

Blog: Effective communication in a cyber crisis
Businesses have long been the target of digital scammers, fraudsters and hackers, but over the past few years cybersecurity attacks have become much more commonplace.
While not all have been as high-profile as Optus or Medibank, nearly all cause some form of operational, financial and reputational damage.
Recently released Australian Bureau of Statistics figures show that 1 in 5 businesses experienced a cyber security attack during the 2021-22 financial year, more than double the figure from 2019-20. The majority of these attacks related to scams or fraud.
The increasing number of cyber attacks has led many businesses to invest heavily in their IT and cybersecurity systems to mitigate the operational and financial risks, but businesses have been much slower to protect themselves from the reputational risks.
The higher-profile cyber-attacks escalated quickly and received extensive media coverage and social media commentary - not because of flaws in the businesses’ cyber security systems but because of how communications were managed.
There are lessons to be learned from every cyber-attack and many of the same principles apply to managing a cyber-attack as managing any other crisis. However, there are also a few communications considerations and requirements that are particular to a cyber-attack.
Based on our experience assisting clients with cyber issues, we’ve compiled a few simple tips.
- Ensure you have a crisis communications plan in place
The fear of a cyber-attack has been a motivator for some businesses to develop a communications plan. If you don’t already have a plan in place, you’re heightening your risk. While every crisis is different, a plan with clear protocols, roles and responsibilities is vital. Ideally, the plan should also be ‘road tested’ through practice scenarios and key spokespeople provided with media training.
- Act quickly
A cyber-attack may cause some unavoidable reputational damage regardless of how well you communicate. To avoid lasting damage to a business’s reputation, acting and communicating quickly where you can is key, particularly where the impact of the cyber-attack is obvious. This also extends to quickly understanding who has been impacted by the cyber-attack. For example, it may not only be a business’s direct customers or clients who are impacted, but also the customer’s customers. Noting this can be difficult in case of a ransomware attack where unknown personal information has been extracted.
- Control the narrative
In the long-term, it is better to be open, share details as best you can and control the narrative from the outset. The impact of a cyber-attack can be immediate and obvious but identifying the cause of the attack and a plan for remediation can take time. Customers and clients expect prompt, clear and honest communication when the services they depend on are disrupted. A void in communication can cause reputational damage. Initial communication may be as simple as acknowledging the issue and providing assurance that it is being investigated, but it should always be proactive not reactive. Communications and messages will inevitably evolve over time as the cause is identified and rectified.
- Understand your legal requirements
Some cyber-attacks, such as data breaches, where personal information has been accessed or disclosed, require individuals and the Office of the Australian Information Commissioner to be notified by the business. This requirement covers where the personal information disclosed is likely to result in serious harm. For more information, visit https://www.oaic.gov.au/privacy/notifiable-data-breaches.
- Check your cyber insurance policy and your insurer’s communication protocols
In some cases, where the financial risk is potentially high, insurance companies can exercise the right to appoint their own PR and legal advisors to work with businesses to oversee their response to mitigate risk and potential financial exposure for the insurer. While this expertise can be helpful, there’s also potential reputational risk associated with a business having their communications controlled or heavily influenced by a third-party.
- Develop a recovery plan
The reputational impact of a cyber-attack can vary according to its severity and how the communications have been managed. Regardless, a plan will need to be developed to rebuild trust and provide assurance that the risk of another attack has been significantly reduced. This may include communicating upgrades to your cyber security systems, sharing key lessons to benefit clients should they be faced with a similar issue or helping customers communicate with their customers about the impact of the issue.
Hughes | Consultant
Useful Resources
Australian Cyber Security Centre (ACSC)
Recent News
- West Beach Trust appoints Elinor Walker to Board
- Blog: Why do so many companies fail the pub test in a crisis?
- Congratulations to our graduating and retiring Guide Dogs… and meet our new puppies!
- Flu cases in SA already up by 550 – experts warn get vaxed now
- Adelaide’s first purpose-built, affordable, long-term rental housing for women opens
- The world’s seaweed industry focuses on Adelaide at Seagriculture
- New Mount Barker Residential Development: A Feast for the Senses
- Blog: Be prepared - and be credible
- Visa Cash App Racing Bulls Announces Partnership with the Exclusive Student Housing Marketplace, Student.com
- CH4 Global and Mitsubishi Corporation partner to accelerate adoption of methane-reducing cattle feed supplement in Asia-Pacific markets
- Opinion Editorial by Brenton Cox, Adelaide Airport Managing Director - The Advertiser’s Future SA Campaign
- Adelaide’s most luxurious aged care site opens in an Australian first
- Understanding governance issues for school councils
- Blog: A better website is good news for customers
- Production begins at CH4 Global’s first full-scale EcoPark
- Aus Lights on the River 2025 line-up announced
- Top tips for puppies this Christmas
- $2.9 million beachside community hub opens at West Beach
- Detmold Group launches new sustainability goals while going solar in China
- Blog: A year in review