Paul Holmes 25 Jun 2006 // 11:00PM GMT
In August of 2005, a fast-moving computer worm called Zotob was unleashed upon unsuspecting computer users. Most computers were immune. But others, particularly those that had not installed the latest security upgrades, were vulnerable—and because they included several major U.S. media companies, Zotob became a big news story.
The Microsoft Security Response Center, in partnership with public relations firm Waggener Edstrom Worldwide, responded quickly. Adopting a strategy of unusual transparency, the PR team opened Microsoft’s operations center, or Situation Room, to key media, providing an intimate view of how the company handled security incidents.
As a result, a news cycle that began in crisis mode was transformed into an opportunity for the company to deliver prescriptive information to computer users, and allowed Microsoft to educate the media about the steps it had taken to protect its customers.
More than 90 percent of the world’s computers run on the Microsoft Windows operating system, making Windows the most tempting target for viruses or worms that hackers devise to exploit vulnerabilities. Those worms and viruses can replicate and spread across the Internet unless computer users download regular software updates and install security measures such as firewalls and anti-virus software. Microsoft releases monthly updates to fix vulnerabilities so customers are less vulnerable to attack and provides prescriptive guidance about how customers, developers and others can keep information secure.
On August 9, Microsoft released an update for Windows. Soon after, a hacker released a worm named Zotob that exploited the vulnerability addressed in this update. Computers running older versions of Windows to which the update had not been applied were vulnerable to this attack.
The MSRC team became aware of the exploit code—the precursor to a worm—on August 11, and began monitoring it by watching newsgroup chatter, media coverage and computer network traffic, which spikes when a worm is propagating. The Center released an advisory that day to alert customers to the heightened threat and provide prescriptive guidance.
When the worm itself appeared on August 14, the MSRC modified its advisory, describing Zotob a low-level threat because businesses, rather than consumers, were the major users of Windows 2000, and most businesses were aware of the need for regular updates and had followed Microsoft’s repeated guidance to protect themselves with the updates, firewalls and anti-virus software.
So it came as quite a surprise when key media organizations, including CNN, ABC and The New York Times, reported an “Internet meltdown” as a result of the Zotob worm. These organizations were vulnerable to the worm because they had not applied the latest updates, and their own experience led them to believe the problem was much more widespread than it actually was.
Early in the evening of Tuesday, August 16, CNN’s Wolf Blitzer went on the air live and reported “a major computer worm affecting computer users around the world.” The public relations team was forced into crisis mode.
Given the widespread use of Microsoft’s products around the globe, and the frequency of hacking in the software industry, the PR team was well-prepared to deal with such a crisis. However, Microsoft has been criticized in the past for mishandling security. In recent years, a number of incidents—the Code Red virus in 2001 and the Slammer and Blaster worms in 2003—led to media criticism.
Over time, Microsoft and Waggener Edstrom Worldwide have worked together to improve their crisis response efforts, preparing for future crises by reviewing those of the past, learning from mistakes, and recommending actions that would lead to better outcomes. With each incident, the team gained experience and established best practices to improve crisis response, including the creation of a dedicated Situation Room where security engineering, PR and communications staff could work side by side.
The primary goal in any crisis to communicate with customers, and Microsoft has recognized that PR plays a crucial role in helping protect customers by rapidly informing them.
To prepare for crises, the security team regularly performed drills anticipating how to respond if a worm or virus struck, and tested the responses of different divisions of the company. Of particular relevance to the Zotob crisis, at a drill in 2004, the PR team had recognized that an attack on a media organization would pose a different kind of crisis, and incorporated that scenario into subsequent drills. The team also developed crisis template documents, pre-approved by Microsoft’s legal team.
The crisis response was driven by four major objectives:
• Communicate prescriptive guidance to protect Microsoft customers;
• Demonstrate responsibility, transparency and leadership during the crisis
• Persuade key audiences that the number of computers vulnerable to attack was minimal;
• Maintain customer confidence in Microsoft’s products and ability to protect customers.
Because the media reporting the crisis were affected, the initial stories took on an alarmist tone, obliging the PR team to be creative and take unique risks to best achieve its objectives.
The critical target audiences included the media affected by the worm, especially CNN, ABC and The New York Times; computer industry trade publications reaching information technology and security professionals; IT professionals, including security specialists; business computer users, especially those who had not downloaded the update or did not use a firewall; and third parties such as industry analysts and other “influentials” who affect Microsoft company valuation.
