Category Archives: Crisis Communication

American corporate espionage preparedness is unprepared

American corporate espionage preparedness, in a random sample and via anecdotes, is in bad shape. We are not prepared.

the-company-man

The video is 30 minutes but worth it for training your team. Now a question.

What is the technical difference between a Speaker (thump thump) and a Microphone (can you hear me now?)?

NOTHING. There is no difference between a speaker, headphones or microphones. No. Difference. At. All. None.

Significance:

Plug your headset into the microphone jack on the stereo and poof – you have a mic.

Why do you care? Because if your employees are relaxing after work at the local vegan cafe, just unwinding, spending 20 minutes at the salad bar, nearby people hypothetically might get bored. “Hackers aren’t vegans” you say, “so it can’t happen here.”

Mics vs speakers – the answer is anyone can just put their iPhone down with the headphones in and record away. Especially if the marks are “extremely loud bar talkers” as these two were.

Identity? Well gosh, they left their credit card receipt detail side up so I could helpfully straighten their table and take a quick photo of their info on the way to the restroom.

How does this impact you? Well these two gentlemen next to me are clearly in town for a conference. Still wearing lanyards with Fortune 500 company logos? Accents. Of course, we’re either the first or second most diverse city in the USA.

Again, it’s Houston – we know what’s going on. Houston is all about the back channel. And once you’re dialed in? Well it’s kinda like the matrix. Seriously – why else would millions of people live in a paved over swamp with the moniker “The Bayou City”?

Back to the situation at hand. These fools spouting corporate secrets next to me because I have headphones on and my audio turned off.

I’m white hat so no, I did not record anything and will not inform their companies nor will I inform them. No I did not take a detailed photo of their receipt although it sits just to my right at the moment as it has for 10 minutes.

Honestly I have other battles to fight. And so do you. Yet make no mistake – if they had revealed some anti-American activity I would have arranged for them to meet up with some of my friends who love America as much as me and my friends know how to handle such matters delicately.

This blog post is simply an anecdote, a story that is true, of knuckle-heads who weren’t thinking before they spoke.

As for companies that employ people, what are our options? First the obvious – we can try to hire for common sense. Then you can train and test – I do drills to test our team.

Big picture? What will work best? Dunno. I do know ignoring the issue of human hacking/social engineering isn’t the solution.

To repeat, we know humans are the weak link because I’ve tested it with my own company and as a paid approved pentester at the request of some of our clients. I’ve unfortunately been 100% successful in finding security holes in my pre-approved and client authorized tests.

Even when the employees KNEW ahead of time that someone was testing the systems, I’ve yet to fail to find an opening, and honestly I’m not that good at the whole pentesting thing … like I don’t have the best tools or an infinite budget or even a good lock pick set with a proper bump key.

In other words – I’m amateur at best and only to protect my own clients.

But sheesh, a little reality training would go a long way with folks like this. The humans are almost always the weak point. I was in one restaurant and they said “ya, the Internet has been spotty for days.” I said “well maybe I can help. Would you mind taking photos of the front, back, connections and the serial number on your router and I might be able to fix it.”

I still have the photos on an encrypted drive somewhere. My point is I didn’t misrepresent myself as a Comcast employee or whatever. I just said I was a customer and that I might be able to help.

Back to our main storyline. It is YOU, the management team and every employee who is handling YOUR company’s data. It should take more than sitting down next to two guys drinking IPAs for me to even have the opportunity to gather that type of intel.

And the router example where the waiter literally texted me all of the technical specs of the router? OMG, no excuse.

In the various circumstances I fixed their internet, got their credit card processing systems working again, reset passwords with upper management’s permission. I did what I would do with my own family’s business. 

What did happen is that even with permission and weeks of advance notice, zero clients or friends have had any network my team has tested properly secured. It was not barriers already installed that blocked us. On the rare occasion we were too impatient to power through something (which we can do), it was laziness, we simply were tired and wanted to go home. So we’d just ask a manager and say it was part of the test. Seriously.

Grok that. Leaders at a company who were specifically told who we were, that we were there to test network security, that it was serious and they were to block us in every way possible. Those managers would give us the keys to the kingdom if I asked the right way. (The “right way” is vague on purpose. I’ll do another post on that one later.)

