk. The findings also indicate that a quarter of organizations have been exposed to spam, phishing or malware attacks via sites such as Twitter, Facebook, LinkedIn and MySpace. Internet security is a critical factor in an organization's performance, impacting everything from business continuity to cost management. The challenges with Internet security and privacy include hackers, worms, Spyware, firewalls, spam filters, object request brokers, authentication of users, encryption of data, security architecture, limits on protection from threats, and government regulations.

The Internet allows a company to potentially expand its customer base to any Internet enabled area of the world, but outside threats such as worms and viruses could potentially corrupt the data being transmitted to customers. Also, employees are able to conduct business from anywhere in the world, but unauthorized users can "hack" into confidential company data being transmitted over the web to or from the employee. When a corporation begins exchanging any type of business transaction over the Internet, the Internet becomes part of the "corporate computer network". Access is now available not only to the customers or employees, but potentially to anyone else on the Internet, so the scope of concern for security expands significantly (Bunton, 2005). The techniques used by the attackers highlight the dangers of a broader trend toward storing more data online, instead of on computers under your control.

Saturday, March 13, 2010

Hacker Series Part One


“Cyber attacks pose the greatest threat to the United States after nuclear war and weapons of mass destruction -- and are increasingly hard to prevent” said Shawn Henry, assistant director of the FBI's cyber division. Of the six billion dollars that Microsoft spends annually on research and development, approximately one-third, or two billion dollars, is directly spent on security efforts (Talbot, 2005). IT managers are on the front line of a guerilla war when it comes to protecting computer technology from hackers. It is a continual game of one-upsmanship as one vulnerability closes another seems to appear. There are, however, a number of basic things that an IT manager can do to protect her company and it all starts with vigilance.

McNurlin et al 2006 indicate that security has five pillars. They are: authentication, identification, privacy, integrity and non-repudiation. Authentication means verifying someone’s authenticity: They do this by supplying information such as a password, answer to a question or the number from a digital token. It can also be done using biometrics. Current best practice suggests using two of the three methods, which is called two-factor authentication. For example, in order to get into my company computer I must enter passwords and the number from a token. However, that only gets me to a certain point. I must be identified to go into various areas of the company system. I am not authorized to go into certain areas and a notification will appear on my screen if I attempt to access them. Data privacy and integrity also have to be preserved. Not all data is for all eyes. Some is read-only format so that it may not be changed. Data is also encrypted when sent so that it cannot be intercepted and read from the Internet. The final method is non-repudiation which means that the actual sender and the actual receiver are authenticated and that fact is not deniable. All of this security has no purpose if it is not used and thus it must begin with the user.

Internal users should be included in the defense of the company through timely and repeated education. Everyone who has access to company computer systems should be taught and reminded that they are very important to the security and well-being of the company. While every company should have the very latest protection software and its current update, users should be reminded to update it frequently or better yet, it should be automatically updated. Taking human memory out of the equation as much as possible is wise. In addition “cookies” should be cleared frequently.

Users should be instructed on how to choose strong passwords. IT managers need to remind people to change their passwords frequently. It is natural and comfortable to choose a password that is easy to remember. That normally includes dates of important events in the individual’s life or other obvious words. Unfortunately, strong passwords are ones that have no mnemonic significance. Passwords that are strong are often hard to remember so the temptation is then to write them down somewhere where someone else might find them. Even then, when the user takes these precautions, hackers can use brute force for uncovering passwords if all else fails. Users need to be warned not to answer a phone call from anyone who says that they are from IT and that they need their password to perform maintenance. More and more biometric entry to computerized systems appears to be the way to go.

Friday, March 12, 2010

Problog to a Series of Postings on Hackers

Problog (Prologue) to the Hacker Series

In future blogs I will discuss the ongoing challenges that a vigilant IT manager must face to keep a company system safe and one blog will be on the psychoological profle of hackers. The five pillars of security are: authentication, identification, privacy, integrity and non-repudiation. The IT manager must educate the users as to their important role in keeping a system safe. While an IT manager should implement a two-factor authentication process, users must choose strong passwords, avoid social networking sites, exercise special care with email, never forwarding spam or opening messages from unknown senders and regularly update their anti-virus software. These policies must be clear and reiterated often by IT staff. IT managers must also ensure that databases are kept secure through prompt patching, The blog will also mention government regulations that have sought to keep Internet data safe yet have added stress to the IT role. It also mentioned the surprising security that a flash drive can offer and the surprising threat of a humble laser. Finally, it is recommended that IT managers be allowed time to keep up to date by education, reading, seminars, and conferences such as the Black Hat events. Overall, the job of security is a never ending battle of wits in which vigilance and persistence must be practiced.