A cyber incident is bad enough: Communication doesn’t have to be

  • Insight Article, 16 March 2026
  • Africa

  • Regulatory movement

  • Cyber risk

Few moments expose an organisation’s true character quite like a disruptive cyber incident. Systems go down. Heart rates go up. Pressure mounts as employees, clients and customers start to ask what is going on.

Based on hard-won experience from sitting shoulder to shoulder with leadership and crisis communication teams during live incidents, here are some practical tips to ensure your internal and external communications don’t become a second crisis - this time of your own making.

1. Decide who speaks before everyone does 

In the first few hours of an incident, everyone has something to say. This is not the time for democracy.

Pre-agree a core communications team (legal, comms, IT/security, and an executive with decision-making power) and stick to it. One external voice and one agreed internal narrative means fewer “clarification” emails later.

2. Tell employees early, before the rumour mill spins up

Employees are not mushrooms and keeping them in the dark does not end well. Staff will notice systems misbehaving long before a press release lands. Where leadership says nothing, speculation fills the silence.

Early internal messaging should be simple, short and practical: what’s happened, what’s being done, and when the next update will come. You do not need all the answers, but you do need to show up.

A gentle reminder not to speculate publicly can prevent the incident response being derailed by a well-meaning LinkedIn post beginning with “Speaking in my personal capacity…”, or worse, sensationalism from within.

3. Translate for the outside world

Customers, partners, regulators and insurers all want answers, but none of them want a jargon-laden statement about “advanced persistent threat vectors”. Precision is useful only when the facts are certain. Focus on impact, mitigation and next steps. 

Avoid both extremes: the sterile non-statement that says nothing, and the over-eager disclosure that later needs to be walked back.

If you don’t know yet, say so (carefully). 

4. Speed beats perfection

Waiting for the full picture is tempting, but usually unfeasible. Silence invites imagination, and imagination seldom favours the victim organisation.

It’s best to set a predictable cadence of updates and stick to it, even if progress is incremental. 

The failure to communicate fast enough is an easy point of criticism for regulators and data subjects. Regular communication reassures stakeholders that the organisation is in control, even when the situation itself is not.

5. Legal accuracy doesn’t require lifeless prose

Yes, every word matters. No, that does not mean the message should read like draft pleadings.

The best incident communications are legally sound and recognisably human. Acknowledge disruption and convey empathy. Avoid admissions or overly legalistic phrasing. Minimise passive voice. People can tell when they are being spoken to, and when they are being managed.

6. Assume everything will leak

Internal emails will be forwarded and drafts will circulate. Someone will screenshot something. Messages intended for “internal use only” inevitably find a much broader audience.

Write accordingly. If you would not want to see it quoted later or written in a headline, rewrite it now. This rule alone prevents a surprising number of later problems.

7. Finish the story

Once the incident stabilises, say so. Explain what changed and what was learned. Stakeholders need closure: what happened, what changed, and what will be different next time.

Rebuild trust by talking about how incidents end at least as much as how they begin.

The bottom line:

In a cyber incident, someone else will tell your story if you don’t. Effective communication ensures it’s not an employee, a journalist, or a regulator doing it for you.

We see threat actors racing to beat their victims to the punch by contacting stakeholders directly. Heading them off at the pass with clear, quick and regular messaging can take much of the sting out of their threats.