Perhaps the scariest part is that I personally was never impeded by even the most basic security training for these employees or their own intellectual “well duh I shouldn’t do that” factor. In every instance if I hit a roadblock they helped me bypass any remaining obstacles.

  1. Train. Train. Train your people.
  2. Know, don’t expect but know they will get in. So shrink the attack vectors and restore from a known clean backup regularly.
  3. Try not to get anyone fired. The business owner would have been just as clueless.

—————–

PS – for the curious, the fastest network break in I’ve ever done? 5 minutes. The owner asked us to test his network security. I agreed and we agreed on a price (remember this guy didn’t know me from Adam). Then I said “of course we’ll need your login to monitor how the red team is doing.” He then just blurted out his username/password for the network and for his email. And assured us it wouldn’t be a problem with anything else because he always “used the same password.” Gosh. We printed nice reports and pounded sand for a few days, but it was the fastest… whatever you want to call it.

PPS – I bet if you owned stock in that corporation and liked the CEO you’d call it a hack. Similarly if a black hat, you’d call it like it was.

H4CK3D: Why my web site? What now?

Your web site will be hacked. It is inevitable. It’s not a technology problem, it’s a people problem. Wetware is the weakest link and it is us.

Motivations and mitigations when your site gets owned, because there is no true prevention. And if the OPM, Chase, Target, Ashley Madison and many more have fallen, then you will too. It is no longer sufficient to consider perimeter defenses. Your only consideration is to understand why you were attacked and how to limit, but not prevent, damages.

Questions to consider for SXSW Panel, or no panel, as regardless this is a topic worthy of discussion.

Q1
Why did someone bother to hack my site in particular?

Q2
Is this a vendetta?

Q3
How can I prevent this in the future? (hint: you can’t, but let’s talk)

Egypt Social Media Activity Unexpectedly Small

I have been digging into the background story on the 2011 revolution in Egypt. Follow that last link for a good recap of how the police beating of Khaled Said created a maelstrom that has turned into massive protests and labor strikes in Egypt. A man named Wael Ghonim has emerged as a symbol of the revolution in Egypt after his CNN interview, given as a rebuttal after Omar Suleiman, the General now promoted to a VP, did an interview with ABC News.

Regarding the politics of Mubarak’s autocracy, I think we can agree on some fundamentals:

  1. The killing of Khaled Said was unjustified and horrible.
  2. The government response to these allegations in Egypt was insufficient.
  3. The protests are right to object to 30 years of “Emergency Rule”.
  4. Mubarak should step down immediately.
  5. The US historical support for Mubarak, while unlike the situation with the Shah in Iran, will likely not win us many friends in post-Mubarak Egypt.
  6. Social media has played a key role in the protests as evidenced by the Internet blackout implemented by the government.

Wait. I’m not so sure about number 6. The role of social media is unclear.

Working in social media I was curious and looked up the facebook group and the twitter accounts. What struck me was that for a country with a population of 77 Million, the page and the twitter account have relatively few followers. Right now Wael Ghonim on twitter has 46,035 followers

and the Khalid Said page on Facebook has 61,687 fans.

Both of those numbers seem small to me given the scope of the protests. My first thought was “you must be looking at the wrong page. Surely there is an Arabic page that is the real FB connector.” I emailed a politically active Egyptian friend (Fayza!) and her response was:

I think that’s probably as good as you’re going to get. It’s a very active page, so my guess is that it’s the best resource for his supporters that Facebook has to offer. Lots of Egyptians speak fluent English because of the prevalence of tourism. It doesn’t surprise me that the primary FB presence is in English at all.

Perhaps Gladwell is right that the Revolution will not be tweeted. When Gladwell in his post talks about networks he says:

The drawbacks of networks scarcely matter if the network isn’t interested in systemic change—if it just wants to frighten or humiliate or make a splash—or if it doesn’t need to think strategically. But if you’re taking on a powerful and organized establishment you have to be a hierarchy.

