From Managing Outcomes, Vol 13, No. 19, October 02, 2022
It’s not often we get to see a corporate crisis spiral out of control as quickly as happened when hackers struck Australia’s second-largest telecommunications operator.
Optus will almost certainly have paid expensive consultants to help them develop a crisis plan, along with rehearsals and simulations and media training. And the plan was likely not much different than what is in place for Telstra or TPG or a host of other companies. So why didn’t it work? And was there a Plan B to meet rapidly changing events?
While the Optus crisis is still evolving, there are already some important lessons, especially for other companies.
Media preparedness based on individual capability, not job titles. In any crisis the spokesperson must speak with confidence, even without having the full facts. Yet the Optus CEO was evidently uncomfortable dealing with the media, as was the Director of Communications sent out to speak on radio. Where was the personnel fallback plan?
Don’t play the victim. Rehearse planned crisis responses . . . but playing the victim should not be one. The CEO said“we are not the villains” but forgot, it’s not about you. It’s easy to assume a bunker mentality, but there are literally millions of people here who are in no doubt about who are the real victims. The plan should focus on your customers, not just on the crisis.
Plan to get the basic strategies right. Offering credit monitoring is now standard practice in large-scale data breaches where customer financial data is exposed, and that step should have been in the plan. Why did it take so long? Such protection was offeredonly after four days, only after the Minister demanded it, and only for “the most affected customers”. That distinction might make sense to Optus, but not to millions who fear for their personal cyber-security.
Get all the bad news out at once. The full impact of a crisis is seldom known at the start, but plan to avoid drip-feeding information which further corrodes public and political confidence. For example, it was a full week before Optus revealed almost 37,000 current and expired Medicare card numbers had been compromised.
Where there’s a crisis there’s a politician. There’s no crisis politicians won’t try to turn to their advantage – either to take control or blame the “other side” and they are a vital stakeholder in any crisis plan. The speed at which politicians entered the Optus debacle, and the speed at which a newly-minted government began promising new legislation was remarkable, though probably predictable. Has every other corporate crisis management plan been updated to reflect the change of government?
Every crisis provides an opportunity . . . for other companies. With cyber-security in the headlines, Australia Post, CBA, Binance and other organisations were quick to assure customers their online data is secure. But how many have already simulated how they would have dealt with a similar Optus-scale data breach?
The Optus crisis will surely trigger a flood of investigations and litigation, picking over everything the company did and didn’t do. In the meantime there are two immediate necessities for every company.
First, make sure you fully understand your corporate governance responsibilities with regard to data you hold. In May, for the first time in Australia, the Securities & Investments Commission successfully prosecuted a company for a data breach as a result of failure to manage its cybersecurity risks.
Second, develop and rehearse a robust crisis management plan, not just a consultant cookie-cutter, but a dynamic and flexible plan which provides for every specific scenario, for everything going wrong, and has been brutally tested by probing for any possible weakness.
It’s not enough to have a plan. It has to work when disaster strikes.
Managing Outcomes is published by Tony Jaques, Director of Issue Outcomes Pty Ltd, for people who work in issue and crisis management
