Judy Smith is a crisis manager whose career was the inspiration for the TV show Scandal—specifically its lead character, Olivia Pope, played by Kerry Washington. For more than 25 years, Smith has advised world leaders and Fortune 500 CEOs. In 1993, she founded Smith & Co., a crisis management firm with offices in Washington, D.C., Los Angeles, New York, and London. She was involved in the Iran-Contra investigation, advised Monica Lewinsky when the former White House intern’s relationship with President Bill Clinton became public, and served as an adviser during the COVID-19 outbreak.

Fast Company asked Smith to analyze the CrowdStrike outage, which shut down millions of computers and caused thousands of flight cancellations. Smith, who is personable and an easy conversationalist, was bubbling over with suggestions.

What did CrowdStrike do well?

I think it’s important to note that the CrowdStrike IT outage was caused by an update glitch, and had nothing to do with bad actors. Companies are rightly focused on hackers, preparing in case they are victimized by a cyberattack. In this case, one of the largest global outages in history was caused by a content error. It shows that companies have to prepare for anything, as part of the frustration from the public is the relatively slow response and recovery.

In terms of what they did well: First, they apologized within hours after the incident and accepted responsibility for the damage that that was caused. Second, they confirmed quickly that the actual incident was the result of an outage, not a breach. Sometimes people wait a bit, and what that does is leave a bad empty space for rumors, speculation, and fake news. They were able to position themselves as the experts and authority on the issue: They knew what was going on and here’s how they were addressing it. Third, they tried to communicate through several channels—news, social media—it was such a widespread issue that they were trying to reach everyone, which is good.

What could they have improved?

Well, a crisis is never going to be received well. However, had they done proper planning, some of this could have been mitigated. They should have had a crisis communication plan in place. That way, the moment this hit they would know how they were going to communicate with various stakeholders through various channels and who is in charge of that. Their first public statement was overly corporate—filled with a lot of jargon. In today’s environment, executives need to speak more plainly and address consumers head-on. You also need to give a timeline for recovery. I know this is hard, but not having one leaves people frustrated.

Also, they offered a laughable $10 Uber Eats gift certificate as an apology. This caused additional outrage that the organization didn’t grasp the magnitude of the situation, and caused more reputational damage. It felt tone-deaf.

In addition, they tried to offer support to customers, but it was inadequate—customers were confused and couldn’t find proper lines of communication to get their needs met.

What do they need to do going forward?

A sincere apology to priority stakeholders goes a long way. That’s when leadership acknowledges the issue, takes responsibility, pledges to evaluate what went wrong, and commits to enhancing systems to avoid this in the future. Empathy matters. Statements filled with legalese are not going to pass the sniff test. Their communication needs to be very genuine as they move forward in the future.

It’s important to reach out to stakeholders. You want frontline assessments. It shouldn’t be a small group talking about what went wrong and how to fix it. You want to find out from people firsthand what went wrong.

They should also enlist an independent third party to conduct a review. This demonstrates that they are taking this seriously. When we do this for companies, we speak to the CEO and individually with everyone to get their assessment about what they think went right and what went wrong. We do it individually so people give honest assessments. Then we prepare a report that lays out the findings of the review as well as additional risks the company might face. We always ask: What other risks does the company have that you feel unprepared to meet? [Note: CrowdStrike has commissioned a Preliminary Post Incident Review, according to its website.]

What’s the biggest mistake companies make when they are in situations like this?

The biggest mistake is they focus on legal too much. Everyone is concerned about legal risk and damage and implications, but you need to weigh those considerations against communicating with stakeholders in a way that’s honest and authentic and resonates.

In addition, you need to plan for crisis management and then you need to practice the plan. You need to anticipate your biggest risk and lay out who is going to be in charge of the crisis, and the group needs to come together on a regular basis and make sure they are prepared. You don’t want to write a plan and then stick it in a drawer. The team that is handling the crisis needs to have a relationship and know how to work together so there’s already trust when the crisis hits. Our landscape is changing constantly and you need to be ready.