The crisis team began to consider a risky scenario it had planned for but had never before implemented: opening up the MSRC Situation Room to the media to provide them with an insider’s view of the way the company responded to a crisis.
The PR team believed that if it opened the company up and allowed reporters inside, it could demonstrate its integrity and ultimately turn CNN’s coverage from hype to reality.
Still, there were several critical challenges. The PR team had to get the facts out—that only unpatched Windows 2000 networks without the security update and firewall could be affected—while avoiding any perceived criticism of the affected media organizations that had not taken the proper precautions. These media outlets were Microsoft customers and a key PR audience; therefore, diplomacy and straightforward, factual delivery were crucial.
Moreover, the media covering this story were part of the story themselves, and because their computers had been infected, they couldn’t use their computers to do their jobs. The PR team had to be sensitive to their needs and frustrations, and communicate with them without relying on modern conveniences such as e-mail or Web sites.
The PR team first worked to counter the CNN reports on Tuesday evening, through repeated and consistent delivery of clear, factual messages. That afternoon, after the crisis team spoke the phone with numerous producers, CNN sent a camera crew to the Microsoft campus.
The PR team recognized the potential for producers to edit footage to support the “worldwide crisis” angle, and to minimize the risk negotiated a live interview that would give Microsoft the chance to deliver its information free directly and without editing. Two hours after the initial Wolf Blitzer report, CNN viewers saw a live interview on Paula Zahn Now with Microsoft spokesperson Debby Fry Wilson.
Wilson calmly provided guidance for customers, despite the tone of Zahn’s questions, which were laden with hype and occasionally inaccurate information. The live interview was so effective that an hour later CNN anchor Aaron Brown was describing Zotob as more like a flu outbreak than “computer Ebola,” and suggesting that part of CNN’s interest in the story was because of its own experience with the worm.
Meanwhile, the PR team was conducting briefings with influential West Coast analysts Rob Enderle of The Enderle Group and Michael Cherry of Directions on Microsoft, and the next morning briefed analysts from Gartner and Forrester, who were then able to serve as important third-party references to reinforce Microsoft’s messages.
The PR team invited several media outlets into the Situation Room on Tuesday night to observe firsthand the company’s response to a security crisis. By early Wednesday, CNN had run a live report from Microsoft, accurately noting the low impact of the worm. The network ran footage of the Situation Room and Wilson’s interview several times that morning, and the tone of reporting clearly shifted from alarmist to factual.
Microsoft and Waggener Edstrom also worked closely with the MSRC technical team to released frequent updates, which were posted on Microsoft.com and other outlets, including the MSRC team’s widely read blog chronicling various team members’ experiences during the attack. The team conducted e-mail outreach to more than 80 security influentials with relevant updated information during the crisis, provided Microsoft subsidiaries worldwide with information for use with their local media, and seeeded in-depth stories on the MSRC’s handling of Zotob among trade and business media, culminating in the August 17 announcement that Microsoft engineers had developed a Zotob removal tool
The inside look at Microsoft’s security response was the key to turning around negative press coverage, earning Microsoft unprecedented praise for its handling of the crisis.
More than 140 unique stories were posted in top-tier print and online business and trade publications reaching key IT audiences, with coverage 94 percent “neutral” to “positive” in tone, according to a Waggener Edstrom Worldwide analysis. Many stories contradicted the assumption that the worm was a worldwide crisis. Numerous leaders in the security industry wrote blog posts about Zotob, many describing the story as over-hyped.
The Zotob blog written by the MSRC team was read more than 11,000 times.
Industry analysts provided numerous supportive quotes and reports, including a Forrester report titled “Limited worm impact shows Microsoft’s security strategy is working.”
Only two years after customer confidence hit an all-time low because of the Blaster worm, and despite the potential for long-term damaging repercussions, the PR team’s calculated risk-taking strategy turned the crisis into a positive, confidence-building experience for Microsoft’s customers and the influencer community.
The look inside the Situation Room gave Microsoft a broad platform from which to communicate with customers about the measures the company takes to protect them from worms and viruses while giving them tools to make sure they are protected, earning the company crucial points for its leadership in security and ultimately the trust of its customers— including some who are members of the media.