Ghosts in the machine and the Marriott hack

Last week brought another large-scale security hack. This time it was the hotelier Marriott that was the subject of unwanted attention. More precisely, it was their recent acquisition, the Starwood group, which was targeted. The business operates a number of well-known brands, including W Hotels, Sheraton, Westin and Aloft. The size of the operation goes some way to rationalise the scale of the breach, which is reported to have impacted as many as 500 million Starwood customers. To put the numbers into context, that’s second only to the 2013 attack on Yahoo, which affected 3 billion users. A distant second place, I recognise, but even so, these are astronomical numbers.

I don’t bring this up in terms of the crisis response; in fact, the Marriott actions to date have been laudable, including the neat idea of giving those who have been affected the opportunity to use a web monitoring tool for up to a year to gauge whether there is unauthorised use of their personal details.

No, from a crisis communications perspective, the real interest lies in what was happening ‘upstream’. What I mean is that the Starwood hack is four years old! Its defences were breached in 2014, which is two years prior to the Marriott acquisition. The Marriott systems, apparently, are not affected. My point – as is invariably the case with crisis communications – is that this is a crisis preparedness issue.

In short, mergers and acquisitions have always had their challenges for the reputation specialist, whether they were cultural differences, the inevitable job losses, or market volatility. The Marriott case, however, is illustrative of the inherent sensitivities of corporate acquirement in the digital age; principally the fragility (or not) of the systems, security and associated employee behaviours that are characteristic of the newly purchased asset. To be clear, I don’t point the finger at Starwood, but make the point to best demonstrate the changing nature of reputational risk, and more importantly, to highlight a need to involve communicators sooner rather than later if an intrinsic threat – however faint – exists. The process of due diligence is tightly marshalled, typically, due to the sensitivities of the circumstances, but it’s vital that a link is established between those who delve ‘under-the-bonnet’ in the first place, and those of us who are tasked with managing the brand and any innate frailties thereafter.

This piece first appeared on the Mumbrella website.


Would a crisis by any other name make you click?

Being someone who supports organisations in terms of their respective reputations, I’m acutely aware that I have a rather slavish relationship with crises. To clarify, it’s in my professional interest to keep abreast of business mishaps, cynical misdeeds and product failings the world over. I gauge the context and privately evaluate the response. I tell you this as I feel I’m moderately qualified to say that crisis is getting too big.

That last point needs some explanation. Crisis, as a concept, has grown exponentially in recent years. For a simple illustration, check out the Google Books Ngram Viewer, which shows use of the term has virtually doubled since the end of the Second World War. The irony that crisis was less talked about during the turbulence of D-Day and the Third Reich than it is today can’t be lost on us.

To be clear, crises sadly happen, but not at the rate at which the crisis circus – namely the media, insurance firms and some aspects of the public relations industry – would have us believe. Crisis has been industrialised as it can be inordinately profitable for those who purport to have the credentials to help. Crisis – as is the case with terrorism – is increasingly being applied with indiscriminate flair to a range of events and situations. In recent weeks, we’ve had the media refer to the crisis in Syria, the crisis afflicting German football, the Thai cave crisis and crisis talks in regards to the NEG – that’s the National Energy Guarantee to the uninitiated. My concerns with the broad-brush approach primarily relate to the inherent associations with the word crisis. Our understanding of the world is shaped by the way the world is labelled. We perceive crises to be big, calamitous events, and subsequently, we expect big repercussions if they are not managed effectively, such as the loss of senior people and a plummeting share price. It’s a short step indeed from ‘crisis’ to that other favourite media omen, ‘embattled’. Crises call for accountability. The English language is fantastically accommodating in its breadth, and to that end, to read about the Thai Cave Accident, or the Plight of the Thai Cave Boys would have been as accurate a reading of the situation as we had, but I guess they’re not as exciting, nor are they as exacting in their demands if things go wrong.

This article first appeared on the Mumbrella website

The NAB Sydney move needs to be the start of something bigger.

National Australia Bank (NAB) – one of the country’s big four financial institutions – is moving its Sydney headquarters. The new home will offer staff the latest in “state-of-the-art offices” – you can read more here.

I bring this up as the bank has had its fair share of reputational woes in recent years; primarily providing customers with what’s been ruled as bad financial planning advice; in fairness, they are not alone here, with the same charges leveled at the Commonwealth Bank (CBA), ANZ and Westpac.

