How to communicate a cyber breach to minimise reputational damage

Sarah Woodhouse, Director of AMBITIOUS, explains how businesses must communicate a cyber breach in order to remain trustworthy and minimise damage.

A cyber breach occurs roughly once every 39 seconds.

With businesses as targets for their data, it’s not a case of if but when an attack will happen, and brands have historically struggled with the need to communicate during these kinds of crises.

Take Uber as an example, which was hit by a cyber breach in 2016 and kept it quiet from customers for over a year. Customers and regulators accused the company of trying to cover it up and lost trust in the brand over the incident.

With cyber breaches hitting big brands and critical infrastructure sectors such as governments, hospitals, energy and water, incidents can be extremely high-profile.

However, it’s not only large organisations that are the target; attacks remain a common threat for businesses of all sizes. In the Government’s Cyber Security Breaches Survey 2023, 59% of medium-sized businesses said that they were the victim of a breach or attack.

The survey noted that smaller companies reported fewer attacks but reflected that this could be due to less prioritisation and reporting rather than being targeted less. In fact, for B2B businesses, the threat increases with the proliferation of supply chain attacks, which see cyber attackers target third-party tools and providers, compromising numerous systems within a supply chain.

B2B businesses have a duty to go public to reassure their audiences by allaying concerns and protecting the image of the company.

If you don’t go public with it, there is a chance your ‘attackers’ will. In late 2023, the ransomware gang BlackCat filed a complaint with the US financial regulator, the Securities and Exchange Commission (SEC), against one of its victims for failing to report a cyber breach.

Awareness and understanding that cyber-attacks happen is high; therefore, organisations should focus on managing and preserving their reputations after an attack has occurred.

Where a crisis communications strategy fits in

Crisis communications exist to limit the negative impact of a crisis on a brand and its people, products or services. Crisis communication should be part of a company’s overall communications strategy, with scenario planning in the event of a cyber breach given specific thought.

In 2024, the most frequently recurring types of cyber-attack are ransomware attacks (where an attacker infiltrates a system and holds data or assets ‘ransom’ until a sum of money is transferred for their release), distributed denial of service attacks (which take online services down), data breaches, identity theft and theft of passwords or usernames.

Transparent and concise communication is key to limiting the damage to a company’s reputation. It relies on effective crisis planning, combined with short-term decision-making, as you deal with the disruption. It’s not easy to get right, but these five steps will stand you in good stead to negate any reputational damage.

Time your communications

You need to be transparent and act quickly to address the breach or attack head-on. GDPR requires an organisation to report any personal data breach to the relevant authorities within 72 hours of becoming aware of it.

Of course, early detection can help control a situation and minimise its impact on an organisation and its customers.

This comes down to having a strong cyber security posture for detecting and responding to an attack. Communicating that the organisation was able to spot the attack early demonstrates that it takes cyber security and the protection of customer data seriously. Successful crisis communications come down to the organisation’s ability to anticipate the crisis upstream.

If you haven’t already, assess your cyber security posture as part of a crisis preparedness strategy.

Identify who to communicate to

The victims of the cyber incident are your priority.

This could be customers whose personal data has been stolen or those who can no longer access your tools and services. Other stakeholders such as investors, suppliers, or trade associations should also be communicated with as soon as possible, where appropriate.

It’s important to carefully manage how you communicate a breach to employees, so that you reassure them, prevent leaks and align company messaging. Provide clear and concise instructions on how to handle enquiries, and update employees regularly as the situation evolves to remain in control of the message.

How to communicate

Before communicating with the press, make sure that you’re able to contact all affected customers personally.

To be transparent, assess all the communication channels at your disposal. Depending on the severity of the attack and the number of people affected, draft a statement from the CEO, CTO, COO or similar for your homepage or blog. All social communications can then be directed back to this. Assess whether a video statement would also be appropriate to demonstrate empathic leadership.

Make sure that you’re available to answer any questions or address any concerns that individual customers may have. Develop a list of press contacts to help you communicate the message to the wider public to prevent any leaks or speculation.

What to communicate

Acknowledging that an incident has occurred and apologising sincerely is the first step.

Take responsibility for it to maintain trust.

Show solidarity with victims and your commitment to finding solutions to protect those affected and to prevent it from affecting anyone else.

Knowing how much to communicate depends on your knowledge of the current situation. It’s important to avoid communicating for the sake of it, i.e. if you don’t have all the details. Reassure customers and stakeholders that you are taking it seriously and investigating who it has affected and to what degree. Work with cybersecurity experts to respond to the incident and to understand how it happened and how to recover (whether that’s getting services back or retrieving data).

Demonstrate how you have used the incident to boost resilience

No matter how the incident was handled, customers will be understandably cautious about your cyber security posture in the future.

After the event, you may want to demonstrate to your target audience the steps you have taken. For example, show how you are protecting current systems by regularly testing for vulnerabilities. Would a cyber security accreditation be appropriate, or perhaps an investment in bringing in cyber experts to regularly audit your systems?

Demonstrate your cyber preparedness via a strand within your corporate and external communications PR strategy. Reinforce a positive brand reputation by improving online sentiment. Engage in high-quality campaigns in the right media publications, push expert thought leadership and encourage positive reviews.

Suffering a cyber breach is never by choice, but by prioritising crisis communications and embracing authenticity and trustworthiness within communications, organisations can earn praise for their proactive approach – potentially even turning a negative into a positive.
