Of the many well-publicized cyber-attacks that have occurred in the past decade, at least one was noteworthy because it failed to bring a company down. On the morning of Jan. 16, 2012, millions of people awoke to the news that every online shopper dreads: Zappos, a leading retailer of shoes, apparel, and accessories, had been the victim of a cyber-breach that captured information from as many as 24 million customer accounts. Major news outlets, financial websites, and security blogs all published headlines covering the crisis at Zappos, which had been acquired by publicly traded Amazon just three years prior in a deal worth US$1.2 billion.
The online retailer immediately announced the launch of measures to reduce the impact of the crisis. But the most critical factor in surviving the attack didn’t need to be launched. The company had already put preventive measures in place, long before the hack was discovered. For example, it had stored customer passwords and credit card information on a separate server from other customer details, a server that was ultimately found to be uncompromised by the cyber-attack. Zappos also had used hashtag encryption to conceal customer passwords. Had the hackers accessed the relevant server, they would have seen “##########” in place of the actual passwords.
These precautions were considered leading-edge practices for protecting customer information from cyber-attack, but they were most noteworthy for something that had little to do with technology. They were part of a comprehensive crisis response plan that articulated the capabilities that Zappos would need if a cyber-attack — or any other type of business-disrupting crisis — occurred.
For instance, Zappos had developed a protocol for notifying key stakeholders in a crisis. Thus, when the breach was discovered, the company immediately notified internal staff about the issue and the company’s planned response. Then, before news hit the press, Zappos sent an email to all customers with registered accounts, letting them know that it was proactively resetting all their passwords. The message contained an email address for questions or help creating new passwords. By providing this alternative to its call centers, Zappos ensured that far fewer customers would wait anxiously on hold; thus, fewer would develop a negative perception of the company. It also gave the call centers more time to respond to individual messages; it had figured out in advance that customers were more patient with email than with phone calls. Finally, having already given its staff readiness training, Zappos could easily shift people from other functions to surge support for customer service.
All this preparation paid off. Customers and security experts commended Zappos’ communications strategy and transparency throughout the crisis. Three weeks after the breach was announced, Amazon’s share price was higher than before it happened, and though the company was the target of a class action lawsuit from nine states as a result of the breach, Zappos ultimately settled for a mere $106,000.
Zappos’ approach and similar responses we’ve seen from other companies — including those affected by the WannaCry attack — demonstrate a basic principle: You develop the capability to handle a crisis long before you need it. This capability should be broad enough to cover any type of crisis, including an operational disruption, a cyber-breach, a terrorist attack, a major accident, a natural disaster, a crime, a pandemic, a food safety scare, a major labor dispute, a financial meltdown, a product failure, a sexual harassment case, or your company’s ethical scandals coming to light. It also should be focused enough to fit your company’s unique culture, practices, and strategy. Ideally it should help you not only manage crises but avoid some self-inflicted ones. You can’t put this kind of crisis preparation capability in place overnight — you need to develop it as a way of life.
Crises Are Inevitable
The likelihood that your business will be hit by a highly threatening, unexpected event has never been higher. In a PwC survey of 164 chief executives around the world, launched in 2017 and known as the CEO Pulse on Crisis, 65 percent of respondents reported experiencing at least one crisis since 2013; 15 percent had experienced five or more. Forty percent expected to experience a crisis in the coming three years, and an additional 33 percent expected to experience more than one or even many more during that time. According to another PwC survey, conducted in 2015–16 with more than 1,400 global CEOs, two-thirds believe that their businesses face more threats today than three years ago.