As businesses become prime targets for data breaches, it’s no longer a matter of if an attack will occur, but rather when, writes Sarah Woodhouse, director of the public relations firm AMBITIOUS.

Historically, brands have grappled with the challenge of communication amidst such crises. Take Uber, for instance, which faced a data breach in 2016, concealing it from customers for over a year. This secrecy led to accusations of a cover-up, eroding trust among customers and regulators.

Cyber breaches not only affect prominent brands but also critical sectors like government, healthcare, energy, and water infrastructure, amplifying their visibility. However, attacks aren’t exclusive to large organisations; businesses of all sizes are at risk. The 2023 Government Cyber Security Breaches Survey found that 59 per cent of medium-sized businesses experienced breaches. Smaller companies may report fewer attacks because of reporting challenges rather than because they are targeted less.

B2B businesses have a responsibility to publicly address breaches to reassure stakeholders and safeguard their reputation. Given the widespread awareness of cyber threats, organisations must focus on reputation management post-attack.

Managing reputation post-attack

Crisis communications exists to limit the negative impact of a crisis on a brand and its people, products or services. It should be part of a company’s overall communications strategy, with specific thought given to scenario planning for a cyber breach.

In 2024, the most frequently recurring types of cyber-attack are ransomware attacks (where an attacker infiltrates a system and holds data or assets ‘ransom’ until a sum of money is transferred for their release), distributed denial of service attacks (which take online services down), data breaches, identity theft and theft of passwords or usernames.

Transparent and concise communication is key to limiting the damage to a company’s reputation and relies on effective crisis planning, combined with short-term decision-making, as you deal with the disruption. It’s not easy to get right, but these five steps will stand you in good stead to negate any reputational damage.

Respond quickly

You need to be transparent and act quickly to address the breach or attack head-on. GDPR requires an organisation to report any personal data breach to the relevant authorities within 72 hours of becoming aware of it.

Of course, early detection can provide more control of a situation and minimise the impact on an organisation and its customers.

This comes down to having a strong cyber security posture for detecting and responding to an attack. Communicating that the organisation was able to spot the attack early demonstrates that it takes cyber security and the protection of customer data seriously. Successful crisis communications come down to the organisation’s ability to anticipate the crisis upstream. If you haven’t already, assess your cyber security posture as part of a crisis preparedness strategy.

Identify audience

The victims of the cyber incident are your priority.

This could be customers whose personal data has been stolen or those who can no longer access your tools and services. Other stakeholders such as investors, suppliers or trade associations should also be communicated with where appropriate as soon as possible.

It’s important to carefully manage how you communicate a breach to employees, in order to reassure them, prevent leaks and align company messaging. Provide clear and concise instructions on how to handle enquiries, and update employees regularly as the situation evolves so that you remain in control of the message.

Notify customers and stakeholders first

Before communicating to the press, make sure that you’re able to personally contact all affected customers.

To be transparent, assess all the communication channels at your disposal. Depending on the severity of the attack and the number of people affected, draft a statement either for your homepage or blog from the CEO, CTO, COO or similar. All social communications can then be directed back to this. Assess whether a video statement would also be appropriate to demonstrate empathic leadership.

Make sure that you’re available to answer any questions or address any concerns that individual customers may have. Develop a list of press contacts to help you communicate the message to the wider public and prevent any leaks or speculation.

Accept responsibility

Acknowledging that an incident has occurred and apologising sincerely is the first step.

Take responsibility for it to maintain trust.

Show solidarity with victims and your commitment to finding solutions to protect those affected and to prevent it from affecting anyone else.

Knowing how much to communicate depends on your knowledge of the current situation. It’s important to avoid communicating for the sake of it, i.e. if you don’t have all the details. Reassure customers and stakeholders that you are taking it seriously and investigating who it has affected and to what degree. Work with cyber security experts to respond to the incident and to understand how it happened and how to recover (whether that’s getting services back or retrieving data).

Show what you’re doing

No matter how the incident was handled, customers will be understandably cautious about your cyber security posture. After the event, you may want to demonstrate to your target audience the steps you have taken. For example, show how you are protecting current systems by regularly testing for vulnerabilities. Would a cyber security accreditation be appropriate or perhaps an investment in bringing in cyber experts to regularly audit your systems?

Demonstrate your cyber preparedness via a strand within your corporate and external communications PR strategy. Reinforce a positive brand reputation by improving online sentiment. Engage in high-quality campaigns in the right media publications, push expert thought leadership and encourage positive reviews.

Experiencing a cyber-attack is never a deliberate choice, yet by prioritising crisis communications and fostering authenticity in their messaging, organisations can gain trust for taking a proactive stance. This has the potential to transform a negative incident into a positive outcome.