CyberSecurity Crisis Communications: Having a Plan is the Best Plan

No one wants to believe that you or your business will become the next victim of a security hack.

Most people live in denial as a psychological defense because in the moment it seems safer to put the possibility of a threat away in a compartmentalized box of the brain.

But the reality is your online perpetrator is only ever one step away from your greatest vulnerability.

From the first great “Melissa” virus and “ILOVEYOU” worm of the late 90’s to the extremely sensitive clientele data hack of Ashley Madison today, we must remain vigilant.

Preparedness is a two-pronged strategy: technology and communications.

The vast majority of time and resources in CyberSecurity is directed at technology.

Technological readiness and agility for response is a very good thing because it is the singular way to directly combat an online attack of any shape or form.

However, not having a crisis communications strategy and protocol in place can and absolutely will make a bad situation significantly worse.

I can assure you that not having a plan is planning to fail.

The vast majority of businesses – from startups to big brands – do not have an agreed-upon crisis communications strategy.

As a 20-year veteran of corporate communications, I remain shocked by how difficult it is to convince a business head to invest the time upfront to secure a proper protocol.

Sadly, many executive teams learn the hard way – a crisis arrives, they are surprised, their decisions are reactionary instead of ideal, and regret over the lack of preparation sets in.

There are three crucial communications strategies you must have to prepare for a crisis.


  1. Crisis Inventory

Depending upon your personality, crisis scenario development can be perceived as either creative or masochistic.

However, creating a crisis inventory of likely and devastating events is critical to stay ahead of potential threats.

Given, we usually cannot foresee all events, but we can make our best guesses to what is probable for our businesses and plan accordingly.

Here’s how to identify and rate a potential relevant event:

  • Likely – How likely is this crisis?
    • 0 impossible, 1 nearly impossible, 2 remotely possible, 3 possible, 4 somewhat probable, 5 highly probable with warning signs
  • Devastating – How devastating can the crisis be?
    • 1 no damage, 2 little damage, 3 considerable damage without media, 4 considerable damage with media, 5 devastating front-page news and put out of business
  • Example: Ashley Madison clientele list hacking (score 9 or 10)
    • Likely: 5
    • Devastating: 4 or 5
  1. Crisis Response

The first rule of crisis response strategy is to fill the news vacuum.

If you do not take hold of the news cycle then others will do it for you.

Hence, you must be 1. quick, 2. consistent, and 3. open.

In terms of response content, spokespeople can chose from the following strategies which solicit varying levels of response acceptance (from high to none): full apology, corrective action, ingratiation, justification, excuse, denial, and attack the accuser.

Use full disclosure (versus partial disclosure) under the circumstances of: continuing danger, organization as victim, when the rumors are worse than the truth, you can afford corrective actions, and if the crisis could financially cripple the company.


  1. Crisis Handbook

Lastly, companies must document procedures for handling a crisis.

Written protocol takes the thinking and confusion away so you can immediately step into action.

Pre-approved processes and drafted statements lead to less stressful and more successful outcomes.


In summary, your cybersecurity strategy is resoundingly incomplete without a carefully designed crisis communications strategy.

Make the firm decision today to develop your crisis strategy and protocol.


About the Author:

Kelley A. Joyce, MBA, CPC is the CEO + Founder of The Truth at Work, Inc.

Kelley Joyce_141c_F

Kelley is a strategic advisor and executive coach to business leaders who seek to radically change their relationship with work. She can be reached at