What Wolters Kluwer can learn from Norsk Hydro

The multi-billion dollar Dutch provider of accountancy software, Wolters Kluwer, has been experiencing a cyber incident since 6 May. Since then they have confirmed that malware was on their systems, but they have largely failed to communicate much more than that to their customers or to the public. This has caused significant frustration and anger among their large user base, many of whom are facing looming filing deadlines.

Earlier in 2019 another multi-billion dollar company, Norsk Hydro, experienced a serious cyber incident. Unlike Wolters Kluwer, their response to the incident was widely praised as being one of the best examples to date of how to communicate during a crisis. How can one company get it so right, and another company so wrong?

The Wolters Kluwer incident is still unfolding but it is very likely that they will become the latest case study in how not to handle communications during a cyber incident. This failure damages the company’s image, reduces trust and could affect revenue. It also risks underselling what may be significant efforts by their IT teams to get things back on the road; but we don’t know, because their communications have been so poor.

This is quite a long read so for those who don’t make it to the bottom these are the top tips that arise from this case study:

TL;DR: Recommendations

  • Focus on the impact of the incident and not the mechanics of it.
  • State facts as you know them and don’t speculate.
  • Do not provide promises or assurances explicitly — let your actions demonstrate your commitment and attitude.
  • Your customers need information so they can brief their customers and their hierarchy. If you don’t provide this they will get frustrated and angry.
  • Don’t be afraid to show off the hard work that your employees are doing to address the incident.
  • Most importantly, have honesty and transparency at the heart of your response. This allows for more engaging content to be produced from across your organisation without the need to centrally approve it all.

First of all, who are Wolters Kluwer and Norsk Hydro? Wolters Kluwer is a multi-billion dollar global information services company that, amongst other things, provides accounting software to a large number of accountancy firms. Norsk Hydro — often referred to simply as Hydro — is one of the largest aluminium producers in the world. Although they operate in very different sectors, they both deliver services or products to customers and they both rely on IT systems to help them do this.

The Wolters Kluwer response

The full timeline of Wolters Kluwer’s response is at the end of the article but essentially they issued a statement every working day on their corporate website and then advertised this statement on Twitter and Facebook.

Example of statement from Wolters Kluwer during the incident.

This communications strategy might seem reasonable for a business experiencing IT availability issues — routine updates provided across the key platforms of Twitter, Facebook and the corporate website. However, take a moment to look at any of the statements released by Wolters Kluwer.

Those 650 or so words are the total official communications that WK issued over the course of a week (168 hours) concerning a total disruption to their services. That’s an average of just under 4 words an hour. Some users of their software reported receiving emails directly from the company, but this channel does not appear to have reached everyone. In general the tone of response from users was very negative, and anger and frustration were clear to see.

Replies to Wolters Kluwer’s statements posted on Twitter.

Much of this frustration was around looming tax filing deadlines. Some users were now going to struggle to file their returns in time. Wolters Kluwer recognised this was an issue and managed to agree an extension to the deadline with the US tax authorities. This shows that Wolters Kluwer was taking actions to mitigate the impact of the incident on their user base. However the way this news was disseminated (by email and a bland 83 word paragraph at the bottom of an update) perhaps missed an opportunity to highlight some proactive and effective action that had been taken by the company.

The Norsk Hydro response

Back in March 2019 Norsk Hydro suffered a ransomware attack that affected almost every aspect of their business from the back office to the plant floor. Again, the full timeline is at the end of this article.

Norsk Hydro first detected the incident in the middle of the night of the 18/19 March. Their first information about the incident appeared within 2 hours of the start of the European working day on the 19th of March. As the incident affected their main website they used this communication to direct people to their Facebook page where they stated they would post updates.

Shortly after lunch that same day they held a press conference that was live streamed on the internet. The CFO, Eivind Kallevik, spent 5 minutes providing an update on how the company had been affected, division by division, and what they were doing about it. Also present was a representative from the Norwegian cyber security agency. They then took questions for a further 10 minutes until all questions had been answered.

Screenshot from Norsk Hydro’s live streamed conference on day 1 of the incident

The content of the CFO’s briefing and of Norsk Hydro’s posts in general were concise, objective, and factual. They were almost entirely free of “we take security very seriously” type statements.

Snapshots of hydro.com taken by archive.org show that Norsk Hydro had a basic, temporary website online in under 3 hours after declaring the incident. They had a full website deployed within roughly 30 hours; this then became their primary online information source, with Twitter and Facebook posts used to highlight new information.

Norsk Hydro’s temporary website as captured on archive.org. It was replaced by a fully functioning site within roughly 30 hours of the start of the incident.
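The archive.org snapshots above are the one piece of evidence in this article that an outside observer can reproduce. The following is an added example, not code from the article or from either company: it uses the Wayback Machine’s CDX API (https://web.archive.org/cdx/search/cdx, which lists every capture of a URL with its timestamp and the HTTP status the crawler received) to turn those captures into an outage timeline, measured from the moment the incident was declared. The CDX lines embedded in the script are constructed to match the times given in this article’s timeline, not a real download; `fetch_cdx()` is what you would call instead to pull live data.

```python
"""Reconstruct a site's outage timeline from Wayback Machine captures.

Added example; not code from the article. The CDX API of archive.org
(https://web.archive.org/cdx/search/cdx) lists every capture of a URL with
the time and the HTTP status the crawler received, which is how an outside
observer can check how quickly a holding page went up and when the full
site came back.
"""
from datetime import datetime, timezone
from typing import Iterable, List, NamedTuple, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


class Capture(NamedTuple):
    when: datetime   # capture time (UTC)
    status: str      # HTTP status seen by the crawler, e.g. "200", "301", "404"
    url: str         # URL that was captured


def build_cdx_url(domain: str, start: str, end: str) -> str:
    """Build the query URL. start/end are yyyyMMddHHmm strings. We ask for only
    the three columns parse_cdx() expects and at most one capture per minute."""
    params = {
        "url": domain,
        "matchType": "prefix",
        "from": start,
        "to": end,
        "fl": "timestamp,statuscode,original",
        "collapse": "timestamp:12",
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def fetch_cdx(domain: str, start: str, end: str, timeout: float = 30.0) -> str:
    """Download the plain-text CDX listing (network access required)."""
    with urlopen(build_cdx_url(domain, start, end), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_cdx(text: str) -> List[Capture]:
    """Parse plain-text CDX output: one capture per line, whitespace-separated
    columns in the order given by `fl`. Malformed lines are skipped."""
    captures = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, status, url = parts
        when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        captures.append(Capture(when, status, url))
    return sorted(captures, key=lambda c: c.when)


def minutes_after(c: Capture, t0: datetime) -> int:
    return int((c.when - t0).total_seconds() // 60)


def status_transitions(captures: Iterable[Capture], t0: datetime) -> List[Tuple[str, int]]:
    """(status, minutes since t0) for every capture at or after t0 whose status
    differs from the previous capture: the skeleton of the outage timeline."""
    out, prev = [], None
    for c in captures:
        if c.when < t0:
            continue
        if c.status != prev:
            out.append((c.status, minutes_after(c, t0)))
            prev = c.status
    return out


def minutes_to_first(captures: Iterable[Capture], t0: datetime,
                     statuses: Iterable[str]) -> Optional[int]:
    """Minutes from t0 to the first capture with one of `statuses`, or None."""
    wanted = set(statuses)
    for c in captures:
        if c.when >= t0 and c.status in wanted:
            return minutes_after(c, t0)
    return None


# Constructed sample modelled on the timeline in this article, not a real
# download: a redirect to a holding page, a 404 while the site was being
# rebuilt, then a 200 the next morning.
SAMPLE_CDX = """\
20190319114012 301 http://www.hydro.com/
20190319140305 404 https://www.hydro.com/
20190320065910 200 https://www.hydro.com/
"""
INCIDENT_DECLARED = datetime(2019, 3, 19, 8, 42, tzinfo=timezone.utc)

if __name__ == "__main__":
    caps = parse_cdx(SAMPLE_CDX)   # or: parse_cdx(fetch_cdx("hydro.com", "201903190000", "201903210000"))
    for status, mins in status_transitions(caps, INCIDENT_DECLARED):
        print(f"{status} after {mins // 60}h{mins % 60:02d}m")
    hold = minutes_to_first(caps, INCIDENT_DECLARED, {"200", "301", "302"})
    print("first holding page or redirect within", hold, "minutes")
```

Two caveats when using this for real. The crawler only captures a site when something triggers a crawl, so the first capture after an event is an upper bound on how long the fix took, never the exact moment. And a 200 only says that something answered; distinguishing a holding page from the restored full site needs the capture body (or at least the `mimetype` and `length` columns the API can also return), which is why the script reports status transitions rather than claiming to know when "the site" was back.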

Another press conference was held the following day and was again streamed live on the internet. Twitter and Facebook were used to advertise the conferences beforehand and also to highlight the link to the recording after the conference.

The routine of daily updates on hydro.com continued for the following week, with Twitter and Facebook used to highlight the release of each report. The main Twitter account was also used to retweet posts from their business units and plants. These tweets were typically informal photos of employees finding ways to get on with business despite the impact of the incident.

Norsk Hydro’s main Twitter account retweeted content originally posted by their subsidiary organisations.

Posts on Facebook and Twitter were also used to highlight a CEO “well done” message.

Norsk Hydro Twitter post using quoted imagery to highlight their latest update.

Norsk Hydro held a third conference one week after the attack. This would turn out to be the final press conference of the incident. This conference followed a similar format to the first two and provided more details on how the recovery was taking place. Norsk Hydro directly addressed the issues they were still facing in their most affected business area by having the Vice President from that area brief at the conference.

Two weeks after the incident started Norsk Hydro released a short, well produced ‘behind the scenes’ video. The 3:41 video includes informal but powerful interviews with factory floor workers, including the one who first noticed the attack. The video shows employees using workarounds to keep things running and includes visuals such as hand written tallies, employees going through numerous lever arch folders, and whiteboards.

The video has a clear narrative of people coming together to keep a business alive even at the expense of their own personal and family time. It also manages to balance the brutal truth of the magnitude of the issue they were facing with a dry, matter of fact, sense of understatement. The closing photo montage also highlights the international scale of the efforts with images from plants around the world.

This video, along with many of the communications produced by Norsk Hydro, received a lot of positive comment in the cyber security community. The general sentiment was that it was good to see such a rare example of a transparent response to a cyber incident. Norsk Hydro were aware of this positivity and retweeted some of the comments such as those made by an influential cyber security researcher/commentator Kevin Beaumont (@GossiTheDog).

Just under three weeks after the start of the incident Norsk Hydro posted that they were stepping back their updates as things were returning to normal. Their post avoided any sense of triumphalism and continued the theme of there still being much work to do. Further posts continued in the weeks after and provided additional insights into the challenges they had faced.

Content of communication

Wolters Kluwer and Norsk Hydro had a significantly different style to their communications. Here’s Wolters Kluwer’s statement issued on 7 May 19. This statement was updated twice during that day — this is the final version.

And here’s Norsk Hydro’s second post on the incident, at 1024 UTC on 19 March.

For the sake of comparison, and fairness, it should be noted that Norsk Hydro’s response was approximately 12 hours after they became aware of the incident. Wolters Kluwer’s was anything from 12 hours to 3 days+ depending on when you consider they were first aware of the incident. These 2 posts have been used for comparison as they are the first detailed posts issued by each company.

Here are some points to consider:

  • Describing the incident. Norsk Hydro does not describe the mechanics of the cyber incident. Wolters Kluwer try and tell a story of what’s happened — in doing so they raise more questions than they answer.
  • Focus on impact. Norsk Hydro focus only on the impact to their business in priority order (safety and operations). Wolters Kluwer fail to provide any detail of what applications have been affected and how this is impacting their business and their customers.
  • Honesty vs optimism. Norsk Hydro openly say that they do not yet know fully what is going on. Wolters Kluwer make some bold assertions about the confidentiality of customer data and the risk to customer systems.
  • Apologies and excuses. Norsk Hydro does not apologise. Wolters Kluwer apologise for poor communications and provide excuses as to why they were unable to communicate. They also apologise for the ‘inconvenience’.

Wolters Kluwer’s opening paragraph is focused on explaining and excusing their poor response to the incident. Compare this to Norsk Hydro who instead focus on the impact to the business and to their customers.

Norsk Hydro clearly highlights the scale of the incident and the fact that they have lost IT services across a significant portion of their business. Given that this statement was at the start of the incident it is unlikely that they yet had the full picture. Instead of waiting for the complete picture they broadly, and honestly, state the magnitude of the incident as they know it at that time. Wolters Kluwer’s statement reads more like something that gets issued after maintenance overruns and not when potentially your entire corporate system, and that of your connected customers, is being rolled over.

Wolters Kluwer seem intent on setting themselves up for failure. Claiming that you have seen no evidence of X, Y or Z provides zero confidence unless you also say what was done to establish that lack of evidence: which systems were in scope, what logs were available and for how long, and whether the review is complete or still under way. The historic trend of companies slowly releasing the true extent, and horror, of an incident has left the public very cynical about any assurances given in the wake of a cyber incident. Unless you can back up the assertion with details of how you reached it, don’t bother. You’ll just look silly in the coming weeks as your assertions are proven to be incorrect.

Norsk Hydro’s communications throughout the incident maintain the focus on the operational impact of the incident and not on the mechanics of how it happened. In later updates they provide details of how the incident is affecting them business area by business area. They also clearly state what the impact is at that point on their customers based on levels of supply and the efficacy of manual workaround solutions.

Wolters Kluwer at no point detail the status of any of their services nor the impact that the incident has had on them. Despite researching this article for some time, I am still not entirely sure what applications they even provide never mind how they were affected. In comparison, I now feel I know a significant amount about a vertically integrated aluminium business and why profile production was hit harder than other areas (very specific customer orders that need to be entered into production systems exactly as intended).

Tone of social media response

Here are some comments on Norsk Hydro’s social media posts.

And here are some from Wolters Kluwer.

It should have been clear very quickly that Wolters Kluwer’s communication strategy was not going well. While it is perhaps understandable for their initial communications to miss the mark, the failure to note the negative reaction from social media and make changes is inexcusable.

Conferences

The use of the traditional press conference, albeit streamed live on the internet, was a bold decision by Norsk Hydro that paid off. It succeeded because it was done quickly and because the CFO was knowledgeable or had been briefed to a high level. By not focusing on the technical aspects of the attack he avoided getting drawn into the cyberz and potentially exhausting the limit of his expertise. Instead he focused on what he is, presumably, a world class expert in: the impact on business performance.

During the first conference, and despite being at the very start of the incident, the CFO was able to list the impact business area by business area. He did not seek to downplay the incident and instead clearly stated that they were facing significant challenges. The clear statement of priorities, although broad, gave the audience an insight into what mattered to Norsk Hydro but without them having to detail their exact steps over the next 24 hours.

The presence of a representative from the Norwegian cyber security agency at the conference also indicated how seriously Norsk Hydro were taking the incident. This may be a standard response by Norway’s cyber agency, but getting an outside speaker to attend your conference with only a few hours’ notice is an impressive display of power and influence by Norsk Hydro. (Norway’s government is apparently a major shareholder in Norsk Hydro, so there are other factors at work here.)

The third conference saw the addition of the Vice President from the most affected business area. By this point the impact on most other business areas had been minimised and so by highlighting where they were still suffering issues they again highlighted their honesty and transparency. At this point it could have been very tempting to say “the vast majority of services are experiencing no issues”.

By having the Vice President specifically brief on how his business area was still affected it showed that they were still taking the incident seriously. The inclusion of someone (slightly) lower down the hierarchy also lent more credibility to the anecdotes that were told (retired workers coming back into work without being asked). These comments gave you a genuine impression of teamwork and corporate values in a way that whole reams of official statements never would.

The follow up video

Norsk Hydro released a short video 2 weeks after the incident. This was the highlight of what had been an impressive communications performance. It’s hard to say too much about it — it’s professional and yet personal and you really feel an affinity with what they went through. It avoids any corporate-speak and instead tells the simple narrative of how their employees came together to deal with the attack.

It is not clear if the target audience of the video was Norsk Hydro’s employees or the wider public however its release provided a focal point for further positive media coverage on their handling of the incident. Several influential cyber commentators based articles and comments on the video and so magnified Norsk Hydro’s good media performance.

Other points

This is a collection of other observations that are worth noting

  • Norsk Hydro responded very quickly on social media to the incident. Wolters Kluwer were much slower.
  • Norsk Hydro’s social media posts used photos of real employees dealing with the incident. This brought their communications to life. They avoided stock images and instead showed a reality that was easily understandable. This helped increase sympathy and affinity.
  • Wolters Kluwer apparently used direct email to their customers as a communication channel. This is not an ideal communication tool particularly in the non-consumer space where the email on the account may not be the person using the software. Going public is the only way to get your message to your users.
  • Norsk Hydro managed to avoid accusations of poor security (e.g. “were you running XP?”) largely by their honest handling of the incident and by focusing solely on the impact. They didn’t try and overplay the sophistication of the attacker and instead just spoke about the reality they were dealing with.
  • Norsk Hydro’s retweets were more informal and gave a real feel of how workers around the world were getting on with things. The photo of workers going through paper records is particularly powerful and is both honest and positive. Similar photos show offices getting their IT restored/tinkered with.

Recommendations

  • Focus on the impact of the incident and not the mechanics of it.
  • State facts as you know them and don’t speculate.
  • Do not provide promises or assurances explicitly — let your actions demonstrate your commitment and attitude.
  • Your customers need information so they can brief their customers and their hierarchy. If you don’t provide this they will get frustrated and angry.
  • Don’t be afraid to show off the hard work that your employees are doing to address the incident.
  • Most importantly, have honesty and transparency at the heart of your response. This allows for more engaging content to be produced from across your organisation without the need to centrally approve it all.

Conclusions

These two cases have highlighted what a good and a bad incident response looks like to the outside world. What is frustrating from an outside observer’s perspective is that arguably Norsk Hydro’s response didn’t need to be so good, while Wolters Kluwer’s needed to be so much better.

This is potentially an oversimplification but a customer in the aluminium business only cares about product quality and timeliness of delivery. They do not need to have any greater trust in their supplier beyond these two factors.

In contrast, a customer that relies on a service, such as accountancy software, that is fundamental to the daily running of their business needs to be able to trust their supplier at a much higher level. The customer also needs to trust the supplier because the software runs inside the customer’s own enterprise network, so a compromise at the supplier is also a potential risk to the customer’s systems; this is exactly why early assurances on that point need evidence behind them. Incidents with the supplier can therefore have a very large impact on their customers.

Wolters Kluwer have undoubtedly damaged this trust and it will be interesting to see if this leads to any changes to their user base. In the meantime, this case study has hopefully provided an opportunity to learn what a good communications response looks like during a cyber incident. This understanding should be used to develop the communication aspects of your organisation’s incident response plans.

Full Wolters Kluwer Timeline

WK = Wolters Kluwer

Fri 3 May 2019

  • Cybersecurity journalist Brian Krebs contacts WK via an intermediary and informs them about a security vulnerability he has become aware of. A Vice President at WK tells Krebs that they’re going to look into it.

Mon 6 May

  • Accounting Today report that users of WK’s accounting software suite, CCH, are having issues starting between 1300 and 1500 UTC+1.
  • WK issues a vague statement at 1600 UTC+1 saying they are experiencing issues.

Tues 7 May

  • 0303–0316 UTC+1. WK post statement on Facebook and Twitter saying that they have taken a number of applications offline out of an “abundance of caution”.
  • Accounting Today receive a statement from a WK PR rep stating that ‘technical anomalies’ had been detected and that they then took services offline.
  • 1544–1546 WK post update on Facebook and Twitter. They note that they have no evidence of data being lost.
  • Customers complain of lack of information and highlight how useful anything would be.
  • Around 2212 UTC+1. WK post on Facebook and Twitter that they have found malware but reiterate that they have no evidence of data compromise.

Wed 8 May

  • 1600 UTC+1. WK statement released providing a temporary support line to North America companies.
  • 1829–1830 UTC+1. WK post on Facebook and Twitter about temporary support line to North America

Thur 9 May

  • 1700 UTC+1. WK statement released concerning the restoration of some services.
  • 2018–2025 UTC+1. WK post on Facebook and Twitter about restoration of services.

Sat 11 May

  • Bloomberg article includes content from WK CIO Martin Wuite.

Mon 13 May

  • 0900 UTC+1. WK statement released. Covers the restoration of services (the vast majority have been restored) and details the IRS-approved deadline extension.
  • 0923–0925 UTC+1. WK post statement on Facebook and Twitter.

Full Norsk Hydro timeline

NH = Norsk Hydro

Tues 19 Mar

  • “Early hours”/around midnight UTC+1 Mon/Tues night — start of attack according to NH. “Started in the US”.
  • 0842 UTC. NH announce attack in Facebook post. Declare Facebook as main source for updates as hydro.com is offline.
  • 0844 UTC. NH post on Twitter. Directs people to Facebook page for more information.
  • 0845 UTC. NH post on Twitter link to stock exchange announcement.
  • 1024 UTC. NH post on Facebook providing details of what is affected and what their priorities are.
  • 1140 UTC Archive.org snapshot — Hydro.com 301 redirecting to temporary webpage hosted on Azure with basic details and contacts about the incident.
  • 1158 UTC. NH post on Twitter linking to Facebook updates.
  • am UTC+1. Norwegian national cyber security agency contacted.
  • 1200–1344 UTC. Press/analyst conference advertised on Facebook and Twitter.
  • 1400 UTC. Facebook update.
  • 1400 UTC (1500 CET). Press conference held — streamed on the web. A representative from the Norwegian national cyber security agency is present.
  • 1403 UTC. Archive.org snapshot — hydro.com now resolving directly to Azure but returning a 404 error. (Comment: presumably the site was in the process of being brought up.)
  • 1625 UTC. Facebook update with link to recording of press conference.

Wed 20 Mar

  • 0659 UTC. Archive.org snapshot now showing hydro.com properly resolving to Azure temp page.
  • 0751 UTC. Facebook update.
  • 0757 UTC. Twitter post linking to Facebook highlighting updates.
  • 1123–1127 UTC. Facebook and Twitter posts advertising press/analyst meeting to be held at 1400 CET (1300 UTC).
  • 1300 UTC. Press conference. Streamed on internet.
  • Statement update released.
  • 1324 UTC. Twitter post advertising recording of press conference.
  • 1514–1515 UTC. Facebook and Twitter posts advertising their new website (launched early in response to the incident) and identifying it as being their primary comms channel for the incident.

Thu 21 Mar

  • 1329–1347 UTC. Twitter and Facebook posts linking to latest update on hydro.com.

Fri 22 Mar

  • 1205 UTC. Retweet about how a part of Hydro was handling the incident.
  • 1557–1605 UTC. Twitter and Facebook posts advertising CFO statement on hydro.com and latest update.

Sun 24 Mar

  • 0912 UTC. Retweet of media report covering the attack.

Mon 25 Mar

  • 1240–1251 UTC. Twitter and Facebook posts advertising Head of Information Services statement and latest update on hydro.com.
  • 2111 UTC. Retweet of tweet showing workers using paper based work arounds.

Tues 26 Mar

  • 1239–1247 UTC. Twitter and Facebook posts linking to hydro.com latest update and advertising analyst/media update at 1430 CET that day — streamed on internet.

Wed 27 Mar

  • 1402–1408 UTC. Twitter and Facebook posts linking to hydro.com latest update.
  • 1850–1908 UTC. Twitter and Facebook posts advertising CEO statement. Posts accompanied by “quoted”/inspirational image of CEO.

Thu 28 Mar

  • 1448–1503 UTC — Twitter and Facebook posts linking to hydro.com latest update and highlighting the return to normal service (more or less) of their hardest hit area.

Fri 29 Mar

  • 1908 UTC+1. Retweet of Spanish Hydro Twitter post of photos of workers dealing with incident and highlighting the value of the people in the business.

Mon 1 Apr

  • 1617–1814 UTC+1. Twitter and Facebook posts linking to hydro.com latest update and highlighting the return to normal operations.

Tue 2 Apr

  • 1900–1901 UTC+1. Twitter and Facebook posts advertising video of how the company dealt with the response. Use of “heroes at Hydro” — potential reference to the Heroes of Telemark.
  • 2145 UTC+1. Retweet showing the return to normal operations at a plant.

Wed 3 Apr

  • 1403 UTC+1. Retweet of a tweet showing the return to normal operations at a plant.
  • 1504 UTC+1. Retweet of influential cyber/infosec commentator’s positive comments on their video from the previous day (@GossiTheDog).

Sat 6 Apr

  • 0645 UTC+1. Facebook post linking to hydro.com latest update from the previous day.
  • 1840 UTC+1. Twitter post announcing last update on the attack. Good use of non-triumphant wording and photo of obvious work continuing.

Twitter posts continue through the month reflecting on the attack and the response.
