How to (and not to) Manage a Security PR Nightmare
Dave G. | December 27th, 2005 | Filed Under: Disclosure
After reflecting on 2005’s great security PR blunders, I am humbly offering the following advice to organizations that find themselves in such unfortunate circumstances.
*) Have a PR plan. The one thing you don’t want to be doing when dealing with a PR nightmare is strategizing while putting out the fire. Not having a plan makes exactly that more likely. Your one goal should be: make the story end quickly. Don’t have a plan and already in the thick of it? Proceed to the next bullet!
*) Hire a PR firm that specializes in crisis management. They exist. They have been through it before. They have probably helped people who have been in more hot water than you can imagine. Exxon’s negligence killed cute baby animals. You got depantsed by a 20-year-old with a disassembler. I think they can handle it. They can also help with the first bullet.
*) React, don’t overreact. Don’t immediately get litigious on their ass. I understand your righteousness. This isn’t about right or wrong. This is about perception. The perception in this case is that the young security researcher is a whistleblower, or the reincarnation of Paul Revere. And if he is a patriot, guess what that makes you?
For example:
Don’t go to a security conference and start ripping sections out of the materials. Fahrenheit 451, anyone?
I don’t care if your stock symbol is GOOG: as soon as corporate weight is thrown around, you are evil.
*) Know the facts. Investigate internally and externally. Here is a wonderful place to bring in those legal folks who are no longer writing cease-and-desist letters. Make sure that you haven’t broken any laws or violated licensing agreements, because it is going to come out. Especially convenient “borrowing” of GPL’d software: it’s easy to find, and people who don’t like you are going to look. This might save you some embarrassing moments.
*) Inspire trust, not class action lawsuits. Fess up. Seriously. The story ends faster if you admit that a mistake was made. If you can’t do that (lawsuits et al.), how about not being smug? Here is an example of a poor response (from BetaNews):
Sony BMG’s Global Digital Business President Thomas Hesse downplayed the recent DRM fiasco saying he objected to terms such as malware, spyware and rootkit. “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” he said.
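The “Know the facts” bullet above says borrowed GPL’d code is easy to find. Here is the kind of check an outside researcher runs against a shipped binary, and that your own people should run first. This is an added example, not code from the original post or from any vendor mentioned in it: it pulls printable strings out of a binary blob (what the Unix `strings` tool does) and flags the ones that look like license or copyright notices. The marker list and the sample blob are constructed for illustration; a real audit would extend the list with the identifiers of the libraries you actually ship and would also compare exported symbol names and code fingerprints, since a careful borrower strips the obvious strings.

```python
import re

# Hypothetical marker list: strings that typically survive in a binary built
# from GPL/LGPL sources. Extend with the names of libraries you depend on.
LICENSE_MARKERS = [
    re.compile(rb"GNU (?:Lesser |Library )?General Public License", re.I),
    re.compile(rb"\b[LA]?GPL(?:v?[23])?\b"),
    re.compile(rb"Copyright\s*(?:\(C\)|\xa9)?\s*\d{4}", re.I),
    re.compile(rb"www\.gnu\.org/licenses", re.I),
]


def extract_strings(blob: bytes, min_len: int = 8):
    """Return (offset, run) for every run of at least min_len printable
    ASCII bytes in blob, the same thing `strings` prints."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(blob)]


def find_license_markers(blob: bytes, min_len: int = 8):
    """Return the printable strings in blob that look like license or
    copyright notices, as (byte_offset, text) pairs in file order."""
    hits = []
    for offset, run in extract_strings(blob, min_len):
        if any(p.search(run) for p in LICENSE_MARKERS):
            hits.append((offset, run.decode("ascii")))
    return hits


# Constructed sample "binary": a fake DOS/PE stub, junk bytes and a few
# embedded strings. It is not a real file from any vendor.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 8
    + b"Copyright (C) 1999 Example Codec Project, GPL v2"
    + b"\x00" * 4
    + b"Usage: %s [options]"
    + b"\xff" * 8
    + b"This program is free software; you can redistribute it under the GNU General Public License."
    + b"\x00" * 4
)

if __name__ == "__main__":
    # Usage: point the same function at open("vendor.dll", "rb").read().
    for off, text in find_license_markers(SAMPLE_BLOB):
        print(f"0x{off:06x}: {text}")
```

The two notice strings are reported with their offsets; the DOS stub text and the usage string are ignored because they match no marker. Run this over everything you ship, not just the component under suspicion, because whoever is looking will do the same.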
The worst Security PR Nightmares of 2005 were:
1) Sony DRM Rootkit. Had it all. Music industry. Rootkit with hacker-like behavior. GPL’d code. A fix that made things worse. Unapologetic media company. Hurt the already suffering reputation of DRM something awful.
Outcome: TBD. Lots and lots of lawsuits. By far, the worst handling of
2) Ciscogate. Has the term ‘gate’ in it. Video footage of materials getting ripped out (why not burn them at that point?). One whistleblower/researcher against two large corporations. Federal authorities involved.
Outcome: Settled after weeks of bad press. This could have been done quietly.
3) CardSystems. 40 million credit cards/identities leaked. Amazingly, much less press than the first two. I think it’s because CardSystems was perceived as a victim. Cisco and Sony weren’t perceived that way.
Outcome: Visa stopped doing business with CardSystems due to this incident. CardSystems’ assets were liquidated, erm, I mean, acquired. Being a victim doesn’t mean that everything will be OK.