April 27, 2022 // Sarah Johns // Opinion

Cyberattacked? Three key considerations for crisis communications

News of globally recognised brands falling victim to cyberattacks is no longer a rarity, and it’s not just cybersecurity teams that need to be prepared. Cyberattacks can be hugely detrimental to brand reputation, and PRs must take note.

Of course, the extent of reputational damage as a result of cybercrime depends on the severity of the attack – the extent to which employee and customer data were breached, how much data was compromised and whether the attack stops the brand from functioning, for instance by disrupting sales.

No matter how long you’ve worked in PR, seeing a crisis come to fruition and having to execute a crisis communications plan is never a nice feeling. Unlike announcements you’ve planned weeks in advance, crises can unfurl at the worst of times and you might fall into panic mode.

So, how should you best respond? Here’s my three-point plan.

1: Keep calm

We PRs are no strangers to bulging inboxes and a deluge of notifications. But if your company has been breached and you need to react, start by taking a breath. You may be on the receiving end of questions from left, right and centre, and your colleagues might also be under pressure from customers, shareholders and reporters. Pause and remember you have a support system around you, and you will get through it together.

2: Establish the facts

Call an urgent meeting with the C-suite, the heads of your IT, and/or cybersecurity and legal/regulatory teams. Find out:

  • If the cyberattack is still active 
  • If you have informed the police and the ICO – this is important not just from a moral perspective, but also from a regulatory one!
  • Anything else the team can tell you about what they know so far

3: Take timely, appropriate action

Draft a short holding statement that solely covers what you know to be the case, then halve it. Say only what you need to say, but ensure your concern for the people affected comes across loud and clear. 

It goes without saying, but make sure the statement has plenty of eyes on it – not just for grammar and accuracy, but also to read it through the lens of someone affected by the attack. How would you feel if you read this and it was your personal data at risk, stolen or abused?

When drafting your statement, consider the following:

  • The fact of the matter – that you are aware cybercriminals have breached your organisation
  • What action you have taken to try to stop the attack
  • That employees and customers have been informed and that you will keep them updated
  • That you are aware of the seriousness of the situation and you show concern for all affected

Make sure communications do not involve speculation about what may have happened and that you do not elaborate until you have further facts at hand. For example, if no data has been stolen, you must be sure of it, as you can’t take back what you’ve already said.

Your critical priority will be communicating to employees and customers, so ensure they are informed ahead of other stakeholders. Control the flow of information by reminding colleagues any media queries they receive should be directed to you and your corporate communications team, and that only select spokespeople – usually the CEO – are permitted to speak about it on behalf of the company.

Once more information is available, pen a drawer statement for reactive PR should reporters request it. This could cover:

  • The fact of the matter
  • Is the attack over and has your company been secured? 
  • Are affected systems now back online?
  • Do you know if information was stolen, or if it was possible information was stolen?
  • What information was stolen, if any?
  • That you will continue to keep employees and customers updated
  • A reminder that you are aware of the seriousness of the situation and that you show concern for all affected

A crisis of any kind is unpleasant; cyberattacks especially so. But by keeping these three considerations in mind when reacting, you give yourself the best chance of limiting damage to your brand. 

Remember, we are all human and we can only do our best. Keep your cool, establish the facts and take appropriate, timely action, and you will get through it.

Sarah Johns is a Senior Account Manager in Allison+Partners' London office.
