Archive for the ‘Data protection’ Category

What I should have said about crisis management at our change communication event (Part 2)

Yesterday I started to follow up a question from last week’s panel discussion about the relationship between organisational change and communication, in particular the idea that internal and external audiences should be given the same information.

In this post I’m going to expand on the idea of information security.

This particular issue came up in the case of an organisation undergoing some changes to its workforce (it’s fair to say that most of the world’s companies probably are at the minute, so timely…). The challenge presented was around the implementation of the change program – if, as per my contention, we’re supposed to tell everyone the same thing at the same time, how can we expect the changes to be implemented with minimal external disruption?

Good question, and having had a week to think about it, the exact answer I keep coming up with is…you can’t. To clarify, I think you should share the same central theme with your stakeholders throughout, contextualised to suit their needs. And broadly speaking you should try to communicate in as timely a fashion with each audience as possible.

That’s not to say tell everyone everything, all at once. Rather, if you have information that’s sensitive to the change program internally, and relevant to external audiences (e.g. customers or suppliers), then try to coordinate the information flow so that the right people get the right message at the right time. I like to think of it as giving people the information they need to do the job they need to do with it. Knowing what that information is…that’s the job of the change manager. Sorry.

This isn’t an issue of trust. It’s one of effective project management, and it’s one of balance. If you’re asking a team to implement something, and there’s a clearly defined process for them to follow, then they need as much information as it will take to achieve the outcome. If, however, you have an outcome but want the team to devise the implementation, then they need different information (and probably more freedom as well).

As Scott McKenzie often says: “Your employees are adults. Treat them like it.” I agree, but adults also get speeding fines, take documents out of buildings when they shouldn’t, email things home that they shouldn’t, have affairs, go to the pub, leave stuff on trains, have the occasional brain explosion…whatever it is, chances are it won’t be all that life-threatening. But if incorrect or incomplete information lands in the wrong hands, or the right hands at the wrong time, then a day-spoiling phone call won’t be far away. Shortly after that is when many organisations go from a well-intentioned change program to a call to our Issues & Crisis Management team (usually about half an hour after news crews have already lobbed on the doorstep).

I think it comes down to being sensible with what you share, when, and with whom. You’ll always have a knowledge gap between the change manager and their team, and the rest of the organisation and its stakeholders. By securing information until such time as the organisation’s ready for it to be released, you’re just helping to streamline the process. It’s a question of balance.

Tomorrow we’ll have a look at the social media ramifications of change programs in Part 3.

Twelve tips of Christmas: #1 Protect your customers

In the lead up to the holiday season we’re rolling out the tried-and-tested “12 days of…” formula for our Hints & Tips posts. As today’s the first of December, it seems like a good time to start, and this story from Australia has provided the inspiration for this morning’s post.

JB Hi-Fi, one of the country’s most popular music and entertainment retailers, was the victim of a server hack. The result: users were reportedly re-directed from the company’s website to Chinese websites loaded with malware (for those non-techies who’ve never been infected, malware is malicious software – it does pretty much what it says on the tin). For this reason we’ve broken with convention and not linked to the site, as we’d hate to be responsible for exacerbating the problem.

In fact, most of the websites mentioned in the article on The Sydney Morning Herald website have experienced malware problems recently, including Whirlpool (a broadband discussion forum), Overclockers Australia (an online community for computer enthusiasts), and OzBargain.com.au (a discount online retailer). Each of these sites is frequented by tech-savvy visitors and in that respect the users are probably lucky in that they’re inherently better prepared for the trauma of a malware attack.

However, here in the UK, online shopping is far more prevalent, and far less the domain of technophiles. Online commerce is easier and more pragmatic – products shipping from Birmingham to London arrive more quickly than they do in Sydney, for example, so the lesson for local retailers is clear. Protect your customers.

The holiday season increases the risk of infection many times over for three key reasons. Firstly, more trades will be conducted, so the law of averages says sooner or later someone’s going to get infected. Secondly, occasional users trade more during holidays, so you have a larger population of inexperienced users throwing themselves into the mix. Thirdly, with more trades, and easier victims, it’s a great time for hackers to test their skills – it’s an opportunity for big, quick gains.

We’re not technical advisors, so in the first instance, check/flag any issues with your server manager. Send them this link (http://www.smh.com.au/technology/security/jb-hifi-website-served-malware-20091201-k2p3.html) if you need to.

From a crisis management perspective, here are five things you can do this week to help improve your chances of successfully managing a malware attack beyond the technical fix (should you be so unlucky):

Familiarise yourself with the Information Commissioner’s Office. As a regulatory authority it’s there to protect consumers, which means it’s in their best interest to help you do exactly the same. It also means that if you don’t manage a crisis well then you should expect a call, and it’s always better to know who you’ll be dealing with. In the first instance a visit to the Data Protection Act guidelines is a good idea as well. Dry reading, but important.

Increase your online monitoring. The great thing about malware attacks is they spike discussion forum traffic, and this can help you spot a potential issue well before it ever hits your system. So get your digital monitoring team or web agency to work enhancing your monitoring for the next few weeks. Suggested search terms to add (there’ll be plenty of others you can look for, including specific program names): retail, hacking, malware, data theft, data loss, server hack. Please post suggested additions in our Comments section.

Understand what your continuity plan is. In the event that you do experience a malware attack (or any other kind of online crisis really), it’s essential to know if and how this part of your business can continue to function. It’s time to buy your server manager that beer you’ve been meaning to.

Plan your communications in advance. Regardless of the nature of the problem, there aren’t really that many ways it can turn out. Among the most common are likely to be: infecting customers with malware, sharing of customer information, loss of customer information, loss of e-commerce functionality, loss of website. While it’s true that the details may be important on the day, you can save yourself a lot of time by planning in advance how your business is going to respond to each of these scenarios.

Put your crisis team on notice. This includes your agency support if you have it (and if not, now’s a really, really good time to get some). It’s holiday season – chances are half your team will be away. Know in advance who their deputies or alternates are, and make sure everyone’s briefed on management and contingency plans before you break up for the holidays. If you’re in a business that closes down between Christmas and the New Year, or runs a skeleton staff, know who’s going to be available to help fix any problems that arise.

As always, if you have any questions about the tips outlined above, or if you need a hand with preparing your organisation to handle a crisis over the holiday season, please get in touch. And happy holidays!