Hey Mel! Communication & Training


What comms pros need to do in a cyber incident

In our increasingly digital world, the threat of cyber incidents—whether data breaches, outages, or ransomware attacks—looms large over every business, regardless of size or industry. Take, for example, the Optus or Medisecure breaches, not to mention the countless others that haven’t hit the big-time news.

How you respond to these incidents can either fortify or fracture your business's reputation. So what can communications professionals in these businesses do in advance to prepare for these risks? And what do you do when a cyber incident occurs? We’ve got five essential crisis comms strategies to help you navigate the storm.

1. Know your stakeholders!

Preparation is key. Know who you need to speak to, why and when. Before a crisis strikes, ensure you have a well-crafted crisis communication plan in place that outlines who will communicate with key stakeholders and in what order.

For example, during a significant cyber incident, you might need to contact federal authorities, relevant ministers, or even CEOs of competitors who could also be at risk. This step is critical because it aims to maintain control of the narrative and build trust with your stakeholders.

So: make sure to gather your internal stakeholders and determine who needs to be contacted during a cyber incident. Ensure everyone knows their role and the communication order.

2. Have a plan on when to go public

Timing is everything. One of the biggest challenges in a cyber incident is deciding when to go public. Often, you won’t immediately know what happened, why, or the full extent of the impact. Should you disclose a potential breach right away, or wait until more details are known?

This decision should be made before a crisis occurs, considering your organisation’s risk appetite and the importance of acting quickly to prevent misinformation. Failure to address issues promptly can lead to loss of trust, so make sure to have a pre-established agreement with your internal teams about the triggers for going public during a crisis. Be the first to tell your story—don’t let others control the narrative.

3. Keep your information up to date

Once you’ve gone public, maintain a steady flow of updates. Even if there’s little new information, regular communication shows that you’re actively managing the situation.

For instance, St Vincent’s Hospital in Australia handled a 2023 cyber attack by issuing immediate statements and providing ongoing updates, which included detailed actions they were taking and FAQs to address public concerns. This transparency helped maintain trust, in contrast to Optus’s response to their 2023 outage, which left customers in the dark for six hours with no updates—only adding to the frustration.

To avoid this, make sure to regularly update your customers, even if it’s just to confirm that investigations are ongoing. Include practical advice on what steps they can take to protect themselves.

4. Only comms writes the comms

While legal input is important, don’t let the lawyers or tech experts write your communications. Legal language can come across as cold, unempathetic, and difficult to understand. Your audience needs clear, human communication that addresses their concerns. Write your communications in clear, empathetic language. Let the lawyers review it for accuracy, but ensure the final message resonates with your audience.

5. The customers are always the centre

Above all, focus on the real victims of the crisis—your customers. They trusted you to protect their data, and now they need reassurance that you’re doing everything possible to resolve the issue and protect them from further harm.

Empathy should be at the heart of your communication. Avoid making tone-deaf comments that downplay the situation and always communicate with empathy. Address your customers' worries directly and offer actionable advice to help them safeguard their information.

Handling a cyber incident effectively requires more than just technical solutions—it demands thoughtful, proactive communication. By knowing who will speak to whom, aligning on when to go public, maintaining an ongoing flow of information, keeping the lawyers in check, and focusing on your customers, you can navigate the crisis with your reputation intact. Plus, if you need any templates to make any of this happen, we’ve got you covered here.

Strengthen your crisis comms skills

If you’re looking to boost your crisis communication skills, consider joining the upcoming Crisis Comms Bootcamp. This intensive webinar series will equip you with everything you need to develop a robust crisis communication plan.