How firms should best react to a crisis

When infidelity website Ashley Madison was the victim of a hacking attack in 2015, the affected 36 million global users were suddenly very worried indeed.

The business, a dating site for married people who wish to cheat on their spouse, had the data of its customers stolen and released on to the internet. All their names, passwords, phone numbers and addresses.

While it was a very bleak time for Ashley Madison's users, the company itself faced a major crisis, and it was found to be lacking.

As customer numbers and revenues plummeted, the Federal Trade Commission (FTC) - the US agency tasked with protecting consumers - ruled that the business had not done enough to protect people's information, both before and after the attack.

The FTC fined Ashley Madison $1.6m (£1.3m), and said that the financial penalty was only that low because it didn't think that the business could afford to pay any more, such was the impact of the hack on its earnings.

Where Ashley Madison failed was its insufficient crisis management - it hadn't prepared enough for something bad happening, and how it would react.

While the company tells the BBC it has subsequently overhauled all its systems, how should all firms best plan for and then respond to a crisis, be it a cyber-attack, financial scandal or other serious issue?

With the UK government confirming last year that two-thirds of large British companies had experienced a cyber-attack in the previous 12 months alone, businesses who have an online presence anywhere in the world simply have to prepare for how they would react to a hack that breaches their system.

A business can make its website as secure as possible, but being 100% protected is just not achievable, say IT experts.

Thankfully for UK employment agency Page Group it knew exactly how to react when it suffered a data breach of its cloud computing system in October last year.

"We have senior staff in place from across different parts of our organisation that form an issues management team who are well equipped to deal with a crisis, should it arise," says Eamon Collins, Page's group marketing manager.

"That is why when we were alerted to a data breach by our IT vendor Capgemini, this team was able to act fast, review the issue, and provide counsel on the best course of action.

"The most important part of the process is putting your customers' interests first."

He adds: "Once we had sufficient information around what had happened, and the impact, we could undertake a transparent and open dialogue with the customer."

At former US mining group National Coal, the crisis it faced was repeated protests in the early 2000s by environmentalists who objected to its opencast mining in east Tennessee.

Its then chief executive, Daniel Roling, said the company had plans in place for how it responded to everything it faced - from trespassers, to staff being threatened, entry roads being blockaded, and bomb threats.

"We held a number of run-throughs to test the effectiveness of both communications and operation responses," he says.

"The plan should, at a minimum, include an acceptable and effective means of communication, as well as an outline of who can and should provide direction."

Mr Roling, who left National Coal before it was sold to Ranger Energy Investments in 2010, adds: "We had everything planned right down to where we would hold a press conference, and how we would set it up.

"In crisis planning, you are looking to create an effective auto-response, so that everyone heads in the right direction, without too much deliberation."

At UK tourist attraction, the Jorvik Viking Centre, in York, its crisis was a major flood in December 2015 that caused significant damage.

Director of attractions Sarah Maltby says the team worked hard to remove precious artefacts before they were damaged.

"Every company needs solid staff to assist, offer advice, and manage elements of disaster recovery," she says.

The centre is now due to finally reopen in April this year.

Crisis management expert Jonathan Bernstein says it is vital that a company responds quickly to a crisis. "The crisis moves at its own pace, but you need to be faster."

He adds that firms should be honest about the crisis at hand, especially if it is something they are to blame for, such as a financial scandal.

"Be honest about how you screwed up, and illustrate how you are going to ensure this doesn't happen again," says Mr Bernstein.

"Provide clear information to customers on what happened exactly, and what new protocols will be in place."

Damon Coppola, founder of Shoreline Risk, a company that assists businesses with their risk management, says that when it comes to a firm preparing for a possible crisis "the public might not necessarily expect perfection".

But he adds: "[The public's] judgement will be hard if it is perceived that the company failed to act on an obligation to limit or prepare for a known risk, if they were dishonest in their communication, and perhaps in the worst case, if profits came before people."

These are views echoed by UK public relations expert Benjamin Webb, founder of media relations firm Deliberate PR, which specialises in Swedish start-ups.

He says: "At a time of fast-moving crisis, particularly when people's well-being is at stake, transparency to customers and their family members must exceed any responsibility to shareholders."

At Toronto-based Ruby Corporation, the owner of Ashley Madison, chief executive Rob Segal, says the company has worked hard to rebuild trust since the 2015 hack.

Mr Segal, who joined the firm after the attack, says: "We partnered with Deloitte's world-leading security team following the breach, and they've been helping the company with privacy and security enhancements and 24/7 monitoring.

"The go-forward lessons for chief executives is to always stay vigilant about cybersecurity, and to continually invest in privacy and security safeguards."