Friday, April 29, 2011

Wake Up Call for Water, Gas & Electric Utilities

A wake-up call for public utilities across America and around the world should spur immediate action, but hasn’t.

A survey of 200 IT executives in charge of security at electric, oil, gas and water utilities in 14 countries, including the U.S. found 80-percent had already experienced some form of “denial of service” threats or attacks.

A report of findings, “In the Dark: Crucial Industries Confront Cyber Attacks” was unveiled April 21. It was commissioned by McAfee and prepared by the Center for Strategic and International Studies (CSIS).

About 70-percent of respondents confirmed they had found malware in their systems intended to sabotage their operations.

These utilities “all acknowledged being more worried, but they didn’t say they had done a lot more,” according to Stewart Baker, the lead CSIS researcher.

Almost 80-percent said their utilities had been targeted by at least one significant “denial of service” attack and 85-percent reported at least one network intrusion.

In spite of this alarming news, a third of the utility executives admitted they are not prepared and more than 40-percent conceded they expect an assault on their infrastructure within the next 12-months. The attacks, they say, could cause a loss of service for a day or more and possibly result in loss of life or personal injury.

Another recent study by the Ponemon Institute confirmed that electric, gas and water utility executives were more concerned about system glitches, downtown and regulatory and legal compliance than the safety and security of their operating and delivery systems.

What does this mean to you?

If you are a utility manager, systems manager, communications manager, or customer relations manager , you should be working to prevent the kinds of things the report highlights, AND you should be creating or updating your various functions’ crisis plans – operations, communications, continuity and recovery plans.

Don’t end up standing in front of the cameras with a bewildered look on your face and unable to explain why you can’t deliver safe water, or dependable gas or electric service or even when you will be able to restore service to your service area.

Thursday, April 28, 2011

You’re not gonna believe this! Oh, yes you will!

When Amazon’s EC2 cloud services system crashed a week ago, shutting down service to scores of client companies, it not only inconvenienced many of them for days, but somehow wiped out critical company data for some of them

That’s not the part you’re going to have trouble believing.

Here’s the unbelievable part.

Besides the fact Amazon still hasn’t explained what happened to its supposedly safe and reliable data storage system, it is now telling a few clients some or all of their stored data is gone and in some cases only partly retrievable.

But wait, it gets worse. One of their customers got an impersonal e-mail this week, which began: “Hello,” and explained that while trying to recover one or more of “your Amazon EBS volumes” Amazon was only able to recover an “inconsistent data snapshot.”

The e-mail did say, “We are very sorry, but ultimately our efforts to manually recover your volume was unsuccessful.”

Now here’s the really unbelievable part: “What we were able to recover has been made available via a snapshot….If you have no need for this snapshot, please delete it to avoid incurring storage charges.”

Wait, there is good news, in the last paragraph of this generic e-mail they did add, “We apologize for this volume loss and any impact to your business.” The message was signed “Amazon Web Services, EBS Support.

I know, I know, you didn’t expect much more.

Why didn’t someone personally call the client and apologize and explain what happened and what is lost and offer to help in anyway, rather than remind the client they would be “facing storage charges” if they didn’t delete the junk Amazon saved for them.

Just when I think intelligent and otherwise successful people cannot surprise me anymore, one does.

Wednesday, April 27, 2011

Sony and Amazon, Thanks for the Lessons

Wow! What Were They Thinking?

April 20 Sony shut down access to its PlayStation Network and waited seven days to tell its 77-million customers some of their personal information had been stolen.

In fact, when Sony finally did say something, they conceded they discovered hackers were in their system between April 17 and April 19. They didn’t shut down the system for another day and then waited until April 26 to tell their gamers/customers something had gone wrong and an unauthorized person or persons had got away with their names, full address, e-mail address, date of birth, PlayStation/Qriocity password and log-in information, and handle/PSN online ID.

Sony seemed to reluctantly add it is possible the thief also downloaded your password security answers and purchasing history.

You can imagine the outrage from PlayStation gamers. It’s a little hard to tell whether some of them are more irate because they can’t access the Network and play, or because their personal data has been stolen.

