Crisis communications: your last line of defence after a cyber-attack?
When organisations suffer a cyber-attack, crisis comms are the ‘protector of last resort’ essential to buying the time and goodwill to allow the recovery processes and procedures to take effect.
What’s the most critical form of defence when a crisis hits? Many in the IT community would say cyber resilience. But this author believes that crisis communications is the true last line of defence, and he is not alone.
I recently attended a webinar titled Cyber Resilience: Your Last Line of Defence. It was insightful and well-presented, but I found myself disagreeing with the premise. To protect internal processes, cyber resilience should be the first line of defence.
When protecting brand value and reputation (ie external perception), effective crisis communications is your only form of defence. The ability to communicate clearly, quickly, and credibly under pressure will protect the longevity of an organisation when all else fails.
ChatGPT agrees when asked:
“If you could only provide one technology solution in a crisis, what should it be to protect the longevity of the organisation?”
Its response:
“Your ONE tech solution should be built to manage external communications under pressure, with clarity, speed, and credibility.”
After decades in IT disaster recovery and business continuity, it may seem counterintuitive that I now champion communications above all else, but a personal lightbulb moment made this so.
I’ve always positioned technology solutions by understanding the risk and the mitigation required, which focused on data protection and rapid system recovery. By default, the client would also mitigate reputation damage.
That argument still stands. However, public perception of what is acceptable service, particularly the expectation around speed of response and communications, has changed. The speed of IT recovery has also changed: a single server recovery takes seconds, but a server within a network that has suffered ransomware or a cyber-attack may take months!
Protecting internal processes and reputation management are the two sides of the crisis coin, one without the other and you’ve got a dud!
I fear that organisations and suppliers implementing ‘resiliency solutions’ have missed that other side of the coin. Crisis communications are the ‘protector of last resort’ essential to buying the time and goodwill to allow the recovery processes and procedures to take effect.
The conversation that changed my thinking
This was driven home one Sunday in our local village shop of all places. I struck up a conversation with the man serving about our respective day jobs. He mentioned he had a company that provided an online ‘dark site’ that enables global clients to publish crisis updates, issue clear instructions, and manage media and stakeholder expectations, even after they had lost all IT and communications capabilities for several days. In effect they were able to buy time to recover and mitigate reputation damage.
It was a revelation: when everything else fails, the ability to communicate can be the difference between survival and ruin and when all IT is down, as with a cyber-attack, this is a key strategic challenge.
Why crisis comms must be independent
The ability to have access to a dedicated, independent communications platform is essential to ensure communications are issued in a crisis whatever the IT circumstances. Arguably it’s the most critical layer in your resilience strategy. Without it, all the investment in business continuity planning and IT resilience can unravel in minutes.
For years, I’ve observed a gap in how organisations view risk. They tend to focus on known, immediate threats, while overlooking evolving threats. The current blind spot is how crisis messaging will reach audiences when the usual channels are uninterested or compromised.
Risk perception shifts: A reactive pattern
Historically, it’s taken major events or technology shifts to trigger serious investment in resilience:
- In the late 1980s and early 1990s, terrorist bombings drove rapid growth in IT disaster recovery.
- The Year 2000 (Y2K) issue prompted a wave of continuity planning and IT refreshes.
- In the late 2000s, real-time IT systems pushed organisations toward data replication and high-availability architectures.
- The 2010s saw a surge in cybercrime, which led to the rise of integrated resilience solutions.
Despite all this progress, reputational risk, a consistent concern for executives, has remained under-addressed in practical, actionable terms. The assumption has been that comms will somehow “be there” when needed. That assumption is dangerously outdated.
The modern threat landscape has changed
Today’s threats are more insidious and more frequent: ransomware, supply chain breaches, friendly-fire outages like the 2024 CrowdStrike incident. These don’t just take out IT systems, they disable email servers, websites, and even the authentication infrastructure that gives staff access to their devices.
In such scenarios, the question is stark: How do you reach your audience?
If your backup communications plan relies solely on internal systems or third-party social media platforms that you don’t control, your crisis message may never be delivered, or will be lost thanks to algorithms that probably won’t be prioritising your messages. The consequences are stakeholder confusion, customer frustration, and long-term reputational damage.
Is crisis communications the current gap?
All signs point to yes. Crisis communications often sit at the edge of the business continuity conversation, touched on, but rarely prioritised in technical and recovery planning. So, what is to be done?
Bridging the gap
To address this growing risk, crisis communications professionals should be asking some key questions:
Is crisis comms fully integrated into our resilience strategy?
Too often, PR and comms teams are treated as passive recipients of continuity plans rather than active contributors. Their input is critical from the start. If your organisation is siloed, critical requirements will be missed.
Do we control a standalone, resilient communications channel?
Organisations must control their primary crisis communications platform, not rely on infrastructure that could be compromised during an incident. If the platform has dependencies on your organisation’s IT infrastructure (DNS, hosting, authentication), you are at risk. The platform should be hosted separately, stand-alone, and active within minutes.
Do we have a clear “page of truth” plan?
A designated, independent web location where stakeholders can find verified updates is essential in times of uncertainty. A dark site ‘page of truth’, available in minutes, is essential to help frame the posture of the company and provide appropriate gravitas to crisis messaging.
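The two questions above come down to a dependency inventory: does the dark site share any single point of failure with the estate that may be down? The following is an added illustration, not code from the article or from PressArea. It models both platforms as a list of providers per category, flags every category where the crisis platform leans on the same provider as the primary estate, and also flags a crisis hostname that sits under the primary registrable domain (a compromised or hijacked zone would take it down too). All platform names, hostnames and provider identifiers are constructed placeholders, and the registrable-domain helper is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
"""Dependency-independence check for a crisis 'dark site' (constructed example)."""
from dataclasses import dataclass

# Categories in which a crisis platform must not share a provider with the
# primary estate if it is to remain reachable and publishable during an incident.
CRITICAL_DEPENDENCIES = (
    "dns_registrar",
    "dns_nameservers",
    "hosting",
    "identity_provider",
    "publishing_credentials",
)


@dataclass(frozen=True)
class Platform:
    name: str
    hostname: str
    dependencies: dict  # category -> provider identifier (constructed values)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def same_zone(primary_host: str, crisis_host: str) -> bool:
    """True if the crisis site lives under the same registrable domain as the primary site."""
    return registrable_domain(primary_host) == registrable_domain(crisis_host)


def shared_dependencies(primary: Platform, crisis: Platform) -> dict:
    """Return {category: provider} for every critical dependency the two platforms share."""
    shared = {}
    for category in CRITICAL_DEPENDENCIES:
        p = primary.dependencies.get(category)
        c = crisis.dependencies.get(category)
        if p is not None and p == c:
            shared[category] = p
    # A crisis hostname under the primary zone inherits that zone's registrar and DNS risk.
    if same_zone(primary.hostname, crisis.hostname):
        shared["dns_zone"] = registrable_domain(primary.hostname)
    return shared


def is_independent(primary: Platform, crisis: Platform) -> bool:
    """True only when the crisis platform shares no critical dependency with the primary estate."""
    return not shared_dependencies(primary, crisis)


# Constructed inventories: one weak design and one independent design.
PRIMARY = Platform(
    name="corporate website",
    hostname="www.example.com",
    dependencies={
        "dns_registrar": "registrar-a",
        "dns_nameservers": "ns.registrar-a",
        "hosting": "corp-datacentre",
        "identity_provider": "corp-sso",
        "publishing_credentials": "corp-sso",
    },
)

WEAK_DARK_SITE = Platform(
    name="status page on corporate domain",
    hostname="status.example.com",  # same zone as the primary site
    dependencies={
        "dns_registrar": "registrar-a",        # same registrar
        "dns_nameservers": "ns.registrar-a",   # same nameservers
        "hosting": "cloud-cdn-b",              # different hosting (good)
        "identity_provider": "corp-sso",       # editors log in via corporate SSO
        "publishing_credentials": "corp-sso",  # nobody can post if SSO is down
    },
)

INDEPENDENT_DARK_SITE = Platform(
    name="vendor-hosted dark site",
    hostname="example-updates.net",  # separate registrable domain
    dependencies={
        "dns_registrar": "registrar-c",
        "dns_nameservers": "ns.registrar-c",
        "hosting": "vendor-darksite-host",
        "identity_provider": "vendor-local-accounts",
        "publishing_credentials": "vendor-hardware-tokens",
    },
)


if __name__ == "__main__":
    for site in (WEAK_DARK_SITE, INDEPENDENT_DARK_SITE):
        overlap = shared_dependencies(PRIMARY, site)
        verdict = "independent" if not overlap else f"shares {sorted(overlap)}"
        print(f"{site.name}: {verdict}")
```

Run as a script it reports the weak design as sharing registrar, nameservers, SSO, publishing credentials and DNS zone with the primary estate, and the vendor-hosted design as independent. The same check can be re-run whenever a provider changes, which is the point: independence is a property to be verified, not assumed.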
Final thoughts
In a crisis, speed matters. Clarity matters. But above all, control matters.
Crisis communications isn’t just an output of your resilience strategy; it’s a foundational part of it. And as threats become more frequent, complex, and reputational in nature, the tools and technologies that support crisis comms must be reviewed with the same rigour as your backup systems, failovers, or cyber defences.
We’re no longer just protecting data or IT availability, we’re protecting trust.
Nigel Hoggart is a crisis communications specialist at PressArea. With over 30 years in IT disaster recovery and business continuity, he has worked with leading organisations including Sungard AS, HP, Network Disaster Recovery and IBM. This post was originally published on the CIPR Crisis Communications Network website.
Further reading
- This is not just any crisis comms email, this is an M&S crisis comms email
- Five vital comms lessons from the tragedy of flight 5342
- Cybersecurity: ‘when’ rather than ‘if’ your organisation is targeted