Preventing and surviving a cyber-attack: the role of PR and communication

About the author

Chris is a lecturer, media trainer, crisis communication consultant and coach. Her in-house roles have included the global position of Director of PR for Barclays. Chris leads the CIPR PR Diploma and Crisis Comms Diplomas. BA Hons, CAM, MCIPR


“It’s not if, it’s when” was the comment made by a panellist at a recent cybersecurity webinar I chaired. With a cyber-attack estimated to happen somewhere in the world once every 39 seconds, he was probably right to warn all of us that cybercrime is one of the key risks to reputation that communicators need to anticipate and plan for.

Digital systems now underpin almost every aspect of an organisation’s operations—from customer data and supply chains to financial transactions and intellectual property.

As communicators, it is important that we spend some time with those responsible for cyber security within our organisations:

  • First ask about the type of cyber-attacks the organisation has already weathered (there will almost certainly have been some) and find out what is being done to both mitigate and manage such attacks.
  • It is worth asking what insurance is in place.  If there is a cybersecurity insurance policy, you may find that it brings with it additional access to PR and communication support.
  • Make sure you understand too how your organisation mitigates the risk of a cyber-attack arriving through one of its suppliers. Attacks that come via the supply chain are increasingly common. Organisations need to be sure their suppliers adhere to the same high standards as they do themselves when it comes to cybersecurity: you are only as strong as your weakest link.

While cybersecurity is often viewed primarily as a technical or IT issue, the reputational, legal, and stakeholder consequences mean that PR and communication play a critical role both in mitigating cyber risk and in communicating effectively with stakeholders when an attack occurs.

Cybersecurity as a reputational risk

Cyber incidents rarely remain purely technical. Data breaches, ransomware attacks and system outages quickly become public-facing crises, attracting media attention, regulatory scrutiny and loss of stakeholder trust. In a ransomware attack you should also be ready for the threat actors themselves to court media coverage, publicising the attack or leaking samples of stolen data to put pressure on the organisation to pay. It should be remembered that the UK’s National Cyber Security Centre and UK law enforcement advise strongly against paying: payment does not guarantee that data will be recovered or deleted, and it funds further attacks.

In the UK, organisations must notify the Information Commissioner’s Office (ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people’s rights and freedoms (for example potential discrimination, financial loss or reputational damage). Where the risk to individuals is high, the affected individuals must also be told without undue delay. The 72-hour window starts when the organisation becomes aware of the breach, even if full details are not yet available; the ICO allows the information to be provided in phases where it cannot all be gathered in time, but the initial notification cannot wait for the investigation to finish. It is a very uncomfortable position to be in.

High-profile breaches have demonstrated that reputational damage often stems not only from the breach itself, but from how the organisation communicates—or fails to communicate—during the attack. Delayed responses, inconsistent messaging, or a perceived lack of transparency can amplify harm far beyond the original incident.

As a result, cybersecurity must be treated as a strategic risk, with PR embedded alongside IT, legal, and risk management and compliance teams rather than brought in as an afterthought.

How PR can help mitigate cyber risk before a breach

PR contributes to cyber risk mitigation well before an incident occurs:

  • First, communication teams can help shape a culture of awareness and preparedness. Clear internal messaging about cyber threats, employee responsibilities and reporting protocols reduces the risk of human error, still one of the leading causes of breaches. Phishing attacks, weak passwords and poor data handling are employee behavioural risks, and effective communication is essential in addressing them.

AI is now playing a real and growing role in cyber-attacks, mostly by making them faster, cheaper and harder to detect. It has not created brand-new types of attack so much as supercharged existing ones. AI-generated audio and video, so-called deepfakes, are now being used to impersonate senior executives. Voice cloning can mimic a CEO or Finance Director from a few minutes of audio (current tools need far less), and criminals have used it for urgent “transfer the funds now” scenarios. There are real-world cases of this kind of executive impersonation producing losses running into six figures. The defence is procedural as much as technical: a standing rule that any unexpected request to move money or share credentials, however convincing the voice or face, is confirmed through a separate, pre-agreed channel before anyone acts on it. Communicators can help make that rule widely known and routinely followed.

  • Second, PR professionals can support scenario planning and crisis simulations. By participating in cyber incident rehearsals, PR teams help organisations anticipate stakeholder reactions, media narratives, and reputational risks. This ensures that holding statements, Q&A documents, and decision-making frameworks are prepared in advance, rather than improvised under pressure.
  • Third, PR plays a role in expectation management. Through consistent, credible communication about cybersecurity investment, governance and responsibility, organisations can build trust with customers, regulators and partners. While no organisation can promise immunity from cyber-attacks, demonstrating seriousness and preparedness can soften stakeholder reactions if an incident does occur.

Discover the CIPR Crisis Communication Diploma

The role of PR and communication during a cyber breach

When a cyber breach happens, speed, clarity, and credibility are paramount. The first hours following an incident are critical in setting the tone for how the organisation is perceived. PR teams must work closely with IT and legal colleagues to understand what is known, what is uncertain, and what can be communicated safely.

It is worth remembering that the forensic investigation, in which the incident response team establishes which systems and data have been affected, can last for weeks or months, whereas stakeholders will expect to hear a message of reassurance very quickly.

One of the most important contributions PR makes during a breach is coordinating consistent messaging. Stakeholders—including customers, employees, regulators, investors, and the media—should receive aligned information that avoids speculation or contradiction. Even when details are limited, acknowledging the incident swiftly and explaining next steps helps maintain trust.

Transparency is essential, but it must be balanced with accuracy. Over-reassuring stakeholders or downplaying the severity of a breach can be damaging if later disclosures contradict initial statements. Keeping the balance between being quick and being correct is a key challenge and something that should be scenario planned in advance.

PR professionals help organisations strike the right tone: factual, empathetic and responsible. Acknowledging concern for affected individuals, particularly when personal data is involved, signals accountability and care. Holding and other statements should be prepared by the PR team as part of the usual Crisis Communication Plan and can be flexed to circumstances if the worst comes to pass.

PR teams also manage media relations during a cyber crisis. Journalists will fill any information gaps with external commentary if the organisation remains silent. As we crisis communicators say, you need to be present in your own story. By providing timely updates, clear explanations and access to credible spokespeople, PR can reduce misinformation and help the organisation retain some control over the narrative.

Post-incident communication and recovery

PR’s role does not end once systems are restored. Post-incident communication is vital in rebuilding trust and demonstrating learning. Stakeholders want to know what went wrong, what has been fixed and what has been changed to reduce the risk of it happening again. PR teams help translate technical remediation into language that non-expert audiences can understand, reinforcing confidence in the organisation’s response. It could be quite some time before all normal services are up and running, so employees and customers will need to be supported with clear communication throughout.

In the longer term, PR supports reputational recovery by highlighting improvements in governance, investment in security, and strengthened controls. Organisations that communicate openly about lessons learned are often better positioned to regain credibility than those that retreat into silence.

One of the best examples of an organisation doing this after a cyber-attack is the British Library, which published a detailed public account of the 2023 ransomware attack on its systems and of the lessons it drew from it.