So either social media isn’t the huge driver for change, or it is a very small subset of the population communicating through social media that is facilitating the action. But you certainly can’t say that hundreds of thousands are responding to direct tweets with a central call to action.

So to me the role of social media in the revolution is still a conundrum. And as I type this, it looks like the rumors of him stepping down tonight on 2/10/2011 were false.

More to follow….

students were four times as likely

Social networks were apparently a more significant means of transmission than seating arrangements. Students were four times as likely to play with children of the same sex as with those of the opposite sex, and following this pattern, boys were more likely to catch the flu from other boys, and girls from other girls.

and

“Our social networks shape disease spread,” said Simon Cauchemez, the lead author. “And we can quantify the role of social networks.”

(source and the full report is here.)

PR 2.0 New Media Communications Model

New Media Communications Model from PR 2.0. An evolved version of Lasswell’s model per the book:

Who
Says what
In which channel
To whom
To what effect
Then who
Hears what
Who shares what
With what intent
To what effect

Explained in greater detail in PR 2.0, Solis, Breakenridge. pg 190. This is mostly a note to myself as I wonder about how to measure such things in the Personal Brand Era.

Technology and Crisis Communication Panel at SXSW. Vote?

SHORT VERSION:

Please vote for my panel at SXSW DON’T PANIC – The Geek’s Guide to the Next Big Crisis

LONG VERSION:

A little more than four years ago I wrote my first blog post. It was about the need for a form of Emergency RSS. We can share celebrity gossip headlines through feed readers faster than we could use technology to respond to a crisis. And this was an important point as I started blogging in 2005 right after and in response to a need to share after Hurricane Katrina. Crisis response and crisis communication has always been a passion of mine, and seeing our government’s mostly failed response in New Orleans compelled me to start blogging and contributing where I could.

Running the company I chose to stay in town during the Hurricane Rita evacuation. While Rita did not hit Houston, instead crushing the gulf coast near Beaumont with little news coverage in the wake of Katrina, we did learn from the Rita evacuation. We used a wiki page on Tendenci (our software) to track down all employees. Employees on the road, which for some of them was 10 to 20 hours during the evacuation, would text their managers, who then updated the wiki to account for everyone. We quickly knew everyone was OK.

Then last year we prepared for Hurricane Ike which went over our town. When the storm hit the ONLY thing that worked was SMS messaging. No power, no water, no data, no TV. Just radio and text messaging. Luckily we had set up a product called Yammer, which is like Twitter for your company (and they have a business model) and we were able to keep in touch. Data services, which is what your cell phone depends on to get to web pages, went down. Voice went down. The only thing that allowed us to keep in touch with all of our employees and their families was text messaging sent directly and through Yammer.

We learned a lot about the role of tech in a crisis combined with human behavior. Example – an employee’s cell phone would die. They would use someone else’s cell to text a message to their manager saying “we are OK and staying near College Station”. Except that is ALL they would say. We didn’t recognize the number and had no idea WHO sent it! The solution was to train all of our people to put their NAMES at the end of each text message. Seems like a small thing. It is. But it makes it possible to do a head count!

Since 2005 our firm now does the web site for the Houston Red Cross and Reliant Park, both of which are key for Houston Emergency Response planning. We have the privilege of working with Firestorm Crisis Communications and Preparedness and long time clients like crisis communicator Dan Keeney. I have attended Netsquared Houston meetings when David Geilhufe taught us about People Finder Information Format. And I work with people like Jonti and Katie who have helped all of us set up our ICE cards for our families.

Now I need your help. I’d like to continue the dialog on Social Media and Emergency Response. What IS the role of twitter beyond updates? What are the alternatives for Yammer? Is there a cost effective solution for businesses and families? We have come a long way, so let’s talk about it.

PLEASE VOTE AND COMMENT on this SXSW Panel I hope to moderate. Without your vote and your comments the panel might not make. And I believe in this topic too much to see that happen. Spare a minute? Please VOTE!

DON’T PANIC – The Geek’s Guide to the Next Big Crisis

Are you and the people you care about prepared? Our panelists will share their crisis stories and tell you how to be ready, both online and offline. PFIF, Yammer, Facebook and iPhones – the technology and strategy is there and getting better, so let’s take it to the next level.