But there is no question about the reason for the outrage from U.S. Sen. Richard Blumenthal. The Connecticut Democrat sent a letter to the head of Sony America demanding an explanation why Sony waited so long to alert their customers about the data theft. Sen. Blumenthal told Sony head Jack Tretton, “…it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised.”

To make matters worse, after public criticism when Sony finally did reveal some details, the company came back with an additional comment claiming they didn’t know personal information had been stolen until just the day before (six days after they shut down the network and 9 days after the attack apparently began.)

How could they not know? Why did they not check that first?

The same week Sony was turning off its phones and ignoring e-mail and tweets, Amazon’s EC2 “Cloud” Web-hosting service crashed and took down scores of on-line operations that depend on Amazon to host their services. Some were only getting back on-line 80-plus hours later.

Amazon had very little to say. In fact, a search of the www.aws.amazon.com/ecs website made no mention of the outage, and continued to display this reassurance on the home page:
“Secure – Amazon EC2 provides numerous mechanisms for securing your compute resources.”

I’m not a “compute” expert, so I don’t know if they have a typo on their home page, or “compute resources” means something special.

Amazon and Sony operate in their own world…for the rest of you…don’t do as they do.

If you have a data loss or meltdown, be prepared to acknowledge it as soon as possible, and at the same time, begin reassuring your customers, partners, employees or whoever may be impacted, that you are working on it.

If you’ve caused them harm, express your regrets, and offer to do what is reasonable to minimize the damage you may have caused.

Some lawyers will likely counsel you to keep your mouth shut and don’t take any responsibility for what happened. There may be rare occasions when that is good advice, but most of the time that advice will cost you more in the long run.

You can anticipate all the things that might go wrong with your data handling and storage systems and have a plan, including a communication plan, in place and ready to activate when the disaster strikes.

Friday, April 22, 2011

When Crisis Planning, Nothing Is Too Far Fetched

Nothing is too far-fetched when it comes to crisis planning.

So often, when we work with clients preparing crisis plans, they think in terms of fires, explosions, natural disasters or work place violence. We encourage them to consider all the “people” kinds of things that can go wrong, also, such as all the forms of harassment and discrimination, unethical behavior, criminal activity and mismanagement.

But there’s one other thing to consider – rarely is a business or organizational crisis just one “thing.”

When crisis planning, or anticipating a crisis drill or table top exercise, think “unrealistic” and you will more likely be “realistic” in your crisis anticipation.

A case in point: Japan.

You don’t have to imagine the complicated series of events, they really happened.

It started with a near record earthquake. Then came the tsunami, followed by massive fires and a nuclear disaster, then snow and miserably cold weather, followed by massive power outages, food, fuel and water shortages, and thousands of missing people.

Does your crisis plan have a section for that kind of crisis? It should.

I often joke with clients that their crisis plans should be like the old Sears Roebuck and Company line of children’s clothes, branded as Geranimals. The idea was that dads never could dress their young children properly, so Sears offered a line of clothes that had pictures of animals on a tag. If dad was to dress his three-year daughter for the day, he would look for a blouse that had a tag with a lion head on it, and a skirt or slacks that had a lion head on it and he was good to go.

Crisis plans and standby statements can be prepared well in advance of anything ever going wrong. Then, when “X” happens you look for those parts of the crisis plan and those pre-approved standby statements that go together, and you are on your way to taking control of even the worst situations.

Tuesday, April 12, 2011

Few Companies Are Crisis Ready: But We Knew That!

A new report out this week confirms that one of the biggest mistakes companies make in a crisis is a failure to communicate and be transparent with employees and other key stakeholders.

The report concludes the failure to communicate in a crisis contributes to a loss of value to the company.

The survey was conducted by the Canadian Investor Relations Institute (CIRI) and Fleishman-Hillard, Inc. in September, October and November of 2010 and included responses from 34 financial analysts and 78 investor relations officers in the United States and Canada.

