The hack, as far as we know, committed by two British teens, that got TalkTalk yet again unwanted negative attention, has been deemed ‘unsophisticated’. So far, the handling of the case has displayed all the usual reactions: apologies, reassurances, wordy statements aiming at damage control – even pledges to make it better, to never let it happen again. It feels like a repeat of the cringe-worthy bits of romantic comedies, de-contextualised and uttered by senior management and spokespersons frightened by the drama.
The helpless and less than mature gestures have been employed during the recent emission-scandal at Volkswagen, the pilot-induced disaster at Germanwings, the data breach cases at JP Morgan, Lloyds or Royal Bank of Scotland, to name only a few. The knee-jerk response is striking – and insufficiently suited as means to handle severe reputational risk as it neither tackles the underlying problem nor the heavy blow dealt to public perceptions of competence at the top. Here is why. We are presented with a notion of deviant teens, whose parents had no idea what they were doing and lacked knowledge of the UK Computer Misuse Act 1990 (see here for global pieces of legislation in this respect) – so at least the mass media’s assessment of the situation. Yet, those teens helped deliver valuable insight into the weaknesses of extremely large (and powerful) organizations. Clearly, they also had the intellectual capacity and coding skills to succeed in their criminal adventure. Why was their obvious talent (minus the criminal potential) not spotted earlier and channeled meaningfully?
Why are senior management and their spokespersons not better equipped when it comes to providing more sophisticated and suitably targeted responses to the public who deserve better than lukewarm all-emotional apologetically-reassuring patronizing talk?
Internal governance processes, hierarchies, power struggles and generational divides (Millenials, i.e. the digital natives versus digital immigrants, i.e. the late adopters of social media at the helm of such unfortunate large firms) are not making it into the public sphere in such cases. Yet, a more transparent handling and a significantly more pro-active stance as to these aspects could have helped to restore trust and stakeholder confidence.
A closer look into these cases reveals deep-seated weaknesses which are rooted in corporate culture rather than in the lack of technology, skill sets or budgetary issues. Decision-making processes are at the heart of effective governance and the complex risk control machinery, yet all too often fear gets in the way. Challenging ineffective processes or raising potential risks observed by employees, contractors, customers or the general public are being stifled in and by a corporate environment that favors short-term orthodox thinking. For instance, despite the spiking number of cyber threats and attacks, why is there an absence of calls for hacking in a controlled environment as a preventive measure to spot the flaws and gaps in the existing systems?
Clearly, each aspect and approach entails its very own set of idiosyncratic risks. However, swift and adequate responses that convey genuine integrity and loyalty to the customer are needed when trust is at severe risk. One major step towards this critically important goal would be based on a rigorous and critical re-evaluation of currently widely adopted yet ineffective strategies and default statements provided to stakeholders, shareholders and the public.
As we have seen in the recent past, the damage done within narrow windows of opportunity post-incident is severe. Lessons are not learned from industry competitors but repeated and the overhaul of crisis handling strategies remains overdue. We need more sophisticated tools rather than yet another round of ad hoc blame-shifting towards [teenage] individuals. Embracing and harnessing legal and ethical hacking could be among those with a lot of potential in this regard.