How to communicate during a cyber incident

Cyber incidents are no longer rare. They are a regular operational risk for organisations of every size, in every sector.

That doesn’t mean we should panic. It means we should prepare.

The organisations that struggle are often the ones that go quiet, or hide behind vague language. The organisations that recover best communicate early, clearly, and consistently, even under pressure.

This guide is for teams who need to communicate clearly to staff, customers, and partners while an incident is still unfolding.

What we are seeing in the real world

A few patterns keep showing up.

Extortion is evolving.

Ransomware is still common, but the pressure tactics have become more layered. Some attackers now use multiple levers at once: disruption, data theft, and threats to publish.

Social engineering still works.

Many incidents still begin with a person being tricked. A convincing email. A call that sounds legitimate. A request that feels urgent. People make normal mistakes. Attackers design situations to trigger them.

The supply chain is a front door.

Attackers don’t always come straight at you. They look for the easiest route in. That can mean targeting a supplier, a service provider, or a shared platform.

Operational technology brings extra exposure.

Connected operational systems are not always built with modern security in mind. If they’re linked to wider networks, they can become an easier route into bigger systems.

AI is raising the tempo.

It is getting easier to scale believable phishing, write convincing messages, and tailor scams to specific roles. That increases both volume and speed. Your response needs to keep up.

None of this is “cyber doom”. It is simply the environment we operate in.

A cyberattack has a predictable shape

Even when incidents differ, the flow is often familiar:

  1. Initial access: a way into your systems
  2. Expansion: gaining wider access and reaching key systems and data
  3. Impact: data theft, disruption, encryption, or all three
  4. Loss: financial cost, operational disruption, data exposure, and loss of trust
  5. Recovery: restoring services safely, confirming what was affected, supporting people, and rebuilding confidence

This matters for communications because each stage creates different questions from different people.

Your job is to help people understand what’s happening, what it means for them, and what you are doing next.

Why communications is critical to recovery

In a cyber incident, communications is not a support function. It is part of the response. Because when systems are disrupted, uncertainty spreads fast.

People want to know:

  • Can we keep operating?
  • Is my data safe?
  • What should I do right now?
  • Who do I trust?
  • What are you not telling me?

If you do not answer those questions quickly, someone else will.

That can be the media, social channels, internal rumours, or the attackers themselves.

Attackers know this. They often try to get their story into the public domain early to create pressure and force rushed decisions.

Clear comms slows that down. It creates breathing space.

The overlooked risk: losing your comms channels

Here is a scenario that deserves more attention. What if a cyber incident takes out your normal ways of communicating?

Email down.

Intranet down.

Teams down.

Customer systems unavailable.

Website publishing blocked.

If you have not planned for this, you lose time. And time is the thing you do not have in an incident.

A resilient comms plan includes backup routes, such as:

  • pre-approved holding statements and short scripts
  • a simple crisis microsite or “dark site” approach
  • out-of-band contact lists and phone trees
  • prepared customer service lines for frontline teams
  • a way to brief staff quickly without relying on core IT

This is not over-engineering. It is basic continuity.

Scenario planning is where confidence is built

Most organisations have a crisis plan. Fewer have tested it in a way that feels real.

Simulation exercises are one of the fastest ways to build real readiness. That means:

  • drafting a holding statement under time pressure
  • handling a mock journalist call
  • writing staff guidance that is simple and usable
  • preparing customer updates with clear actions
  • testing approvals and decision-making routes
  • practising what you do when facts are incomplete

It is uncomfortable, in a good way. It reveals gaps early. And it builds calm.

Customer and staff communications are still too often overlooked

A lot of cyber planning focuses on systems. That’s understandable. But people are the ones who feel the impact first.

Staff need clear guidance on what to do, what not to do, and where to report issues. Customers need timely, plain-English updates that respect their concerns.

The organisations that do this well tend to have two things in place:

1) They understand their audiences.

They know what different groups worry about, and what “good support” looks like for them.

2) They can notify early.

Even if the first message is short and limited, it reduces uncertainty and sets a tone of control.

Clear beats complicated

When incidents involve personal data, there are legal and regulatory duties around reporting and notifying people.

That adds pressure. It also creates discipline.

The practical rule is simple: write for humans.

  • Use plain language
  • Say what happened (as far as you can)
  • Say what it means for them
  • Say what you are doing
  • Say what they should do next
  • Say when they will hear from you again

Careful and clear can sit in the same sentence.

The cyber comms basics that get overlooked

What to have ready before the first call comes in. Practical steps for clearer, faster updates when pressure is high.

1) Build a cyber-specific comms playbook

Not generic crisis templates. Not “we’ll deal with it on the day”.

A useful playbook includes:

  • roles and responsibilities (named, not vague)
  • draft holding lines and stakeholder messages
  • a simple timeline checklist for the first 24 to 72 hours
  • pre-built Q&A packs for likely questions
  • clear sign-off routes for urgent updates, with named approvers and deputies
  • a single “source of truth” update page and link plan
  • a clear update rhythm (even if the update is “we are still investigating”)

2) Plan for channel loss

Every plan should include: “What if email is down?”

If you can’t answer that, you are not ready.

3) Practise through simulation, not just planning

Readiness comes from practice.

And practice needs to feel real.

Test the messy parts: incomplete facts, urgent approvals, difficult questions, and channel disruption.

4) Treat prevention comms as a security control

Short, regular internal messages reduce social engineering risk because they help people spot issues early and report them fast.

That means:

  • use real examples your teams might actually see (fake invoice requests, password reset prompts, supplier change emails)
  • make the “right action” obvious: one sentence on what to do, one link or one number to report it
  • give people a simple verify script: “Stop. Check. Call back using a known contact.”
  • repeat the reporting route everywhere (intranet banner, posters, toolbox talks)
  • close the loop: thank people for reporting and share a short “what it was” update (anonymised)
  • build a no-blame culture: “If you clicked it, report it. Early reporting limits impact.”

5) Bring comms into supplier conversations earlier

Supply chain incidents are not just a technical problem. They can quickly become a customer trust problem.

Comms should help set expectations upfront:

  • Onboarding questions: what the supplier will do, and how fast they will tell you, if something goes wrong
  • Notification standards: who they contact, within what timeframe, and what information they will share
  • One shared story: pre-agreed messages and clear ownership (who says what, where, and when), so customers get one consistent update

6) Design messages for a global audience when needed

If customers are in different countries, messages may need translation and local checks.

Plan that upfront, so you are not translating under pressure. Have named reviewers, a translation route, and a single source of truth that every language version points back to.

Two things to add that save time fast

Handle inbound comms, not just outbound.

Decide where enquiries go (one inbox or number), give frontline teams a short script, and set clear triage rules for what gets answered, what gets logged, and what gets escalated. All media questions should go straight to a named owner. Some organisations also bring in external support to manage comms during an incident, so the incident team stays focused on recovery.

Know what not to say.

Avoid speculation. Don’t guess cause or blame. Don’t promise timelines you can’t meet. Don’t respond to threats or claims in public. Stick to facts, impact, actions, and next update time.

If you remember the essentials

Good cyber communications is calm, early, and useful. It helps people do the next right thing. It protects trust and reduces uncertainty while recovery happens.