Techotel crisis communication

The case of Techotel on its crisis communication

Nota: excerpts from Techotel’s paper have been faithfully transcribed, including typos and grammatical inaccuracies.

Crisis communication remains one of the most sensitive and critical dimensions of crisis management today. Often endured, communication can actually be a real tactical lever if it is mastered and thought out.

The communication of Techotel, a company that publishes IT solutions for hotel management that was the victim of a ransomware cyberattack in early June 2020, has the merit of being quite unique in its kind.

While many companies choose not to communicate at all or only rarely about the cyberattacks of which they are victims, Techotel’s communication breaks completely with this habit.

The company provides us with transparent and real-time communication, taking us on board with its side in the management of the crisis.

Nevertheless, this transparency, perhaps to an excess, raises questions about the ability of the Techotel teams to qualify the event, to record the transition to a severe crisis and to adapt its communication and organization if necessary.

We offer you an analysis of Techotel’s communication, which we could find in free access on the organization’s website until a few days ago.

Usual and adequate transparency at the stage of a simple incident

The first point to note is the speed with which Techotel’s teams decide to communicate. As soon as the first technical disruptions were reported, for what was still a simple incident at this stage, the communication was launched, in the middle of the night.

Indeed, in the form of a “chat” accessible to all, usually used to describe the state of operation of the services provided by the company, the person in charge of communication immediately reports problems with certain servers.

« We have problems with Danish, Swedish and Irish Picasso. Our technical staff is looking at the issue. We will update information later »

This transparency is not unusual, nor shocking, since we are still at the stage of the incident and it is common, especially in this professional field, for teams to communicate quite quickly.

Continuing to play the card of total transparency, as soon as the technical teams understand that it is a cyberattack that hits the servers, the information is transmitted to the general public, on the same channel, at 6:52 a.m., three hours after the first communication.

« We have been attacked by virus. »

At this stage, still nothing shocking. It is difficult to reproach Techotel for its honesty, a position often advised. Indeed, unlike Techotel, many organizations that are victims of cyberattacks generally choose not to communicate for as long as they can.

It is therefore not uncommon to see companies communicate only when they are forced to do so, whether because the group of attackers has publicly claimed responsibility for the attack, or because the pressure (from the media, the ecosystem, the authorities, etc.) becomes too strong.

What’s more, the communications are sometimes clumsy or blurry, referring to a “technical incident”, a “computer problem” and/or only belatedly admitting to having been the victim of a cyberattack.

Continuing its desire to quickly inform the general public once the type of attack has been clearly identified, a new communication, barely an hour later, tells us:

« We are hit by ransomware. You have to be prepared to not have access to your date the next hours. Before we got openeded access to files again. NB this is not an Techotel error »

Thus, we are faced with an extremely rapid start to communication that can undoubtedly be perceived as reassuring by the general public. Indeed, nothing is hidden from him, he has access to information in a transparent, fluid and fast way. The company seems to be in control of the situation.

However, this reassuring effect will quickly be broken by too much transparency. As the technical problems have become the result of a clearly identified cyberattack, we are now going beyond the simple incident. The transition to a severe crisis must be acknowledged.

During a crisis, a wealth of information reaches the internal teams and it is important to learn how to organize it and to disclose only what is really intended to be disclosed, an aspect that has not been mastered in the case of Techotel. This evolution in communication must take place once the qualification of the crisis has been achieved.

Throughout the management of the event, Techotel seems not to have taken note of the passage into a severe crisis and adapted its communication, as well as its organization in the light of this new reality.

The company is continuing with the same modus operandi as incident management. If the company seemed to be in control of the situation just a few hours ago, it now seems overwhelmed by the situation.

An excessive transparency, caused by a failure in the qualification of the crisis, which quickly reaches its limits

The first limits to this transparency and this failure in the qualification quickly appeared. A sign that communication is too fast, we very quickly start to see statements that contradict each other in just a few hours.

Indeed, a first statement was made, at 4:51 p.m. on June 9, according to which the situation should be resolved within 5 to 10 a.m.

« We (…) expect that tonight (…) to be contacted by an Eagleshark negotiation informung us the amount »

« Status this morning : We (…) were informed about the amount we have to pay, it is much more than we expected! »

However, the next day, at 6:27 a.m., i.e. 14 hours later, this assumption was contradicted by a new communication to inform the public that the situation was in fact far from being resolved. The company is trying to backpedal. The reassuring effect that the public could feel at the beginning is thus swept aside and questions the real control of the situation by Techotel.

« Status this morning : We (…) were informed about the amount we have to pay, it is much more than we expected! We have pay in Bitcoins to get access to the data. It is large sum that we need to transfer. I will update when we know more and how long it »

If we take the communication sent at 4:51 p.m. on June 9, it is important to see that Techotel has chosen to announce its intention to pay the ransom even though all the information necessary for its payment has not been collected.

Moreover, often discouraged, this choice appears surprising at such an early stage of the crisis and in the absence of all the information.

