Hearts & Minds: Cracking the code of cyber security comms

When government issues a warning, it’s all too easy to be dismissive. It’s a standard default, to ask what do they know? Consider this warning from Richard Horne, head of the National Cyber Security Centre: “There is no room for complacency about the severity of state-led threats or the volume of the threat posed by cybercriminals. The defence and resilience of critical infrastructure, supply chains, the public sector and our wider economy must improve.”

That’s everybody, that’s you. There have been strikes recently against a hospital, software firm, supermarket food supplier. Again, it doesn’t affect me. So, look at the figures: Horne’s centre dealt with 430 incidents last year, up from 371 in 2023; 89 were nationally significant, 12 were at the top end of the scale, up threefold on last year. Most of them were ransomware attacks, hackers crippling an IT system and demanding payment to unlock it. 

If you’re not alarmed now, you should be. It’s clear that cyber security is not something just for the IT people. It’s a real and central risk for any company, any organisation. It doesn’t belong in some offshoot somewhere, but goes to the very heart of the operation, affecting all stakeholders and consumers.

Be afraid but be prepared must be the strategy. Comms-wise, it’s not something to shout from the rooftops – the hacker likes nothing more than a challenge, to prove your supposedly watertight system is full of holes. Likewise, though, existing and future staff, customers, investors, suppliers all want reassuring you’ve got it covered. It’s a case for quiet reassurance, not to be broadcast and definitely not to be posted on social media.

Don’t over-promise. You’re up with the latest thinking, you’re employing experts and you’re in constant discussion with them, you’re repeatedly testing for vulnerabilities. Saying you’re confident it will never happen to you and if it did, there would be no impact, won’t be forgotten and could backfire spectacularly.

Of course, if you underplay your approach there’s a danger a competitor may get the upper hand, but by making cyber security a point of emphasis and repeatedly underscoring it, you’re getting the message across to those who need to know.

Seek professional advice. Time for a plug: Sodali provide comms support across the entire cyber incident lifecycle, from helping to strengthen resilience, to crisis comms preparedness, to 24/7 incident response, and post-incident reputation management.

Heed Horne’s words and act. It’s foolish not to.

Chris Blackhurst is one of the UK’s foremost business journalists. He was previously Editor of The Independent and City Editor of the Evening Standard.