Why are corporations inclined toward denials when embarrassing problems are discovered? Two cases in the past week offer some clues—and illustrate how companies can respond vastly better in such situations.
Both revelations involved technology companies. Lenovo had installed some awful third-party software on a number of consumer-marketed personal computers running Windows, resulting in a genuinely horrific violation of customers’ security. Meanwhile, according to a story in the Intercept based on the Edward Snowden leaks, U.S. and British spies hacked Gemalto, the biggest manufacturer of mobile-phone SIM cards, as part of a campaign to undermine the security of users’ phones.
In both cases, the initial reaction from the companies was, essentially, a denial that anything serious was wrong. But Lenovo changed that stance after being confronted, in often harsh ways, by people who knew better—notably security experts who pointed out the absurdity of the company’s what-me-worry claims. Now, in its latest public statements, Lenovo is saying it’s going to do everything in its power to ensure that it never lands in a similar position in the future.*
Gemalto says it investigated, and that actually everything is fine. A corporate statement includes the following: “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”
That was the rough equivalent of “move along, nothing to see here”—and it led to more skewering from security experts. “This is an investigation that seems mainly designed to produce positive statements,” Matthew Green of Johns Hopkins University told the Intercept. “It is not an investigation at all.”
If the security gurus are correct, Gemalto doesn’t even realize the danger it faces. Let’s hope that company’s customers will demand more clarity, though the world’s telecommunications carriers are traditionally joined at the hip with spy-happy governments, and it may not bother them much that once again they’re giving their customers’ security little or no thought.
As Slate’s David Auerbach suggests, Lenovo’s worst offense was ineptitude, which isn’t something you want to see from a company that tens to hundreds of millions of customers want to rely on for their personal-computing platforms. (As Auerbach also points out, the third-party software companies at least as responsible for this debacle—Superfish and Komodia—are disgustingly unapologetic or silent.)
When the Lenovo story broke late last week, I tweeted about how bad this looked for the PC maker, and how that pained me as a longtime customer, because it had diminished the likelihood that I would buy from the company again. In an early email exchange with a senior Lenovo official, who seemed genuinely perplexed by my reaction, I expressed amazement at the company’s blatant misstatements about the security implications. He later acknowledged, as the company’s chief information officer did publicly, that the harsh reactions had been fair.
In doing that, Lenovo was taking a cue, though somewhat belatedly, from the school of public relations called “crisis communications,” and it’s mostly common sense when applied with integrity. The PR practitioners spend a lot of time helping clients prepare for what seem like inevitable crises, so one of the most important rules, of course, is don’t do stupid stuff that will get you in trouble. But since humans run enterprises, problems are likely anyway.
So how can companies handle these kinds of cybersecurity cases?
First, they should never, ever lie about the situations. If we know anything at this point, it’s that digital security is—at best—a moving target. Saying “We don’t know for certain, but we’re looking into this as fast as is humanly possible” makes a lot more sense. Perhaps lawyers are often involved in decisions to brazen it out in crises of this kind, because companies just hate to admit anything that might give class-action lawyers any ammunition.
Second, they should make public mea culpas if they screwed up. Again, the lawyers probably freak out at the possibility, but then again the lawyers work for the company, not vice versa.
Third, they should publicly explain how they’re going to avoid recurrences. This is easier when the issue is malware you install yourself, and much more difficult when you’re fighting off some of the best-equipped spies on the planet.
Lenovo has taken a further, and valuable, step: It vows to “become the leader in providing cleaner, safer PCs”—eliminating “what our industry calls ‘adware’ and ‘bloatware.’” It would be great if this move sparked a race to the top, with vendors competing to offer systems that don’t compromise users’ security and privacy.
One of the most responsible admissions of a screw-up followed by strong action to prevent a recurrence came a few years ago from Consumers Union, the nonprofit that operates Consumer Reports. A report on car baby seats was deeply flawed, so bad that it threatened the magazine’s sole basis for survival: the trust of its audience. Consumer Reports retracted the article in a letter to its audience, and then, after a genuine internal investigation, published a long and instructive piece on what had gone wrong, and how it intended to prevent something like that from happening again.
I’m more skeptical now of Consumer Reports. But I still generally trust it. And I still buy it. There’s a lesson there.
*Correction, Feb. 27, 2015: Due to an editing error, this post originally misstated that Lenovo was saying the company would do everything in its power to ensure that it land in a similar position in the future. It actually said it’s going to do everything it can not to land in such a position.