James Crawford

Tech PR: Safeguarding Reputation in the Era of Cyberattacks


Recommended reading within Chinese intelligence circles this month: sensitive U.S. military data, courtesy of an American-made password-protected security system meant to safeguard vital national secrets, but which instead proved a little too easy to hack.

Such is the worst-case scenario that likely played out following recent network breaches at major defense contractors Lockheed Martin, L3 Communications and Northrop Grumman. While the U.S. Department of Defense denies that vital military secrets were compromised, all doubt might have been eliminated had the security system’s manufacturer followed a proper crisis PR strategy when the first hint of a problem came to light — more than two months ago.

The culprit in this unfortunate incident is EMC’s RSA Division, maker of the SecurID token used by all three contractors to secure remote computer access. The problem originated in mid-March with a successful spear phishing attack on a single RSA employee, enabling hackers to duplicate tokens, paving the way to the nation’s latest hack-fest. Who did the hacking is anybody’s guess, but given China’s recent history with Google, the signs point to Beijing.

The remarkable — and arguably inexcusable — aspect of this drama is the way that RSA low-balled the problem from the outset. Rather than issue an announcement or media alert or otherwise provide adequate public warning of the imminent danger, RSA became the latest of several high-profile tech organizations this year to make the mistake of using social media as a substitute for traditional crisis PR. RSA responded to its crisis by posting a blog. On Friday, April Fools’ Day, no less.

Alert trade media such as InformationWeek and eWeek quickly spotted the blog post and had coverage up the following Monday. And no doubt, RSA notified all its customers. However, the fact that no public siren went off at multi-decibel levels meant that neither RSA nor its customers, whose networks are charged with guarding some of the nation’s most sensitive secrets, faced national media pressure to take strong preventive measures.

The weeks passed. RSA appeared to have contained its embarrassing problem. Behind the scenes, however, hackers quietly did their thing, culminating in successful penetration of defense contractor networks beginning in mid-May.

Upshot? First and foremost is the damage to national security. We’ll probably never learn the full extent. Second, trust in EMC’s RSA Division has likely suffered irreparable damage that will be impossible to “patch.” Defense contractors took a reputation hit, too, particularly since they might have foreseen greater problems on the horizon following the initial red flags in March.

Lessons:

  1. Be Prepared. Training employees on how to recognize and foil spear phishing is a good investment for all companies, not just defense contractors. Lives may not be at stake over loss of the average company’s confidential info — but competitive secrets may be.
  2. Don’t Go Cheap on Security. Incredibly, nearly a decade after the tragedy of 9/11, many enterprises still balk at biometric security measures because they’re more costly than password-protected systems. Sooner or later companies are going to get wise to measures such as voice authentication which are nearly as reliable for proving ID as the fingerprint. Trade Harbor is a good place to start [full disclosure -- they're not a client, thus there's no conflict of interest here].
  3. Have a Crisis PR Plan. More on how to get started here. Remember that the most important “must do” of crisis PR is to be up front with and available to press immediately. Communicate directly and personally, and use social media as a supplement to PR, not its replacement. Above all, do not avoid, ignore or downplay the problem as RSA tried to do. When you stick your head in the sand, you’re begging for a kick in another part of your anatomy.
  4. It’s Not Paranoia if They’re Really Out to Get You. Everyone’s vulnerable to cyberattacks. The “other guy” that bad things only happen to could turn out to be you some day.

FOOTNOTE: Go there at your risk. In reviewing Chinese graphics for this post, Jim got some uninvited company on his PC — 3 Trojans and other assorted malware. Given today’s topic, he nearly fell out of his chair laughing. No damage done: For a great firewall of China, try Norton Security.


Republished with author's permission from original post by James Crawford.

James Crawford

With 25 years of experience in the telecommunications and software industries, Jim is the lead “creative” directing Crawford’s specialized practice in telecom and tech PR. His expertise in promoting front and back office systems has helped companies including American Management Systems (AMS), Convergys, Cramer and Geneva Technology win market leadership in their sectors.
