North Korean is responsible for the cyberattacks against Sony, according to the FBI.

The recent cyberattack on Sony and the ensuing public relations nightmare affords some concrete PR lessons.

To review, Sony was about to release the film “The Interview” that depicts a fictional attempted assassination of North Korean leader Kim Jong-un. Hackers attacked the Sony corporate website, stole thousands of documents including emails and revealed embarrassing correspondence from Sony executives about film stars.  Because of threats of violence aimed at movie theaters showing the film, the major theater chains refused to show the film and Sony cancelled the film opening.

Sony’s initial decision to cancel the film took plenty of heat. Critics said it failed to stand up to a bully and protect their First Amendment rights. Even President Obama weighed in with criticism of Sony, implying he would have recommended that Sony release the film and not cave into the threats. Security experts criticized Sony for weak cybersecurity, especially since Sony’s PlayStation website was hacked previously.

After cancelling the film, Sony forbid media interviews, was virtually silent on social media, and removed its name from the film’s marketing materials. Sony did make a good PR move when it offered the Wall Street Journal an exclusive, behind-the-scenes look at the company, says Forbes contributor Peter Himler.

Probably as a result of the criticism, Sony quickly reversed its decision and released the film to independent movie houses.  “The Interview” has been shown in most areas of the country with no incidents of violence. As of now, major movie chains have not shown the film and Sony is probably losing money on the film (though it may move closer to breaking even after video-on-demand release and distribution in other countries).

Sentiment toward Sony has shifted as the PR story has progressed. Sony has been perceived as victim for suffering hacking attacks, a weakling for canceling its film, then as a hero for agreeing to release the film.

 Accused of sloppy security

“The company came across as unapologetic for their sloppy security and IT standards,” writes Ronn Torossian, CEO of 5W Public Relations, “Taken in conjunction with their recent PlayStation hack, the public is both unsympathetic and suspicious of the company’s level of competence.”

When a company is attacked, PR must utilize social media platforms to engage in immediate and effective damage control. Consumers have brand-specific loyalty and feel valued when companies interact with them on social media.

“The Sony attack was extortion, pure and simple. PR officials need to help companies save face and stand up to cyber-criminals,” Torossian says. “It’s hard for the public to rally behind a brand that lets itself be pushed around and victimized.”

Public Relations Lessons

Other PR experts explained what lessons can be learned from the Sony episode.  Laura Carabello, founder and principal, CPR Strategic Marketing & Communications, cites these lessons:

• Conduct a post-crisis analysis. Find what went wrong and make sure it won’t’ happen again– or at least mitigate the damage.

• Business executives must understand that privacy online is a relic of the pre-Internet days. Write in email only what you are willing to have seen in public.

• Prepare for the PR crisis. Assemble a team, make crisis assignments, and run disaster simulations as you would a fire drill. Have a crisis management expert in place and on speed dial.

• Identify every stage of risk and ask key questions about system breaches: What’s the worst that could happen? What would exposure reveal about the company? How could damage to our brand be repaired?

Government criticized

The FBI, which publically accused North Korea of being behind the attacks, has come under fire for selectively releasing its evidence. Some say the U.S. government should have either released all is evidence or withheld all of it under the guise of national security.

The government should have at least presented evidence that an IP address used in the attack was associated with North Korea at the outset, Himler writes.  But that wouldn’t have silenced the critics, he admits.

“Nowadays, crisis managers can only aspire to have their POV prevail over a plurality of public opinion, and hope the passage of time will do the rest in putting the problem to bed.”

Observers agree the episode confirms the importance of strong cybersecurity. The attacks should serve as a wake-up call for companies that have been lax on information security.

“Instead of questioning who is responsible for the incident, the industry should instead focus on prevention of the next threat from even occurring,” Torossian states. “Cyberattacks are becoming an increasingly common method of harassment, yet very little in the way of preventative technology has been developed.”

All businesses must harden their security – and prepare a comprehensive crisis management plan for what these days seems like an inevitable attack.

What other lessons do you think PR executives can learn from the Sony hacking case?