One of the disappointing conclusion of the survey is that many companies are aware of the potential damage they face to their sales, reputation and share value, but many still do not have a crisis plan, and if they do, they admitted it was very likely outdated.

The report confirmed that half of the respondents from financial services and the health care industry don't use a crisis plan, even if they have one.

Recalling the financial crises that slammed the world since 2008,Tom Enright, CIRI President and CEO concluded, "...companies need to be armed with a plan." Amen! That's what we've been arguing for more than 20-years.

If you don't believe us, then heed Enright's words, "No sector or company is immune to a crisis. Having a crisis communication plan in place is simply prudent."

Thank you, Mr. Enright.

Another short-coming underscored in the report -- Of the few companies that have a crisis communication plan, only 29-percent update it annually.

Another disturbing finding -- More than 50-percent of respondents say they only have a crisis plan for an operational issue such as a fire, storm or perhaps workplace violence. Never mind that two-thirds of all business crises have nothing to do with "sudden events" and almost everything to do with human mistakes.

Another frightening finding -- Less than half of the companies surveyed monitor social media during a crisis.

Friday, April 8, 2011

How Would You Like to Be Head of Corporate Comms at Chase?

How would you like to be the head of corporate communications for JPMorgan Chase & Co.?

Chief Executive Officer Jamie Dimon’s total compensation skyrocketed almost 1,500 percent to $20.8 million in 2010 from $1.3 million a year earlier, based on a U.S. Securities and Exchange Commission compensation formula regulatory filing.

By comparison, real median U.S. household income was just $49,777 in 2009, according to the U.S. Census Bureau and certainly did not jump 1,500 percent in 2010, at least mine didn’t.

With all the negative news about U.S. banks during the past two years, and the hike in bank fees and the precipitous drop in bank interest rates, it will be challenging for the Chase PR folks to justify their boss’ pay, perks and bonuses.

I’m a Chase customer, and my savings account interest rate is almost a negative number, now, and on top of that, I got an e-mail from Chase a few days ago, explaining their vendor, who sends out all of their irritating marketing e-mail, had not encrypted my name and e-mail address, and millions of my co-customers e-mail addresses had been stolen.

The thieves probably sold our addresses to spam merchants who will soon be bombarding our in-boxes with more unwanted junk e-mail – at the best – and just as likely filling our in-boxes with programs that can take over our computers and infect them with viruses.

If you read the story about Dimon’s humongous pay increase, you probably did feel sorry for him, at least for a moment. He changed jobs and moved from Chicago to New York City, and had trouble selling his house in 2010. But don't worry about him, Chase reimbursed him $421,458 for some of his "moving expenses."

Tuesday, April 5, 2011

Watch And Learn From New Google CEO

If you work for a CEO or President or chief administrator that is uncomfortable dealing with the media and/or the public, OR if you are the CEO, President or chief administrator that avoids the media and dealing with your key publics, then pay attention to what happens next at Google.

Larry Page, co-founder of Google, was elevated to the CEO’s job this week.

He took over at a time when the search engine giant is trying to cope with a series of anti-trust investigations, some privacy issues and regulatory challenges. Now he must lead the company through increasingly negative public perceptions and growing media attention.

People who know him say he is a genuine brainiac and the father of many of Google’s most important technical innovations.

They also describe him as “awkward, aloof and dismissive” of people who don’t think the way he does, which apparently includes most of us.

It is also widely accepted that Page does not like to deal with the media.

Rob Frankel, author of “The Revenge of Brand X,” cites Google’s slipping image and says when you link that “with a guy like Larry Page, who may not be the most skilled or motivated person to deal with it, there could be trouble.”

At ICM we consistently preach against the CEO being the on-going spokesperson in a crisis, but Google is not in a crisis. Not yet, anyway. However, it is facing significant challenges, and an enthusiastic and committed CEO needs to be out there talking up the “positives” about his organization.

Robert Enderle of the Enderle Group was quoted in the San Francisco Chronicle saying Page needs to be the public face of Google, “and he doesn’t seem to want that.” Enderle added, “…he has to do that job. Right now, Google has a horrible public image, and he’s got to fix that.”