It is not a question of “if” you will be the victim of a cyberattack, but when. 

And when it happens, it will be expensive. 

According to cybersecurity experts Booz Allen, the average ransomware attack demand last year was $6,364,773 (US) and the average settlement was $556,751. 

And that’s just the initial financial cost. After the damage has been done to your reputation and class action lawsuits have been settled with your customers, the actual losses from a breach are likely to be much, much higher. 

You may think you’re prepared. And perhaps, a few years or even months ago, you were. But the speed at which the threats change and multiply means that what may have worked – either from a technological standpoint or from an issues-management standpoint – may not work today. Artificial intelligence alone has introduced what the cybersecurity experts at CrowdStrike call a “tectonic shift” in the “cyber arms race.”

The First 30 Minutes 

Here’s what happens in the first 30 minutes of a breach (we know, we’ve been there). 

Your email and website are down. Customers are already on social media complaining. Board members and executives are calling. Partners who are connected to your system are demanding to know if their own systems and data are at risk. If you’re a public sector organization or a high-profile brand, a whole bunch of government folks and media are calling and demanding answers. Members of your own staff may be on social media complaining they are in the dark.

The clock is already ticking on your response. 

Crisis communications needs to follow a plan. If it doesn’t, it becomes panic communications. 

Did you decide ahead of time if, when and how you would publicly disclose a breach? Who speaks on behalf of your organization? Are they media trained?  Do you have a line of communication between your technical experts and your spokespeople? What are your immediate public and internal holding messages? Who needs to approve messaging before you can get it out the door? You need to know this ahead of time because, in a breach, you will be drowning in demands.

If your comms team hasn’t already helped develop a game plan on how to manage social media, stakeholders, customers/clients, staff and even your Board, your reputation is already on fire.

The thing is, all of your partners and clients understand cybersecurity risks. They’re preparing for them too. But if you seem to have been caught unprepared for something they know could happen, how does that look on you? 

Five Principles to Keep in Mind

A crisis comms plan for a cyber attack should be consistent with your approach to other crises. Five basic principles include:

1. Be True to You
Make sure your decision making in the moment stays true to your organization’s values. If you are a transparent and accountable organization, stay that way, insofar as it is possible. 

2. Be Fast
Make sure critics and trolls aren’t filling the information vacuum before you tell the public.

3. Be Definitive
Instill confidence by telling people what you are doing to remedy the situation and how you will function in the interim. You need to maintain or earn people’s trust in your messaging.

4. Be Nimble
Circumstances change quickly in a breach. Be prepared to pivot. Plan ways to communicate even if your regular channels are compromised in the attack.

5. Be Consistent
Crisis comms isn’t one and done. Your stakeholders need to see you are doing the right things to repair any damage and prevent it from happening again.

Your comms playbook needs to fit that overall cybersecurity plan your organization has spent so much time and money preparing and honing. It needs specific answers to the comms considerations above. And if you don’t have one written – or haven’t updated yours in a while – you’ve got some work to do in 2025. 


Is your organization prepared with a crisis communications plan? If the answer is no or it needs an update, we’re here to help. Contact us today.