Latest statistics from the Government’s Cyber Security Breaches survey for 2025 reveal the sheer scale of the problem. It disclosed that some 612,000 UK businesses and 61,000 charities had suffered a cyber breach or attack.
In some instances the consequences are merely inconvenient, but in others they can be devastating operationally, financially and reputationally; the recent production-halting attack on JLR is understood to have cost it and its suppliers some £2.1 billion in lost sales and the cost of fixing the damage.
What the figures underline is that no organisation, in the public or private sector, is immune, with cyber and data security ranking as one of the top five risks facing businesses in 2026.
Earlier, GCHQ’s National Cyber Security Centre warned that AI-enabled cyber threats, whether from malign state actors or increasingly sophisticated criminal gangs, are only set to grow.
Communications alone won’t fix the problem but, as in any other unexpected, critical event, they are fundamental in mitigating the consequential risk to corporate reputation and retaining customer trust and loyalty.
Whilst many of the actions that need to be taken mirror those required in a non-cyber crisis, there are important differences posed by the sheer speed, scale and spread of the potential damage to an organisation’s critical systems.
Top Tips for Communicating in a Cyber Crisis
- Back-up communications – a cyber-attack that cripples critical systems may also take out communications facilities, so ensure you have alternative options available, off-site if necessary – i.e. phone lines, social media devices, emergency email addresses.
- Transparency – be open and transparent about what has happened, who it has affected and what you are doing to remedy the matter.
- Speed – communicate quickly and clearly. The extent of cyber-attack impacts tends to grow as more becomes known, so always caveat statements with ‘as far as we currently know’ so that you are not hostage to changing circumstances later. Provide regular updates to all those affected, as a vacuum may be filled by misinformation or deliberate disinformation.
- Factual – become the source of true, accurate and verifiable information. Don’t engage in speculation. Working to build a trusted brand in ‘normal’ times will pay off when you really do need to be trusted.
- Clarity – avoid technical jargon, corporate-speak and complex language; be clear and to the point.
- Consistency – ensure messaging is consistent across all channels and platforms, internally and externally. Mixed messaging sows confusion and feeds mistrust.
- Stakeholder engagement – know your audiences, including employees, shareholders, clients, suppliers, regulators and media, and tailor communications to each.
- Media – journalists are only fulfilling their legitimate role, so don’t treat them as the enemy. By understanding the narrative arc of a crisis, you can anticipate questions and prepare answers before they are asked. If there is something you can’t say – for matters of commercial confidentiality or so as not to prejudice a police investigation – say so. Remember that ‘no comment’ doesn’t mean no story; only that journalists with a deadline to meet will speak to someone with less accurate knowledge of the true circumstances, and that can make a bad situation worse. Also, the media can be helpful in getting important information quickly to the public if your own systems are compromised.
- Sentiment tracking – during and after the incident, monitor customer/public sentiment to measure the effectiveness – or otherwise – of messaging and its impact on brand perception, and take any necessary corrective action.
- Learn and share – sharing the lessons learned from an incident, i.e. with trade bodies, sector organisations and even rivals, will help improve overall resilience. If anyone can be a target, then together everyone can help build better resilience and defences.
To know more about our crisis communications services, contact:
peter@squareoneconsultants.co.uk