  1. How does emergency response and communication relate to the Web? Do developers and small business owners really need to care about Crisis Communication?
  2. How can our emergency teams (fire, ambulance, police, etc.) benefit from standardized data sharing? What can I do about it?
  3. What does the rise of Mobile Web mean for the next natural disaster or other catastrophe?
  4. What tools (Web, mobile and otherwise) are out there right now that my family, friends and company should be using now?
  5. As a geek, what are 5 things you should do TODAY to keep your family safe and your business running when disaster strikes?
  6. If practice makes perfect, what kind of drills and regular training should your business be doing right now that won’t break the bank or kill your billable hours?
  7. What are some of the technical lessons we learned from Hurricane Katrina?
  8. Tech and communication stories and lessons from Virginia Tech, Hurricane Ike and beyond…
  9. What is a crisis to you and how do you strategically and technologically deal with it internally and for the rest of the world to see?
  10. How can you best identify your strongest and most reliable communicators and rock stars during times of crisis? How do you deal with employees that book it and vendors that disappear?

Why am I doing this?

Well, it isn’t for business as I have no financial ties to yammer or twitter or any other messaging services. Tendenci is a content management system that powers associations and sites like the Houston Red Cross, but they are already customers. And ANY emergency response technology must be open source for maximum adoption long term. I just believe passionately in our need to share information and I think technology can help with crisis communication. Social media sites like Facebook and Twitter bring a lot to the table. If you, like me, are passionate about this, please vote for the panel “DON’T PANIC – The Geek’s Guide to the Next Big Crisis” and I hope to see you in Austin next March!

Chron Post: The roaming chainsaw gangs of Houston

Recent post on the Chron: The roaming chainsaw gangs of Houston.

Hurricanes bring about unexpected responses in us humans. It’s like the first time you see your dog or cat catch a squirrel and they go all primal on it. And you are looking at your little FeFe thinking “WHERE the $#(@ did they learn how to do THAT!?” And of course the answer is instinct.

And the morning after Hurricane Ike went over our house, once we accounted for our loved ones, our instinct was twofold.

  1. Clean up!
  2. Stay put

This makes little sense to me why these desires were so strong, but they were. Arguably a third response was “find a way to make coffee” but coffee is probably more an addiction than an instinct (and YES, you CAN make coffee on a gas grill). I’ll talk about the “stay put” instinct in a future blog post, but for now, let’s talk about that “clean up!” stuff.

So that morning we all wandered out of our houses, the wind from Ike still blowing, and began to assess the damage and clean up our yards. Yup, first response after a hurricane was yard work. Really. Dog instincts are much more interesting if you ask me. In instinct-heaven dogs are throwing squirrels 20 feet up into the air waiting for the bounce while I’m raking the yard. Baroo?

Anyway, there we were cleaning up the yard. Stacking branches by the curb. And cutting up the bigger ones with an axe left over from my Totin’ Chip days. Because I didn’t own a chain saw.

Then from elsewhere in our neighborhood emerged a strange phenomenon. The men who had the forethought to purchase chainsaws, once they finished cutting up their yards, moved to the neighbors’ yards. A small group of three or four would go in and cut up the tree limbs. And another larger group of men and teenagers followed and stacked the wood by the curb. What I observed was they did this for all comers responding to both requests and simply walking to a neighbor’s yard and getting started if they were in town or not! With no money changing hands.

Definitely the first self-organizing philanthropic chainsaw gangs I had ever encountered.

Read complete post here. And of course comments are encouraged on the Chron site!

Mitigated Speech and Business Communication

Recently finishing Outliers, I was really struck by the section on mitigated speech and airplane crashes. Gladwell’s definition of mitigated speech on page 194 is:

Mitigated speech – any attempt to downplay or sugarcoat the meaning of what is being said.

In short, co-pilots may not communicate clearly with captains out of deference. They hint at things instead of speaking directly. Which leads to crashes and death. From page 193 of Malcolm Gladwell’s latest book:

Fischer and Orasanu found that captains overwhelmingly said they would issue a command in that situation: “Turn thirty degrees right.” They were talking to a subordinate. They had no fear of being blunt. The first officers, on the other hand, were talking to their boss, and so they overwhelmingly chose the most mitigated alternative. They hinted.