« We Techotel group expect that tonight (…) to be contacted by an Eagleshark negotiator informing us the amount, we are going to settle for recovering us from the attack. But the bandits do not accept bank transfer so we need to change the amount to Bitcoin. This will take us 3-7 hours »

Firstly, it raises ethical questions about financing illegal activities and can therefore be poorly perceived by some partners and/or customers. This is one of the reasons why companies avoid publicly boasting that they have paid ransoms, even if they sometimes concede it at the end of the crisis.

Secondly, it shows a lack of preparation on the part of Techotel’s teams, who probably did not find out enough about the attackers and their modus operandi beforehand and even during the crisis.

Transparency then becomes clearly detrimental to the company by revealing the company’s internal weaknesses. Techotel thus began to gradually submit to communication rather than to make it a tactical lever.

These errors continue as we then learn all the difficulties encountered by the teams in deciphering the data. Here again, this information is not intended to be relayed as such to the general public.

« The bandits gave us keys to uncrypt the files, but the keys does not always function, so we don’t have access to the hotel data yet. To night an Eagle Shark consultant writes a program to scan all 259 servers for more keys ».

By communicating extensively, the company has delivered a significant amount of information, certainly useful at the beginning for the understanding of the situation by the entire public, but it has also ended up flooding its communication targets with contradictory and unreassuring information.

Moreover, from a tactical point of view, it is legitimate to question the relevance of this choice. Publicly showing the internal disorganization and stress that grips teams is valuable information for attackers. They are free to adapt their strategy according to the information they deem useful. Confidentiality is therefore the order of the day on this type of topic.

It is therefore important not to say too much. Unfortunately, this is something that Techotel has not been able to implement properly. This means that the customer or the company’s partner may wonder whether there is really a pilot in the aircraft and whether a course is well set. This transparency reflects a lack of (evolution) of (the) strategy, due to a lack of qualification at the right time.

A communication revealing a lack of a crisis management strategy

Several elements reflect a lack of communication strategy or even crisis management and shortcomings in terms of mobilization of expert resources.

By opting for communication via the “chat” used daily to describe the state of operation of the services provided by the company to specific targets, it probably found itself a prisoner of the latter.

If Techotel had chosen to switch to traditional channels such as press releases, social media or the activation of a dedicated page on the company’s website, communication would most likely have been better controlled.

The choice that was made to continue on the traditional channel of communication was certainly not adapted to such a crisis.

This leads to communications such as the one presented below, where the various audiences of Techotel do not get any useful information. This gives the impression of communicating for the sake of communicating.

What is more, the communication does not seem to have been led by the organization’s communicators but by an employee who is certainly of good will, but not seasoned in the handling of communication.

Without a strategy, the employee relays information as they go, without filter and without objective. The personal opinion expressed behind this message reinforces this impression of improvisation and has absolutely no place in crisis communication:

« People producing virus should be in jail !! »

This kind of comment has no place in crisis communication and is not part of the elements expected by a partner or a client: it does not provide any useful information and testifies to the lack of maturity of the organization on these subjects.

This impression of non-conformity is also reinforced by the presence of multiple spelling and syntax errors throughout the communication, as you may have already noticed in the quotes we have transcribed.

In addition, the alternation of the “we”, focused on the company or its teams, and the pronoun “I”, which recurs several times in the exchanges, reinforces the feeling of confusion that reigns at this stage of the event within the organization.

The use of the first person singular breaks the codes and can give the reader, the customer or the partner a bad impression: they don’t know who is behind this communication.

This choice could have paid off if it had been explicitly indicated who was behind this “I”, especially if it was a qualified manager and/or known to customers and partners.

These elements can give the impression to the different target audiences that there is no real strategic direction. On the contrary, we have the impression of being faced with a constrained, endured and improvised communication.

It was only 12 days after the first messages that the company published a press release, clumsily trying to adopt the codes of a more traditional crisis communication.

To conclude, although original and commendable, this choice – if it is a choice – of total transparency and chat quickly turns out to be limited.

It is not very reassuring for customers and partners. In addition, it highlights the difficulties of cyber crisis management and communication.

After a promising start, the communication of the company concerned suffered from a lack of strategy, thus sending a rather unreassuring image and an impression of confusion between information and communication, between mastery and improvisation.

This lack of strategy is most likely attributable to a lack of preparation and anticipation by the teams and a real failure in the transition from incident management to crisis management.

In brief

An effective start and transparent communication, which gives a sense of control and a well-oiled organization to the exercise of crisis management,
The company is quick to talk about a cyberattack rather than leaving doubt by resorting to the “computer incident”, like many organizations,
A few hours later, the apparent mastery of the first few hours gives way to improvisation,
The confusion and panic of the teams can be felt very clearly in the various publications,
The lack of preparation of the teams for crisis management and the lack of mobilization of experts (communication, legal, etc.) are most likely responsible for these approximations and failures in the management of the event.