Cyberattacks & Other Crises - How Should Companies Respond?

Cyberattacks & Other Crises - How Should Companies Respond?

As the most recent cyber-attack unfolds and affects a large number of reputable companies on a global scale, media coverage is being updated and people are commenting on the latest developments on social media in real-time which once again shows the importance of having a pro-active approach to crisis management.

So how can organizations approach corporate communications before a crisis occurs?

In a perfect world, every company would have a manual for every crisis that could potentially affect its reputation, and, in the end, its bottom line. Some risks (such as pre-cautionary product recalls) might be easier to identify and can thus be addressed before they happen. Pointing out those risks is an on-going process that needs to be monitored and updated regularly. By taking the latest trends and developments into account, companies can develop guidelines to follow before the crisis starts. Developing such a manual takes up valuable time and resources but will prove invaluable when a crisis does actually occur. Here, working with a partner like ABI who has the know-how and resources to identify and address those risks can come in handy. However, some risks harder to pinpoint.

What to do if a crisis takes you by surprise?

The digitalized, fast-paced and global environment that all businesses face today holds a nearly infinite amount of hidden risks that could lead to a crisis you need to address. Even the most conservative digitalization strategy can only limit but not completely eliminate companies’ exposure to these risks. Whether we like it or not, the digital revolution has taken place – and with it come risks that cannot easily be identified and avoided.

Cyber-attacks are one of those unlikely yet impactful risks that affect all companies, large or small. Just six weeks after the last attack, the most recent attack is now just unfolding in June 2017 – while this seems like a long period in today’s immediacy-driven society, businesses move more slowly.

 Particularly in the more conservative B2B space, companies can often not match the pace of change. In an ecosystem with several stages of approval for even the smallest of changes, large multi-national corporations face particular risks to their reputation and bottom lines. Even if you do not have a crisis manual, there are some guidelines you can quickly and easily follow in your ad-hoc crisis communications.

Three best practices to keep in mind during a crisis

If you’re in the middle of a crisis, you won’t have time to draft elaborate communications. Instead, keep the following three best practices in mind.

  • Appoint a clearly defined crisis management team and spokesperson.

Quickly define the problem and establish a protocol to make sure all new developments are being monitored and collected. Ideally, all information should come together in a crisis management team (which usually includes the Chief Executive Officer, the Chief Financial Officer, Corporate Communications, legal counsel and other relevant officers). This team should be led by one person who is trained on how to handle such situations. This person should also be appointed as the spokesperson who is responsible for sharing information both internally and externally. If nobody on your team is trained in doing so, working with a trusted, experienced partner who has a global footprint to address issues across time zones - 24 hours a day, 7 days a week – and close to the ground regionally is crucial. 

Your crisis management team will then develop appropriate response protocols – while the wider team would help coordinate intelligence, monitor social media and general press and broadcast activity, develop holding statements, key messages and press releases – as well as to ensure effective spokesperson responses with the media. 

  • Acknowledge the crisis calmly and as early as possible

Hopefully, someone in your company or one of your partners has alerted you to the potential crisis in an early stage. Rather than hoping for the best and ignoring early warnings, address the potential problem calmly. A simple and short message that conveys that you are aware of the problem and looking into it while limiting the potential impact on your stakeholders – be it customers, employees or investors – is the first step to take. Keep monitoring the conversation and respond calmly when needed. This is the list of elements to include in your statement (keeping potential legal restrictions in mind):

  1. What happened?
  2. When did it happen?
  3. How did it affect you (the company) and your customers or other stakeholders?
  4. What actions have you taken to address the crisis and to prevent it from spreading?
  5. What actions have you taken to prevent similar incidents from happening in the future?


  • Communicate the latest developments quickly and honestly

While looking into what happened and solving the issue should be your first priority, you should communicate the progress you’re making along the way as much as you can. Try and publish updates at pre-set times a day (e.g. in the mornings, around lunch time and then again before the end of the day) in the height of the crisis. These updates do not need to be long – even just pointing stakeholders to the next big update such as a press conference counts – but will relieve the pressure you face. People will talk about what happened and rather than letting them jump to conclusions, this is your chance to drive the conversation. Take the initiative without assuming responsibility for developments outside your control or blaming anyone else.

Keep calm and carry on

Keeping these three practices in mind will help you manage crisis communications pro-actively, no matter how surprised you might be by a crisis.  While plenty books have been written on the topic[1], theory can only take you so far. Situations can change in the blink of an eye so keeping a cool head crucial. Taking a step back, or allowing a trusted partner to do so for you, and considering the big picture implications are key to successfully managing a crisis. Don’t succumb to the chaos a crisis like a cyber-attack brings with it. Take a deep breath and communicate the key facts to the stakeholders most affected by the developments as openly as you can.


[1] See e.g. Alsop, R. J. (2006): The 18 immutable laws of corporate reputation: creating, protecting and repairing your most valuable asset, London: Kogan Page, or FOMBRUN, C. (1996): Reputation – Realizing Value from the Corporate Image, Boston: Havard Business School Press.


by Sandra Steingraber