Skip to content

When systems fail, clear communication protects trust and keeps people informed

A student is told their personal data may have been accessed.

A customer tries to use an online service and finds it unavailable.

A resident needs help from a council, but the website they rely on is offline.

A member of staff is asked what has happened, but has not been given clear lines to use.

Recent incidents linked to Oxford University show how quickly this moves from a technical problem to a communication test.

Oxford has been linked to two separate third-party data incidents this year. One involved Canvas, the learning platform provided by Instructure, after unauthorised access affected the wider platform.

Another involved Oxford’s CareerConnect platform, managed by third-party provider GTI, where the university said users’ first names, last names and email addresses had been accessed.

The important point is not only that these incidents happened. It is how quickly the questions changed. People needed to know what had happened, whether they were affected, what data was involved, what they should do next, and where further updates would appear.

That is why a cyber attack is not just an IT issue. It is a leadership and communications test.

When systems are down or data may have been exposed, communication is not a minor task.
It becomes the way people understand the situation, protect themselves and decide whether they can still trust the organisation.

 

Why this belongs in the boardroom

The UK Government’s latest Cyber Security Breaches Survey found that 43 per cent of businesses and 28 per cent of charities had experienced a cyber security breach or attack in the previous 12 months.

That makes cyber readiness a live issue for anyone responsible for reputation, service delivery and public confidence.

It also means communications needs be part of the response from the first meeting, not brought in after the technical team has decided what to say.

The National Cyber Security Centre has gone further. It says preparing for severe cyber threats is a leadership responsibility.

Cyber preparedness has moved out of the server room and into the boardroom.

Leaders cannot wait until a system is unavailable, data has been accessed or customers are locked out before deciding who says what, when and how.

The technical recovery matters. So does the communication recovery.

In the first few hours of a cyber incident, the organisation is judged on more than whether it can fix the system. It is judged on whether it appears honest, calm, useful and in control.

That control does not come from IT alone.

Communications need to control the message, the update rhythm and the public response, so people know what has happened, what is being done and what they should do next.

 

 

Recent incidents show the pressure

The University of Nottingham has also faced a major cyber incident.

Reports said a significant amount of personal student and alumni data had been accessed from its student records system, possibly including contact details, course information and financial information.

Again, the communication response mattered.

The university said it had taken affected systems offline, launched a forensic investigation, reported the incident to Action Fraud and the Information Commissioner’s Office, contacted affected people, set up support and advised people to monitor accounts and update reused passwords.

That is far stronger than a vague holding statement.

 

“We are investigating” is not enough

There are times when an organisation cannot say much.

It may not know the full scale of the incident. It may not know whether data has been copied. It may be working with police, regulators, insurers, cyber specialists and suppliers. It may also need to avoid saying anything that helps attackers.

That is understandable. But “we are investigating” on its own is rarely enough.

To the people affected, it can sound like a closed door. It gives no reassurance, no practical help and no sense of when more information will come.

A better early message explains what you know, what you do not yet know, which services are affected, which services are still running, what people should do now, what they do not need to do, who has been informed and when the next update will come.

That last point is often missed. People cope with uncertainty better when there is a clear update rhythm. “We will update you again at 4pm” is much stronger than “we will update you when we can”.

Even if there is no major change, the update still matters.

Silence creates a vacuum.

Vacuums are quickly filled by rumours, screenshots, speculation, angry social media posts and media questions.

 

 

The threat is not slowing down

Recent reports have highlighted a wave of data theft and extortion claims involving well-known names.

Kodak confirmed a data breach after ShinyHunters claimed it had stolen more than 2.2 million records.

The Council of Europe said it was investigating claims by the same group that nearly 300GB of data had been taken, including HR and payroll information.

Ralph Lauren has also been listed in reports of a ShinyHunters “pay or leak” campaign.

Cyber incidents and data breaches are no longer occasional interruptions.

They are regular leadership events with operational, reputational and regulatory consequences.

 

What leaders should do now

Cyber communication should be part of business continuity planning.

That means having a practical communication plan ready before an incident happens.

Not a 40-page document no one opens. A working plan people can use under pressure.

It should set out who is in the incident group, who signs off messages, who briefs staff, who speaks to customers, who updates the website, who handles media enquiries and who informs regulators.

It should include simple message templates that can be adapted quickly, agreed thresholds for when leaders must be visible and a clear testing schedule.

The UK Government’s Cyber Security Breaches Survey found that only 25 per cent of businesses and around 20 per cent of charities had a formal incident response plan.

Only 13 per cent of businesses and 13 per cent of charities had external communications and public engagement plans.

That is a risk, because when a cyber incident happens, it is too late to start discussing and agreeing communications basics.

IT, legal, comms, customer service, HR and senior leaders all need to know their roles.

They will not agree every word instantly, and nor should they. But they should already understand the decision process.

The best organisations rehearse the message as well as the recovery.

They practise explaining uncertainty, answering difficult questions and telling people what they can do while services are disrupted.

They also practise switching from crisis response to recovery communication, because the communication challenge does not end when the system comes back online.

There may still be backlogs, data concerns, service delays, customer complaints, staff stress and media interest.

Sean Ryan, director of strategic communications and resilience at Media First, said,

“Every comms team should be ready for a cyber attack on their organisation. Data breaches and ransomware attacks are on the rise and they bring big, complex reputational risks. That’s why a crisis comms plan for cyber attacks is crucial. Everything moves fast in a crisis so it pays to be prepared. Boards expect it.”

The real test

A cyber attack will test your systems. But it will also test your leadership.

People will remember whether you were visible, whether updates were clear, whether you sounded more concerned about protecting the organisation than helping those affected, and whether your communication gave them something useful to do.

If communication is slow, cold or unclear, trust falls with it.

If it is honest, practical and regular, it can hold people together while the technical recovery takes place.

In a cyber incident, the first message is not just a statement.

It is the start of the recovery.

 

Media First specialises in organisational resilience and can help you get ready for a crisis.

We combine strategic counsel with immersive training to build confident leaders, resilient teams and stronger reputations.
To discuss how we can support you, contact iain@mediafirst.co.uk