8 communications basics the CrowdStrike outage highlights
Communications are critical during an emergency. This is especially true for highly unpredictable disruptions, such as the recent CrowdStrike outage.
The recent CrowdStrike failure highlighted the business world's dependency on tech -- and why outage communications are so essential.
When CrowdStrike pushed out a content update that caused a blue screen of death, the cybersecurity company disrupted business operations across the globe. This event should serve as a wake-up call to business and IT leaders on the importance of outage communications.
Outage communications include instructions to leaders and employees on what steps to take following an outage. They can also include updates to customers on impacts of the outage and status updates for recovery.
Modern crisis communications plans typically account for natural disasters and cyberattacks, but they must also include contingencies for technology or software outages. If day-to-day work programs are inaccessible, this might affect regular communications methods such as email or messaging applications, leaving employees and stakeholders in the dark when an outage occurs.
A lack of preparation leads to a confused, slow and ineffective response to an emergency. This can result in negative media coverage, reputational damage and even lawsuits. A well-organized emergency communications plan outlines specific steps to take from the onset of an incident. Effective communication requires that relevant stakeholders across the enterprise -- including leadership, crisis teams and IT -- work together to keep employees and customers updated and get systems back online. Stakeholders should also understand which technologies to use and in what order so that communications won't be completely halted if one system or platform is affected.
The following eight fundamentals can help ensure that a business's response to an outage is swift and organized, and includes the necessary parties from the start.
1. Senior management support
Buy-in for crisis management programs can be difficult to get. Upper management might not view disaster recovery and crisis communications as organizational priorities, or might not set aside the required budget. Without the executive team's approval, a recovery strategy might not have the resources, staff or prominence within the organization to enable an effective response. As a result, the organization might not have an outage communications plan.
To justify the need for a solid crisis management program, disaster recovery and IT teams might use the CrowdStrike incident as an example of what can happen if the business is not prepared.
2. Built-in flexibility
Outages and other tech disruptions do not conform to a plan. By nature, emergencies bring about unexpected events and impacts. Even the most advanced IT and DR teams can never know exactly what an outage will entail, so flexibility is a key part of every successful response and recovery. Specific disaster recovery plans can prepare for incidents such as floods or fires, but the most effective plans prepare for multiple scenarios. An "all hazards" approach to disaster recovery ensures that the scope of the plan is not limited to certain incidents and that the plan contains steps that can be adapted to face different challenges. This is also true for outage communications.
For example, a particular technology dependency can create problems if that technology is suddenly unavailable, as seen in the CrowdStrike event. A flexible outage communications plan contains workarounds, such as instructions for manual procedures if the network is unavailable or paper documents as backup for contact information that is kept online.
Establish clear roles for various incidents, ensuring that staff members know and are prepared to execute their responsibilities when an outage occurs. If the process an employee is typically responsible for is unavailable, outline alternative actions they can perform or list the people they can report to who might need assistance.
3. Defined cross-organizational roles
An effective outage communications plan depends on cross-organizational collaboration, and numerous departments have a role.
If an organization does not have a designated disaster recovery team, IT personnel are typically responsible for deploying communications technologies and executing a response plan. The employees responsible for DR and IT should have open channels of communication prior to an incident, as well as shared access to plans for communications -- especially for an emergency notification system (ENS) -- and backups of critical data, such as plans and contact lists.
Other employees will likely be affected by an emergency or outage in some way. IT and DR departments benefit from communication with human resources to make sure issues affecting personnel are addressed. IT also needs to coordinate with internal marketing or public relations departments. Those departments might coordinate all external and internal crisis communications, especially with social media.
4. Multiple ways to access communications plans
A communications plan is of no use if a network or software outage renders it inaccessible. If the plan is available on a smartphone or desktop system, it should be accessible wherever emergency team members or other necessary personnel are located. This also ensures access if company offices are unavailable. Some organizations use SharePoint and similar technologies as the plan repository.
Outage communications technologies for business
There are several emergency communications technologies available today. Options for outage communications include the following:
- Wireless communications. Satellite phones and two-way radios can be used in situations where the terrestrial communication infrastructure has been disrupted.
- Social media. Social media enables communication between the sender and the recipients. It is widely accessible through various devices.
- Television and radio. These options do not facilitate responses by recipients, but they can deliver emergency messages to a wider audience.
- Email. Email is widely available and enables responses, but a technology outage that affects internet connection or internal email software might render it unavailable.
- ENS. Automated emergency notification systems deliver emergency text messages to individuals and groups via their mobile devices, email addresses and home phones. ENS can also accept return messages.
- Paging systems. The paging feature available in most phone systems enables the sender to broadcast messages to all phones in the system.
5. Preprogrammed contact lists
When seconds count, it helps to have personnel contact information already prepared and stored in an ENS or smartphone. Preprogrammed emergency contact lists can be set up to quickly contact key individuals and teams. Copies of these lists should also be in a secure location so that there is a workaround if the technology storing the primary list isn't working.
6. Updates that use clear, concise language
Clarity is critical during a crisis. Communications to employees and customers should contain relevant facts about the event and timely updates as to the status of the organization. Follow-ups can keep stakeholders and senior management informed, as well as correct any erroneous information.
Customers might turn to social media for answers, so the organization's presence on major platforms is important. A poorly worded message could create serious problems for the organization. This is an area where collaboration with PR and HR departments is essential.
7. Technology contingencies
Emergency messages during an outage keep employees and their families, stakeholders, first responders, vendors and other important entities informed.
As seen with the CrowdStrike outage, organizations can never predict what software or systems will be affected by a disruption. It's important to have a decision flow chart in place to guide which technologies to use in the case of a disruption.
To avoid communications being rendered inaccessible by an outage, businesses should have the ability to deploy multiple methods. For example, if email is inaccessible, an ENS provided by a third-party service will likely be able to reach employees. While comparatively low-tech, paging systems can help contact on-site employees if notification or email services are down. For remote employees with internet access, but not internal email services, social media accounts can share relevant information and field responses from staff looking for information.
8. Regular tests and reviews
Once the outage communications plan has been completed and documented, schedule reviews and tests to confirm that the procedures make sense and technologies perform correctly. Testing is critical to any disaster recovery plan and can uncover areas of confusion or gaps in the plan. Tabletop exercises can help staff run through the plan from beginning to end, before an outage hits.
Unfortunately, even testing does not guarantee a response will run as planned. After an outage occurs, an after-action report or similar review process can help unearth things that went wrong or need additional attention.
Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.