I’ve been doing PR for the IT security industry for 16 years and there has never been such a major breach of an IT security vendor as the one that hit RSA on Friday. And rarely has a PR disaster been dealt with so badly. From where I’m sitting, resellers, distributors, customers as well as bloggers, tweeters and journalists are running around speculating about what’s happened and panicking about what to do – with no clear advice or guidance from RSA’s internal or external experts. It’s almost like they’ve battened down the hatches, stuck their heads under their duvets and hoped this whole nasty incident would shut up and go away, so that they could start the week afresh as though nothing had happened.
If you visit their website there’s nothing there apart from an open letter from Art Coviello, their Executive Chairman (http://www.rsa.com/node.aspx?id=3872), stating they’ve suffered a major hack! But what I want to know is: where are the press releases with further statements and calming advice, where is the general hotline number for more information, and how do you contact anyone with sane help as to what to do with your SecurID tokens – should you still use them or are they now defunct? When I spoke to the FT last week they said that RSA did not have anyone available for comment, and another journalist said they were put through to an answerphone, as there were no official RSA personnel to talk to. So of course speculation as to the severity of the situation is now running riot, with every security pundit coming up with their own disaster theory. Take NSSlabs.com (http://www.nsslabs.com/research/analytical-brief-rsa-breach.html), who are recommending that “RSA clients who use SecurID to protect sensitive information should consider eliminating remote access until this is resolved; perform an impact assessment of systems using this technology and identify critical assets and potential risks. Furthermore, RSA clients should consider alternative 2-factor authentication solutions”.
This is a huge PR disaster rolling out of control, especially now that other security professionals are advising customers to shut their systems down until the situation is resolved. Come on RSA, tell us all when you’re going to resolve the situation! The longer RSA keep their mouths shut, the more speculation there will be about the magnitude of this disaster. All companies should look and learn from RSA’s situation, as, in time, this will surely be the sort of example that marketing and PR students are shown as a “text book” case in how not to handle crisis management. I’d recommend that RSA apologise and explain how this situation came about, and immediately issue their users and partners with advice and a temporary security solution. It’s all about communication – come on guys, there are enough channels to communicate through – just do it! Job sorted!