How do you communicate a cyber-attack?
Almost a half of British businesses have experienced a cybersecurity attack or breach. The question for PR agency owners and comms professionals is how prepared are they to respond to the inevitable.
The growing list of businesses whose day-to-day operations have been severely impacted following a cybersecurity attack should leave no one in any doubt that it is not a matter of if but when your business will be impacted by a cybersecurity incident. When a cybersecurity incident happens, it will be about how prepared you are and how you respond.
Cybersecurity risk remains a top concern for 72% of businesses. Research further shows that 43% of UK businesses have experienced a breach or cybersecurity attack, equating to 612,000 businesses. The survey results also show that there has been an increase in business continuity planning, up from 44% in 2024 to 53% in 2025. This figure, however, highlights that many businesses, despite the fallout from the breaches creating newspaper headlines, have not committed the necessary resources to planning and preparedness.
Cybersecurity and business continuity
Having a robust security incident response and business continuity plan in place is more than a safety net, it is a strategic advantage.
When the unexpected happens, it is not just your systems that are tested, but your ability to act quickly, communicate clearly and adapt with confidence. Organisations not only need to protect critical assets but also ensure rapid recovery and ongoing operations.
October is Cybersecurity Awareness Month; the perfect time to avoid long-term reputational damage to your business minimising the impact and rebuilding trust with your stakeholders to aid a quicker recovery. This can be achieved by planning and preparing ahead of time and putting those impacted at the heart of your response.
How to communicate a cyberattack
The National Cybersecurity Centre’s best practice guidelines underscore that having a robust response that is well communicated should include the following:
- Employees can be the first line of defence if they are able to identify phishing, which remains the most prevalent and disruptive breach. Board-level briefings, awareness campaigns, human risk management platforms and bespoke security training help to create the right security culture and can prevent an attack.
- Knowing your stakeholders as well as planning and preparing ahead of time will allow you to communicate effectively with those impacted by a cybersecurity attack.
- Running a simulation exercise will provide a safe environment to test, validate and refine your plans.
- Establishment of response plans and supporting tools to guide your organisation to effectively respond to, and continue operating through, a cyberattack.
- Compliance with security standards (including NCSC CAF, ISO27001, NIST CSF), helps to strengthen resilience, meet stakeholder expectations and fulfil regulatory requirements.
- 24/7 security monitoring through a security operations centre, including vulnerability assessments and penetration testing, proactively identify and address security risks.
- Senior counsel brings an external perspective when and where you need it most.
Let this Cybersecurity Awareness Month, with the theme of “Stay Safe Online”, be the catalyst for developing a comprehensive cybersecurity response plan to help you get your business on the front foot by strengthening your defences.
After all, when a cyber-attack happens, it will be about how prepared you are and how you respond. Are you ready for the inevitable?
Mike Evans is co-managing director of Herdwick Communications, specialists in stakeholder communications. Kieran Fowler is head of cyber consulting at Waterstons, a strategic digital and IT partner.
Read more
Are VPNs blinding brands? The Online Safety Act could harm audience profiling
Crisis communications: your last line of defence after a cyber-attack?