Preparing Your Organization for Communicating During a Cyber Attack

No business—large or small—is immune to cyber attack. In fact, how companies prepare for and respond in the face of crisis can have a direct impact on the bottom line, with 55% of Americans saying they would be less likely to do business with brands who are victims of a cyber attack.

The past few years have spurred a number of communications challenges that companies have navigated—from the global pandemic and social justice movements, to general business fluctuations. With the move to remote work and increases in digital infrastructure, cybersecurity has also become a chief concern for businesses.

This year alone, there have been major breaches at T-Mobile, Reddit, MailChimp and more.

While business continuity plans should already be in place, there is also the complementary work of the communications team to externally and internally prepare for crisis.

As breaches and cybersecurity concerns continue with increased frequency, these are a few things to keep in mind when forming your communications strategy:

Outline the Risks and Prepare

While every organization should create a crisis communications protocol at a minimum, the leadership team, in collaboration with the communications team, should:

  • Outline the top 10 risks to the business, including IT and cybersecurity
  • Work across departments to learn about different perspectives or risks you may not have considered
  • Compile these into a document and plan a response to each

With cyber issues specifically, it’s important to consider who is at the table. The C-suite, PR, legal and your board of directors should all be looped in on the processes you choose to follow and the questions they need to be prepared to ask when crisis hits.

The communications team should also have visibility into technology vendors and partners that may need to be added to a response when issues arise.

Forget the Golden Hour

You have your plan in place, a crisis hits – now what? You used to have a “golden hour” to respond. With the increasing use of Twitter as the world’s news service, you need to plan to have 15-, 30-, and 60-minute communications.

Especially with confidential and proprietary information on the line as part of a breach, time becomes even more critical in a response. Silence is the new (and damning) “no comment.”

As part of your plans, consider developing holding statements for each of your 10 major known issues so you can easily adapt and streamline approvals for these initial communications. Consider having statements ready for breaches that impact internal, external and both audiences. You’ll also need to have stakeholder communications—including customers, partners, employees, board members and investors—at the ready if the breach is far-reaching. Consult the experts in this instance and ensure your CISO or other leader close to the issue is in lockstep with the response.

In the case of T-Mobile, where 37 million customers had their personal data exposed in January 2023, the company acted quickly to notify customers following learnings from another large-scale breach in 2021.

Consistency = Trust

While aftershocks are likely to continue once the initial breach hits, it’s important to acknowledge the situation at the outset and update your stakeholders as information is available and actions are taken. Consistent, clear communication will build trust with your audiences.

Reddit leaned into its own format, notifying users of the breach and leaving the door open to questions and comments during an “AMA.” The transparency and swiftness in the company’s response reduced speculation.

Do not mislead. Do not lie. Be careful about sharing information until it is confirmed, or at a minimum, acknowledge that the situation is fluid and more details will be shared as available so you don't have to walk back statements later on. You may not have all the information, or you may be limited in what you can share publicly, and that’s ok—but stakeholders will be looking to you for details and action.

As the dust settles, ensure you build in time for reflection, not only for the business to realign and invest in its security strategy, but also as a communications team to adapt and respond the next time.

No response to a breach will be perfect, though these are a few things you can do to set up your organization to respond when issues strike.

Julianna Sheridan is an account director at Matter Communications and co-lead of the agency’s crisis communication practice.