5 Ways Cyber Crisis Comms Are Different

May 2025

Aaron Perkins is leading a three-part virtual workshop titled “Cyber Crisis Communications: Navigating the Digital Minefield.” The sessions will provide PR professionals with the knowledge, hands-on experience and confidence needed to navigate cyber crises. The dates are May 29, June 3 and June 5, from 3-5 p.m. ET. Visit the PRSA website for details.


Imagine this: It’s 4:37 on a Friday afternoon when you get a message from your chief information security officer. “We’ve confirmed unauthorized access to our customer database. Initial estimates suggest that data from approximately 50,000 accounts was accessed. The security team is still investigating the entry point and timeline, and we have initiated incident response procedures.”

Those weekend plans you had? They’re gone.

However, you’ve trained for this, and you know what to do — your crisis communications muscle memory kicks in. But as you begin crafting your response, you realize this isn’t like the product recall or executive misconduct situations you’ve handled before; this one is different.

Throughout my career at the intersection of cybersecurity and communications, I’ve learned that cyber incidents don’t just require different templates or regulatory knowledge — they demand a fundamentally different approach to human connection — an approach built on helping people feel truly heard, seen and understood during moments of digital vulnerability.

Here’s how cyber crisis communications differ, and what you can do to navigate these unique challenges:

1. Technical complexity creates an empathy gap.

The challenge: Your technical team reports, “The threat actor exploited an unpatched zero-day vulnerability in our third-party authentication service, potentially exfiltrating hashed credentials and payment tokenization references.”

In a traditional crisis, people intuitively understand what happens when a product fails or a storm causes damage. However, cyber incidents involve concepts that create immediate distance and confusion.

A more human approach: Instead of saying, “Our authentication mechanism was compromised,” try, “Someone found a way past the digital door that verifies you’re you when you log in. This means they could have seen your account information but not your complete payment details, which are stored separately and with extra protection.”

This translation does more than simplify — it helps people visualize their personal connection to what happened, closing the empathy gap that technical language creates.

2. The emotional timeline outlasts the technical one.

The challenge: Two weeks go by, and your incident response team declares the breach contained. Your customers, though, will continue receiving phishing attempts targeting them based on exposed information for months or years to come.

A more human approach: Create a communication cadence that extends well beyond technical resolution. For example:

  • Initial notification: “We’ve addressed the immediate security issue, and we’ll keep updating you as we learn more.”
  • Two weeks later: “Here’s what we’ve discovered and fixed since our last update.”
  • One month later: “Remember that we’re still monitoring for unusual activity, and here are signs you should watch for.”
  • Quarterly: “We’re still here, still vigilant and here’s how our security has evolved since the incident.”

This extended approach acknowledges that people’s emotional experience of the breach continues long after your technical teams have moved on.

3. Invisible impacts require a deeper understanding.

The challenge: Unlike a physical crisis with visible damage, the impact of your data breach is largely invisible, deeply personal and experienced differently by each affected person.

A more human approach: Create communications that validate diverse emotional responses: “We understand that data breaches can feel deeply personal. Some of you may be concerned about immediate fraud risks, while others might worry about longer-term identity theft. Some may feel this as a violation of trust, while others are simply frustrated by the inconvenience. Whatever you’re feeling is valid, and here’s what we are doing to address these concerns...”

This validation approach shows you understand the full spectrum of impacts, beyond just the technical ones.

4. Trust recovery follows different rules.

The challenge: Six months after your breach, despite implementing significant security improvements, customer trust metrics remain low. Unlike a recalled product that customers can see has been fixed, your invisible security enhancements aren’t rebuilding confidence.

A more human approach: Make the invisible visible through concrete demonstrations:

  • “We’ve invited independent security experts to evaluate our new protections. Their full report is available here...”
  • “We’re now conducting monthly security exercises. Here’s a behind-the-scenes look at our last one...”
  • “We’ve added a real-time security status dashboard to our website showing system status and recent protection updates...”

These tangible proof points create visible evidence of your invisible security improvements.

5. The human behind the screen needs recognition.

The challenge: Your legal team has crafted a technically accurate breach notification with all required elements, but it reads like it was written for regulators, not for everyday people receiving it during dinner or while putting kids to bed.

A more human approach: Create communications that acknowledge the human context: “We understand this message is reaching you during your daily life, and security incidents are the last thing any of us want to deal with. We’ve made the steps you need to take as straightforward as possible, with support available when you need it — including extended hours for our help desk this weekend.”

This human awareness transforms a cold notification into a message that recognizes the person behind the screen.

Finding our humanity in digital crisis

In a cyber crisis scenario, as your team navigates the pressure of response timelines, technical complexity and regulatory requirements, the most critical question remains: How will the humans affected by this incident feel about our communication and, more importantly, our organization?

Will they feel confused by technical jargon, or will they clearly understand what happened?

Will they feel abandoned after the initial notifications or supported throughout their experience?

Will their emotions be dismissed, or will they feel genuinely understood?

The technical aspects of cyber response are critical, and equally important is maintaining human connection during a digital crisis. When we approach cyber crisis communications with this level of awareness, we do far more than manage incidents — we help people feel heard, seen and understood during moments when they need it most.


Subscribe to Strategies & Tactics


*Strategies & Tactics is included with a PRSA membership