My partner and I had a holiday weekend in a hotel in regional Victoria recently and enjoyed the walk-in, walk-out, no-need-to-prep-anything experience of our luxury hotel room.
I handed over my driver’s licence at check-in, which was photocopied. I didn’t think about what the hotel would do with my information and certainly didn’t ask about it. It was all very casual.
But following a raft of cybersecurity attacks – or cyberbreaches, or cyberfails, depending on your point of view – I’ve become very aware of how often we’re asked to hand over our identity documents to a stranger.
This past month I’ve been privy to both Optus and Medibank’s crisis communications with customers.
Yep, I’m a customer of both.
I’ve had two emails from Optus. The first was personalised (Dear Louisa) and signed by their CEO. It told me what they knew and didn’t know, what I should do, and how I could contact them. It apologised unreservedly. Fairly standard stuff.
The second email advised me that the breach had exposed my driver’s licence. It was impersonal (Dear Customer) and unsigned (Your Optus Team). I read the tone of this second email as less concern for me and more defensive.
And that’s it. I’ve heard nothing more for the past three weeks.
Meanwhile, I had four emails from Medibank in the week since their breach, each personalised and signed by the CEO. There is a lot of detail, and the tone is consistently concerned – for me. The first three emails asked me to go to their website for more information, but the last provided a phone number and a dedicated 24/7 mental health support line if I needed support.
Which company do you think I’m more inclined to stay loyal to?
Of course, there are other factors at play. The Commonwealth Government response has changed, and media coverage has shifted. Cyber-attacks are almost a dime a dozen in October. Did you see that the Australian Institute of Company Directors cybersecurity conference was hacked yesterday? Ouch!
To me it felt like Medibank had prepared its crisis response more rigorously. Stress testing messaging, channels, resources and responsibilities is essential to crisis management.
The US Centers for Disease Control and Prevention provide the template for most crisis communications approaches. They base their manual on psychological and communication sciences, studies in issues management, and practical lessons learned from emergency responses and emphasise these six principles:
- Be First. Crises are time-sensitive. Communicating information quickly is almost always important. The first source of information often becomes the preferred source.
- Be Right. Accuracy establishes credibility. Include information about what is known, what is not, and what’s being done to fill in the gaps.
- Be Credible. You can’t maintain trust without honesty.
- Express Empathy. Crises create harm. Show more than the facts; show you care.
- Promote Action. Giving people meaningful things to do calms anxiety, helps restore order, and restores a sense of control.
- Show Respect. Respectful communication promotes cooperation and rapport. It’s especially important when people feel vulnerable.
“It’s often said that ‘data is the new oil.’ Instead, we’d argue that it’s trust that will decide whether businesses — and the Fourth Industrial Revolution itself — succeed.” – Mark Hawkins, President and Chief Financial Officer, Salesforce
“Bad communication ends a lot of good things. Good communication ends a lot of bad things.” – Attributed to Nigerian singer and songwriter Yemi Alade.