Cybersecurity has become a boardroom priority in a world where digital transformation drives every industry forward. But when a cyber attack strikes, it’s not just systems under threat, it’s trust. And protecting trust begins with how you communicate.
This was the striking takeaway from a recent episode of PRWeek’s Beyond the Noise podcast, titled Cyber Attack Comms: “We Were Rabbits in Headlights". The episode featured a candid conversation with Jack Richards, Global Head of Integrated & Field Marketing at Onclusive, and Charlotte McGill, a crisis communications expert from Burson. Together, they unpacked the communications fallout of a real-world cyber incident—and offered hard-earned lessons that every organisation should take seriously.
Here’s what stood out most from the episode, and what it means for your business.
When a cyber attack hit Onclusive in early 2024, Richards described the moment as “being rabbits in headlights.” It’s an image that perfectly captures the paralysis many organisations experience when suddenly confronted with a major breach.
Systems were down, clients were calling, and teams had questions internally. Externally, there was growing uncertainty. And yet, the reality was stark: waiting for full clarity wasn’t an option. Communications had to start immediately, even without all the answers.
This is one of the greatest paradoxes in crisis PR: stakeholders don’t expect perfection, but they do expect presence. Silence breeds speculation. Timely, transparent updates, however limited, are always better than a communications void.
Insight: A good crisis response doesn’t depend on perfect information. It depends on a clear protocol, empowered spokespeople, and a shared understanding that not saying anything is saying everything.
A critical first step in Onclusive’s response was to inform and align internal teams. Employees are not just recipients of information; they are amplifiers. If they’re confused, anxious, or misinformed, the ripple effect will appear in client conversations, social media, and operational delays.
Equally important is managing external communications across audiences: clients, partners, regulators, and the press. McGill emphasised that the objective is not to spin a narrative, it’s to be seen as honest, human, and in control, even if only partially.
Insight: Your crisis strategy must map out stakeholder-specific messaging and designate who says what, to whom, and when. A well-informed employee is your best frontline ambassador.
One of the most underrated aspects of a cyber response is the role of executive leadership. Richards noted how visible and involved the Onclusive CEO was during the response; an approach that helped reassure employees and clients.
In our experience at Purpose Communications, the presence of leadership is more than symbolic. When senior figures step forward with empathy and accountability, they anchor the organisation’s response. They personify responsibility, and signal that the crisis is being taken seriously at the highest level.
Insight: CEOs and executives don’t need all the answers, but must be seen. Visibility builds confidence; invisibility invites doubt.
McGill offered a reality check: too many companies still approach cyber preparedness as a technical issue, handled by IT, legal, or compliance departments. In truth, a breach is a business crisis, and your brand reputation is on the line from the first hour.
She noted that the most effective organisations simulate scenarios, stress-test their response plans, and align communications with operations long before a breach occurs.
At Purpose Communications, we help clients develop agile and actionable crisis comms frameworks, tailored to their risk landscape. We run simulations, build cross-functional playbooks, and ensure that when a crisis comes, the first call isn’t a panic; it’s a process.
Insight: A cyber incident moves faster than most other crises. You cannot afford to figure it out in real time. Planning is the difference between scrambling and steering.
Once Onclusive had contained the breach, they took time to reflect. What worked? What gaps were exposed? What lessons could be applied beyond the IT department?
This is an essential, often overlooked phase of crisis communications: recovery messaging. Clients want to understand what’s changed. Employees want to know how future risks will be handled. Regulators and partners expect proof that safeguards are stronger.
Insight: The post-crisis phase is an opportunity to demonstrate resilience. If handled well, your recovery can enhance your reputation, not diminish it.
Preparedness Is Reputation Insurance
A cyber attack can strike any organisation, at any time. But while you can’t control the breach, you can control the narrative.
You can shape how your stakeholders experience the crisis and how they remember it.
Share