…a hint is the hardest kind of request to decode and the easiest to refuse.

Gladwell goes on to explain this is more of a problem in cultures that, using Hofstede’s Dimensions, have what is called a higher “Power Distance Index”.

Power distance is concerned with attitudes towards hierarchy, specifically with how much a particular culture values and respects authority. (pg 204)

A culture with a larger power distance index will have more hints. The west, and I’d agree speaking as an American, is “what linguists call a “transmitter orientation” – that is, it is considered the responsibility of the speaker to communicate ideas clearly and unambiguously.” (pg 216)

Working at a small company we have to train people how to write a decent email. The biggest part is helping people understand the burden of communication is ON YOU! Our email help file is linked and the short version is:

  1. Subject Lines – all emails need a well articulated and relevant Subject Line.
  2. Links – ease of use changes behavior. (link it!)
  3. Numbered Lists – organize YOUR information. Bullets are evil.
  4. Short Paragraphs – with rare exceptions
  5. Nickel words – save them for scrabble

Going back to Gladwell, part of the solution for one airline was to switch to speaking English. By using a different language the learned subtleties of their native tongue were reduced, thereby reducing accidents. Intercompany email isn’t anywhere near as dangerous as piloting a jet. But nonetheless in a recession who has time for coworkers burning money with lazy communication skills?

And Gladwell isn’t alone. In the book The Influencer there is a case study on positive deviance for villages that did NOT suffer from Guinea Worm in Africa and Asia. The two “vital behaviors” that prevented the outbreak were:

  1. “In the worm-free village, the women … took a second pot, covered it with their skirts, and poured the water through their skirt into the pot, effectively straining out the problem-causing larvae.” (pg 360)
  2. “The vital recovery behavior, then, was that friends and neighbors had to speak up when the Guinea worm sufferer was unwilling to do so. Only when the community took responsibility for compliance could the entire village protect itself from the failure of a single villager.” (pg 38)

Again we see the second critical issue is speaking up with candor. And basically turning your neighbor in for the good of the community. Communication is so critical airplanes crash and villages live in a painful cycle of disease without people who are willing to speak up.

And the importance of communication is more grave than ever. From The Rise of the Network Society pg 357.

Because culture is mediated and enacted through communication, cultures themselves – that is, our historically produced systems of beliefs and codes – become fundamentally transformed, and will be more so over time, by the new technological system.

Communication matters. And culture is part of that communication. I am unaware of any evidence that supports “hinting”, “deference” and other weak forms of communication as good for anything. Maybe in a medieval court, but it clearly has no place in modern society. Speak up, take care of the people you care about.

Hurricane Ike hits Houston Hard

Hurricane Ike hit Houston this last Friday night. And he was deadly. And very damaging to say the least.

First and foremost my thoughts and prayers are with those in Galveston and south of the city who lost the most. Lives were lost, homes destroyed down to the foundation, businesses closed for good and the corresponding jobs were lost. Families and friends are hurting.

I am typing this on a Tuesday September 16th and power at my house is still out. The office is back online and, if only for Air Conditioning and to charge our cell phones, quite a few folks are already back at work.

The city has a week long 9:00 PM curfew so we are working short days, 9:30 to maybe 4:30 to allow time to get home without most traffic lights. We are talking a lot.

Hotels are full of evacuees and downtown is closed and in bad shape. The Chase tower in particular was transformed into broken glass on the streets.

If you want to help, this one client reached out to us to help spread the word.

If you would like to help out a strong organization in the Houston community, Catholic Charities (a non profit organization client that serves over 100,000 Houstonians) is in need of donations as they are trucking out water, food and supplies to hard-hit Hurricane Ike areas in Texas.

The psychological impact of witnessing 100+ mile an hour winds, having our houses shake, hearing the explosions of transformers at 3:30 in the morning, these things are challenging. People experience grief, but learn to cope and move on.

