The value of stepping forward, not hunkering down, when crisis strikes: Kaseya’s response to its ransomware attack
Jonathan Hemus, Managing Director, Insignia
Successfully responding to a crisis requires organizations to address the core problem and, at the same time, to communicate effectively with their stakeholders.
Fulfilling both requirements concurrently is no easy task for under-pressure business leaders, who are often tempted to fix the problem while neglecting to reassure stakeholders in parallel.
Cyber incidents present particularly acute challenges when it comes to communication. When Travelex was the victim of a ransomware attack in December 2019, it was heavily criticised for its tight-lipped approach to communication. Conversely, aluminium company Norsk Hydro committed to swift, transparent, and frequent communication when it faced a ransomware attack and benefited from an increase in its share price as a result.
Kaseya, a provider of IT and security management solutions for managed service providers and small businesses, is the latest organization to fall victim to a ransomware attack. The incident, which began on 2 July, meant organizations around the world were forced to shut down their online systems. In Sweden, hundreds of supermarkets had to close because their cash registers were inoperative.
Kaseya’s communication response
With a monumental operational and technological problem to address, a lack of time and information, high stakes, and enormous pressure, it would have been easy for Kaseya to hunker down and de-prioritise communication.
Instead, it began communicating immediately. At 4pm (EST) on July 2 it posted its first notification to its website.
Doing so established Kaseya as the key source of information and positioned it as responsible, aware of the incident, taking action to address it, and caring for its customers.
Regular online updates
By close of business on 7 July (five days later), Kaseya had issued nineteen further updates. This volume and frequency of communication enabled it to shape the narrative and retain control over its own reputation and relationships with its key stakeholders.
To put this achievement in context, some organizations fail to communicate anything in the first few days after an incident. To be as pro-active as Kaseya requires leadership, courage, and a willingness to do and say the right things, knowing that doing so will invite further attention and scrutiny.
Kaseya’s updates were not only prolific; their content was also well judged and included:
- Clear, simple status updates
- Expressions of empathy, care, and concern for the impact on customers
- An explanation of what Kaseya was doing to remediate the situation
- Guidance as to when systems are expected to be restored
- Actions customers should take to reduce the damage of the attack
- Materials to support Kaseya’s customers in communicating with their customers
- A commitment to on-going communication.
In parallel, Kaseya’s CEO, Fred Voccola, stepped forward for media interviews with messages which reinforced those included in Kaseya’s online updates.
Furthermore, he was skilled in countering speculation, without leaving himself hostage to fortune should the speculation subsequently prove to be true. For example, when asked whether the attack could have been an ‘inside job’, he said that neither he nor the investigators had “seen any sign of that”.
He further built on the company’s commitment to transparency by saying that details of the breach would be made public “once it’s safe and OK to do that”.
On July 7, a ten-minute video message from Mr Voccola was added to Kaseya’s website. This is a tried and trusted crisis communication tactic, but its success depends upon its execution. All too many CEOs, guided by autocue, deliver word-perfect but monotone, hackneyed corporate statements drafted by a coterie of consultants and vetted by lawyers.
Fred Voccola’s video is nothing like that. Within thirty seconds he apologises for what has happened: not the kind of carefully crafted legal apology which sounds empty, but rather a heartfelt, straightforward human apology.
He wastes no time in taking responsibility for what has happened: “I feel like I let this community down, I let my company down; our company let you down”. These words will resonate with customers and take some of the sting out of what they have endured.
He is honest in acknowledging the customer impact of a decision to delay bringing services back online in order to add further layers of security: “It was my decision to do this…it was probably the hardest decision I have had to make in my career”.
Great crisis leaders understand that all decisions carry downsides but accept the responsibility for taking those decisions, nonetheless.
He also goes beyond the typically trite message of “we will do everything we can to help our customers at this difficult time” by proving it through Kaseya’s actions. He commits to direct financial support for affected customers, the provision of consultants to help them recover and the option for them to delay payments if their businesses have been temporarily closed. No weasel words, no equivocation, instead a clear signal that Kaseya genuinely cares and is backing its words with deeds (and hard cash).
Finally, he commits to continued communication and to take whatever steps are necessary to improve the security of all their products.
In summary, Fred Voccola delivers one of the best CEO crisis videos I have seen. Ironically, its unpolished, gritty nature is one of its great strengths. It allows Mr Voccola to communicate with his customers in a personal way with passion, personality, humanity, and authenticity.
The one element of Kaseya’s communication which is questionable is its media statement published on 6 July. Strangely, the areas in which it fails are those in which Fred Voccola’s video so clearly succeeds.
The problems with the statement begin with its headline: ‘Kaseya responds swiftly to sophisticated cyberattack, mitigating global disruption to customers’. It comes across as inward looking and self-congratulatory. In any case, it is not up to Kaseya to judge the quality of its response: its stakeholders will determine that.
Equally, use of the word ‘sophisticated’ in the headline appears to be a subliminal message designed to communicate that Kaseya could have done nothing to prevent the attack. True or not, it hints at an abdication of responsibility (a trap which Fred Voccola so effectively avoided in his video).
In the first paragraph, Kaseya takes further credit for its response: ‘The company’s rapid remediation and mitigation measures saved thousands of small and medium-sized businesses from suffering devastating impacts to their operations and ensured business continuity’.
In my view, this is an ill-judged statement for a number of reasons. Firstly, timing: with the crisis still live and customers continuing to be affected, it is premature to claim victory. Not only that, to position Kaseya as the hero of the day carries a significant risk of infuriating customers who have suffered as a result of the incident. Finally, the message that Kaseya ‘saved thousands of small and medium-sized businesses from suffering devastating impacts’ may be true, but it ignores hundreds of other businesses who did suffer serious harm.
Kaseya talks about making a ‘rapid’ decision to shut down access to the software and how its team ‘sprang into action’. Again, the self-serving tone is inappropriate in a statement of this kind and is likely to be counter-productive. In any case, company statements (with the exception of quotes from company spokespeople) should be communicated in a straightforward, clear, simple, and factual style, with adjectives and flowery descriptions kept to a minimum.
A final contrast between the video and the statement comes in Fred Voccola’s words. The humanity and empathy so effectively communicated in the video are lost in the sanitised management-speak in the statement. Clichéd and empty phraseology such as ‘The immediate action-oriented and solution-based approach…’ and ‘a collaborative effort to remediate the issue’ gives no hint of Mr Voccola’s true passion and care for his customers.
The lesson here is to ensure consistency and alignment of tone and messaging across all communication.
A well-judged crisis management response
Taken as a whole, my strong impression is of a well-judged crisis management response with deeds and words in sync. Kaseya’s communication has been timely, pro-active, transparent, frequent, and empathetic, ingredients which will surely lead to the retention of stakeholder trust as well as reputation and value protection.
Jonathan Hemus is founder of crisis management consultancy Insignia and author of the award-winning book, ‘Crisis Proof – How to Prepare For The Worst Day Of Your Business Life’.