How to apologize for an outage, a lesson for CrowdStrike

In case you missed it, last Friday, cybersecurity company CrowdStrike recently pushed an update that resulted in mass outages around the world. Hospitals canceled surgeries, planes were grounded, and customers couldn't use their cards to make payments.

Worse (almost) than the massive outage itself was the company's response communications, which have been stilted, full of corporate speak, and, most notably, lacking an apology.

George Kurtz, CEO of Crowdstrike, Tweeted on Thursday evening that they are "actively working with customers impacted by a defect found in a single content update for Windows hosts." The post specified "This is not a security incident or cyberattack" and stated "We further recommend organizations ensure they're communicating with CrowdStrike representatives through official channels.

Customers immediately noted the bland corporate tone in the face of such an egregious outage and lack of humanity in the communication.

But even more noted the distinct that an actual apology in the communications, the key to rebuilding trust with customers, was notably absent.

Others noted that the post sounded very much like the customers were the ones to blame.

Kurtz' update today didn't help, maintaining the dry corporate tone and stating that "Today was not a security or cyber incident. Our customers remain fully protected."

Users disagreed, claiming that even though the outage was not an external cyberattack, it had the same effect as a Denial of Service (DoS) attack and should have been referred to as a "cyber incident."

The memes abounded, coming fast and furious in the wake of the outage and the non-apology.

There is the classic Airplane! meme:

A nod to vintage Microsoft:

Mac users being our smug selves:

Classic IT:

And my personal favorite:

While it's not my business to speculate on how or if the outage could have been prevented, it surely is to give a little primer on corporate crisis communications. If you don't want users to make memes about your corporate mistakes, follow these guidelines:

How to apologize for a corporate mistake

1. Own up

The number one rule of corporate communications is that when you make a mistake, own up. Admit you made the mistake. Don't use the passive voice.

"Today, we mistakenly sent out a single content update for Windows hosts that had a defect in it."

2. Acknowledge the effect

Acknowledge the effect the mistake has on your users and their customers.

"We know you trust us with your security, and we know this has led to outages for many of our customers."

3. Frakkin' apologize

Apologize, clearly and humbly.

"I am truly sorry for the damage this has caused to you, our customers, and your customers who rely on you."

4. State the solution

This is the part that Kurtz has done well--he has stated how the team is working to fix the problem. The issue is that you can't start here; if you EVER want to rebuild trust, you must start with steps 1-3. You can't rebuild trust if you don't first acknowledge that you lost it.

5. State how you will avoid in the future

This may take a day or two, as you must first determine the root cause of error. But it should be a fast-follow to your original apology.