So, it begs the question: did the bank – NAB – make its move to address its difficulties? The bank’s problems signal a need to examine the organisation’s culture; the CEO, Andrew Thorburn, has, rightly, said as much, commenting that it would take 5-10 years to get “true integrity and consistency”.

Moving office presents businesses with the opportunity to change, or reinforce, the dominant culture. Smart companies get this; there are enough smart people at NAB to identify the prospects that have been afforded by the change, I’m sure.

Management guru Edgar Schein came up with the idea of ‘cultural artifacts’, which are the tangible manifestations of corporate culture, such as buildings, uniforms and logos. So, in simple terms, the NAB state-of-the-art offices need only be state-of-the-art if the behavioural values sought by the bank dictate that it be so – an open office arrangement would suggest an open culture, for instance.

However, it has to go further than that; a new building needs to mark the start of a process, not its culmination. The NAB move needs to be the catalyst to evaluate all aspects of the business – from recruitment, to employee benefits. If the process is limited to the seating arrangements, then the bank has already lost.



Etihad's 5 Star U-Turn

Abu Dhabi’s Etihad Airways took occupancy of the back page of The Australian’s Business Review last Friday to tell the paper’s readers that it’s “official – our service now comes with 5 stars”. A resplendent air hostess stands beaming under a quote from the Skytrax Audit Report, which describes how the airline’s premium rating is a “testament to innovation, high-quality service and comfort”.

Skytrax, for those who demonstrate a healthy disinterest in such aviation ranking exercises, is a UK-based consultancy, which runs reviews of commercial airlines and airports. You can read more about them here.

So, what’s the story? Well, Etihad didn’t use to be so enamoured with the Skytrax ratings; oh, no. They were the constant recipients of four Skytrax stars – even after new cabin products had been introduced – but alas, that fifth star remained out of reach. So much was the irritation at Etihad that the carrier announced its withdrawal from Skytrax, including its Audit and Awards, in 2014. As Skytrax pointed out at the time, the airline cannot opt to withdraw, as results are decided directly by customers, which is clearly Etihad’s good fortune as they crow with delight at finally achieving equal status with the likes of Garuda Indonesia and Hainan Airlines.

The Etihad situation does beg the question, how much is an award worth to its winners? That is a question that’s clearly open to interpretation – does Bob Dylan’s Polar Music Prize win carry as much value for the performer as his recent Nobel Prize success? We can hazard a guess.

It is, though, a question that needs to be asked from a corporate perspective in view of the amount of energy that’s being expended in merely submitting the award entry, together with the growing sense of fatigue that surrounds some of those lesser accolades.

I won’t, however, let cynicism completely cloud my judgement, as I believe awards to be a good thing from a number of perspectives. Firstly, they offer a vital benchmark for any organisation; a measure of collective progress. Then there’s the inherent recognition of the people involved, and of course, the brand awareness that comes with such plaudits. Lastly, the incentivising quality of such prizes to set even higher standards for the business shouldn’t be overlooked – according to some, there’s a gulf between four and five stars, just ask Etihad.








Can hacking be good for us?

Dropbox – the cloud storage supplier – has been hacked. To be more precise, it’s just been reported that up to 68 million usernames and passwords were stolen back in 2012. Now, that’s a statement which probably bemuses the reader on two points; firstly, the scale of the breach, and secondly, the speed of the news – that’s 4 years ago. In fairness, the company made it known that they had been compromised in 2012, but the size of the incident had apparently been underestimated.

It’s said that Dropbox was completely unaware of the full extent of the attack, which leaves me in a flux – exasperated by their state of oblivion, while being gently encouraged by the fact that nothing has changed. As a Dropbox user (Darn, have I compromised myself?), I read the story with an air of resignation in light of the increasing regularity of such breaches – not just at Dropbox, I hasten to add. However, there lies the nub of the issue – my lethargic response, which is no doubt shared by others, is indicative of the consumer mindset that these attacks are a corporate problem and subsequently need corporate solutions. Not so; as corporate stakeholders, we are all part of the problem and the solution. Specifically, the public’s attitude towards passwords is casual at best, with our encryption bordering on an ‘open door’ policy – Pass 1234 anyone?

Hack fatigue would appear to be setting in among the public, leaving them perilously indifferent to the issue. So what to do? In entering the spirit of Sydney’s Festival of Dangerous Ideas, maybe we need the castle defences to be brought down occasionally to best appreciate our enemy's strengths, and give priority to investing in bigger and better walls. Only when we have a full grasp of the impact, will we recognise the threat.