Cybersecurity company CrowdStrike more than lived up to its name last Friday, sparking global chaos when a faulty Windows system update hit millions of businesses and individuals in seemingly the biggest IT outage in history.
From airlines to banks, the NHS to media groups, supermarkets to train operators, few were immune from the “Blue Screen of Death” errors that caused computers around the world to crash.
But ironically for a company focused on risk prevention and management, not only did CrowdStrike’s software glitch provoke an IT meltdown of unprecedented proportions, but its own response to the crisis was found wanting, in communications terms at least.
Posting on X (Twitter) on Friday, CEO and co-founder George Kurtz’s initial statement began:
“CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed.”
After instructing customers to refer to the support portal and use official channels for further updates (without even linking to said channels), the post concluded:
“Our team is fully mobilized to ensure the security of CrowdStrike customers.”
Nowhere in the statement was there a hint of an apology, an admission of responsibility, a recognition of the magnitude of the multibillion-dollar disaster, which grounded planes, crippled businesses, and put lives at risk through cancelled operations. Nor did it explain what the issue was, what fix had been deployed, or when the issue was likely to be resolved.
Instead, Kurtz sought refuge in corporate language, devoid of humanity and accountability, and written in the passive voice – clearly to try to minimise the threat of litigation and financial collapse.
Yet in any crisis, and particularly one of a company’s own making, communication is paramount in controlling the situation, limiting the reputational fall-out as far as possible, and regaining trust.
Responsibility, transparency, clarity and empathy should be the guiding principles, with the company’s senior leadership providing regular updates across multiple platforms to address all stakeholders.
Customers, investors, employees, regulators, the media – all need to be reassured that the company is taking ownership of a crisis, that it recognises the impact on its customers – and above all that it is sorry. Otherwise, the company risks inflaming tensions further and potentially provoking a mass customer exodus.
Only five and a half hours later did Kurtz finally apologise in a second tweet – albeit after a defensive opening:
“Today was not a security or cyber incident. Our customers remain fully protected.
“We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption. We are working with all impacted customers to ensure that systems are back up and they can deliver the services their customers are counting on.”
And in a third post, a few hours later, Kurtz committed “to provide full transparency on how this occurred and the steps we’re taking to prevent anything like this from happening again”.
Perhaps this change in tone during the course of the day reflects the appointment/briefing of crisis communications experts? While it remains to be seen whether CrowdStrike keeps its promise to be transparent and learn from its mistakes, the company seems, somewhat belatedly, to have recognised the importance of communications when IT hits the fan.
22nd July 2024
Written by Sarah Peters