"There is a common misperception that people are going to fall apart and they are going to have lifelong psychological consequences," said Herrmann. "But the reality is that most people who experience traumatic events are psychologically resilient."

There are so many blog posts and photos that should have been taken. Having no power or Internet at the house somewhat limits my self expression.

What I do know is that Houston and the surrounding areas is one amazing community. That our people are strong down to earth people who look out for each other. What I do know is that Houston, Galveston, Bolivar and our entire community will rebuild. We will get back on our feet. We will be back.

Yammer Default Configuration not Ideal for Crisis Communication

Day 2 of our experiment with Yammer for internal crisis communication with Hurricane Ike coming down on us. This is the default configuration even after you set up your SMS.

The default config will NOT work – SMS is off and after hours pings are off.

Yammer_emerg_config_before

You have to change it to this (below) or it won’t work. For example, Ike is supposed to hit Houston around 1:00 AM tonight. Realistically with our employees out of the office, it is likely too late for me to get everyone to change this setting. Is there even a way to change it via SMS if they only have mobile?

Yammer_emerg_config_after

There needs to be a magic button where the network owner for a Yammer domain can edit settings for the team as a whole in response to a crisis. I realize it is a brand new product, just thinking out loud.

Schipulites test Yammer for Crisis Communication during Hurricane Ike

It’s about 5:33 AM on Sept 12, 2008 as I type this. As a company we have been through numerous hurricane preparation drills. Katrina was a scare, Rita was an evacuation challenge, but this time with Hurricane Ike we are finally going to get hit here in Houston. Not a good thing.

The office is of course closed today. We’ve tweeted about it. Client newsletters sent. Email exchanges with our crisis communication firm Firestorm and our PR firm. Discussions with vendors and critical web sites in case of handling emergencies in Houston. Our employees are all safe and accounted for.

One thing we are doing different this time is we are testing Yammer for crisis communication with the team. It is like twitter, but restricted to just company email addresses. So we can have a more private conversation about how we can stick together during the crisis using text messages, following, and longer than 140 character conversations. And that last part is important, in a crisis I just need to paste in the URL like http://www.chron.com/disp/story.mpl/headline/biz/5995981.html. I do NOT have time to go make a tinyURL during a crisis. Right? Who does?

The hurricane hasn’t hit yet, but I can share some lessons learned on pre-hurricane preparedness and communication.

  1. We already knew this, but it is all about if the FAMILY has an emergency plan. Just make sure people HAVE a plan!
  2. People are available or not depending on where they live. Know this ahead of time. Some people have to evacuate based on their location, which is fine, just insulate the company from them as part of the response team because they will not be available.
  3. Spouses and significant-others are a major factor. And they will talk about the leadership of the company publicly if they feel you aren’t being responsive. Don’t take it personal. Even if they don’t have their facts right.
  4. Parents are a major factor. Especially for Generation Y (Millennials) they get panicked calls from their parents. Like 50 of them. (seriously) So even if they are prepared and level headed, the pressure is pretty strong for them to react without necessarily following the Mayor’s advice.
  5. The local news will always be reckless and sensationalistic.
  6. Emergency binders only work if you have them updated.
  7. IT plays a big part, suddenly everyone says things like "oh ya, my blackberry hasn’t been syncing lately" and this is a REAL problem when everyone goes into the field.
  8. Specs will be crowded. Expect this. Ahhh, humans.
  9. Long lost relatives and friends will call to say "what are you doing? I saw it on the news!" while you are either evacuating or preparing to shelter in place. Luckily yammer provides a semi-private forum to vent about this.

The biggest new technologies we are using for Ike Hurricane Preparation versus Rita/Katrina prep are:

  1. Twitter. Many of us are on twitter and the community is definitely larger than the company alone.
  2. Yammer – we have hopes this will be a valuable employee only crisis communication tool.
  3. MXLogic – disaster recovery for email in case our building loses power (client email is not on site).

Technology that we already depend on that we expect will continue to be critical includes email and text messaging.

Hopefully Ike will chill out and people will stop with the Tina Turner jokes. But if not, we are prepared and I’ll let y’all know how the new technology works as part of a comprehensive crisis response and communication plan. Wish us luck!