Crisis strikes: What do you do next?

The corporate Web site is gone and a hacker has made off with the database. The company's reputation is at stake. What crisis management tactics should be employed?

special report Over the past few years there have been countless examples of companies waking up to word that they've been the victim of a security breach or discovering their Web site security is fatally flawed or at risk.

Perhaps customer data has been breached, or perhaps the front page of their Web site has been defaced or perhaps there's been a threatening e-mail from hackers warning their very Web presence is in jeopardy if they don't pay a ransom.

The problems are different but the underlying issue is the same - what the company says and does in the next 24 hours will communicate to customers, the industry and the media exactly what kind of business they are. The clock is ticking and the next 24 hours could make or break their business.

That statement is far from exaggeration.

Special Agent Ed Gibson of the FBI and assistant legal attaché to the US Embassy in London said: "Companies survive on their reputation."

Upon realising there is a crisis afoot companies must instantly address how they are going to deal with it, not just in terms of rectifying the issue from a technical perspective but in terms of who they tell, how they tell them and what the consequences may be.

"Their first thought may be 'what's this going to do to our stock price'," said Gibson but is there anything to be said for brushing hacks and attacks under the carpet?

Martin Langford, the self-styled 'Master of Disaster', has handled more than 350 crises worldwide in all manner of sectors in his role at PR agency Kissman Langford and believes skeletons tend not to remain in the closet for very long.

"I absolutely guarantee there is no such thing as a rumbling crisis within an organisation that will not make it into the outside world," he said.

And if the press get a sniff of a story, don't even think about pulling the 'no comment' stunt.

"If you decide to resort to 'no comment' it will exacerbate the negative coverage of your story," said Langford.

"If you don't communicate, others will," he said, warning that disgruntled employees, customers with an axe to grind or others within the industry will be all too willing to put the boot in.

Instead companies should demonstrate concern, be clear and consistent in their messaging, demonstrate control of the situation and maintain an air of confidence at all times - the breach has happened, that fact cannot be changed but from a customer perspective it is better a crisis in the hands of the confident than a crisis in the hands of the panicked and bewildered.

If the press are digging around or calling for comment don't stall them with waffle. Even if companies are not ready to issue a statement when the phone first rings - because that may even be the first they hear of the problem - they should still send the journalist away with an answer of sorts. Tell them when they can expect comment and guarantee them that their deadline will be met. It may be that openness and that willingness to cooperate that stops a few journalists digging further.

Langford warns such crises will always hit when companies are least expecting it and least well-equipped to deal. But sod's law is perhaps the only given in life - "expect the unexpected," he said.

And brief your PR team properly. It's what you pay them for.

Ciaran Nelson, an account director at Lewis PR, told "There is nothing worse when it comes to handling a crisis than keeping your agency in the dark, because for us it's like going into a boxing match blindfold."

"Admitting there is a problem is two-thirds of the solution," he said. "Alert all parties with a vested interest and all parties who can help you. Be completely open with your in-house team and your PR agency."

In medical terms this is the triage stage. If you want to find the best cure you need to describe all the symptoms in detail.

"We need to know all the facts. For example, if similar incidents have happened in the past then we need to hear it first from the client and not from a journalist," said Nelson.

Depending on the scale of the crisis, companies may also want to similarly brief their legal counsel.

Of course, one of the first actions in the event of any criminal activity should be to inform the police.

Going into your local police station may draw little more than faux-concern and blank faces but fortunately the police do now have dedicated resources for handling such enquiries. But be warned, these resources are critically over-stretched and under-staffed.

The FBI's Gibson warned that nobody benefits in the long run from a conspiracy of silence.

"The CEO may be saying 'we don't want this to go public, we don't want to report this hack, I'll just let it go' but the National Hi-Tech Crime Unit has a confidentiality charter and it really does work," he said, which is reassuring news for any company which believes a call to the police is tantamount to putting a call in to the newsdesk of the BBC.

DC Tony Noble from Surrey Police Computer Crime Unit said: "Any company's priority is to get their company up and running again profitably but often it's only once that's been done that their heads turn to the issue of 'whodunnit?'."

Noble said failure to report incidents in a timely fashion is often a major problem in chasing conviction. "At the end of the day vital evidence will already have been lost," he said.

"Evidence, evidence, evidence," is the priority said Noble. "What occurred at the time of the incident, what happened, what it looked like to the victims and what it cost. You have to save all this evidence."

Companies must start working on the case they will present to the police immediately and should provide some basic details which will aid the investigation and may even help secure a conviction.

Noble said companies should provide a written outline of what has gone on. They can prepare this by committee but must tell the police who put it together and who contributed what information. This outline may constitute part of the plaintiff's written statement and important evidence could be omitted if the details of who provided what is undermined at any time.

Companies should also provide a list of all staff involved and include details of who discovered the problem. The more detail the better.

For his part Noble ensured all enquiries will be discreet but he also said publicity is no longer such a bad thing.

"It sends out a strong message," said Noble. "Pursuing prosecutions shows an organisation will not stand for criminal activity."

Noble also urged companies to find out who their regional high tech crime officer is. During downtime these individuals will be happy to come in and meet companies, to look at their operations and spend time getting to know them.

"Like a fire brigade coming in to have a look around a factory so they know what they are dealing with in the event of a fire, we can come in and have a look around in case the company becomes the victim of a cybercrime."

And targeted attacks are likely to increase. Companies certainly can no longer assume it won't happen to them and must start to understand their level of risk and plan for the worst case scenario - from ensuring technical measures can be put in place to ensuring staff are trained and able to man the recovery effort.

Simon Perry, vice president security strategy at CA, said: "We will increasingly see targeted attacks, from the usual suspects such as disgruntled employees but also from those with a financial motivation."

Among the most common targets of cybercrime last year were online bookmakers who became the victims of extortionists threatening them with distributed denial of services attacks if ransom fees weren't paid. The majority of bookmakers were targeted in this way, with the approach seemingly based more on what they do than any specific knowledge of their systems.

The gangs committing these attacks appear largely to have been based in Eastern Europe and they generally threatened to bring down the companies' Web sites the day before major sporting events such as the Grand National or the FA Cup Final.

It's believed some took the 'brush it under the carpet approach' and paid up, effectively inviting the blackmailers, or others with same M.O. to return another day, but the majority of companies were open about the threats and reported them to the police, ensuring investigations could commence and arrests could be made.

Rorie Devine, director of infrastructure at Betfair, told "Within the online gambling industry, liaison and information sharing with both the National Hi-Tech Crime Unit and commercial rivals has proved very effective in helping mitigate these attacks."

If Langford was right and these things do always have a way of making it into the public domain, it's better a company is seen as proactively combating the issue and handling it confidently at the time than being outed down the line as a company who tried and failed to brush it under the carpet.

The cost of repairing a server or a system is pocket-change compared with the cost of repairing a reputation.

Langford warns: "If you don't handle your reputation in a crisis that will prove to be the most costly thing to put right."'s Will Sturgeon reported from London. For more coverage on, click here.