The Often-Overlooked Risk in Cyber Security
Cyber-attacks are on the rise. According to the FBI’s 2025 Internet Crime Report, losses from cybercrime reached $21 billion in 2024, which is a 33% increase over the previous year.
The main drivers behind the uptick: AI, ransomware as a service, supply chain vulnerabilities, geopolitical instability, and hacktivism.
Bottom line: organizations of all types and sizes are at a higher risk of being the target of an attack that could cause major disruptions to their business and cost them huge sums to address.
But while most leaders are investing heavily in technical defense, they often ignore a critical operational risk: how they communicate within and outside of their organizations before, during, and after an attack.
In my experience running pressure tests for leadership teams around cyber-security, the same vulnerabilities show up time and again. Let me walk you through the big ones to watch out for and share some advice on how to make sure the concern people have when you’re the victim of cybercrime doesn’t turn into panic.
1. Make Sure You Have a Communications Pro on Your Incident Response Team
If your incident response team is comprised only of people who are responsible for triaging technical issues, you’re at a disadvantage. Because a cyber-attack isn’t solely a technical issue. It’s an attack on your operations, your reputation, and the trust you want people to have in you. Communications plays a critical role in these areas – especially during an incident, when answers are hard to come by initially and confusion reigns. You need a senior communicator on the team, and in the room when decisions are being made, to ensure stakeholders stay informed – so their trust in you doesn’t begin to erode.
2. Bridge the Gap Between Tech and the C-Suite
I often see a dangerous disconnect between technical teams and executive leadership. And it’s usually because they don’t speak the same language and view the world through different lenses. It’s understandable, given their roles. But it can lead to trouble when a cyber-attack occurs. A tech team might be keeping an eye on an issue or anomaly in the system that – in their minds – warrants further investigation. But they may not see it as an emerging business risk that needs to be elevated to leadership. That’s one way of being caught off guard. Another is that leadership may not have the technical background to properly assess whether a systems issue their tech team identifies poses a risk to their business. In either case, it could lead to underestimating the impact of an emerging issue, and that could cause you to respond too late and be run over by the attack.
3. Don’t Hunker Down
The biggest mistake you can make is saying nothing until everything is resolved. Today, information moves too fast for a wait-and-see approach. If you stay silent while you figure things out, you allow others to fill that void with speculation and fear.
Even if you eventually fix the technical problem, the damage you might do to your reputation during and after the incident – by not communicating effectively – could be severe and long lasting.
You don't need all the facts before you begin speaking. I’m not suggesting you get out with conjecture or speculation. Not at all. What I am saying is you can share, pretty early on, what you know – even if it’s not much. You can also talk about what you’re doing to assess and resolve the problem – the steps you’re taking – to demonstrate that you’re on top of the situation. Because that’s what people are grading you on.
I’d also recommend standing up a communication platform that houses the latest, most accurate information and provides updates, so people know where to go to get timely and reliable information as the incident unfolds. If they don’t have that, they’ll be left in the dark – probably to imagine the worst.
4. Prioritize the Team Over the Template
I see too many companies spending hundreds of hours on complex planning binders that try to anticipate every possible threat and end up sitting on shelves. These documents usually fall short in the heat of a real attack.
A better approach is to have a strong, cohesive team that can be assembled at a moment’s notice. A team that has the power to make decisions and move quickly. Agility is more valuable than a 50-page manual.
5. Shore Up Your Monitoring and Feedback Channels
One thing that’s incredibly important to have during a cyber-attack is a way to gather credible, real-time information about the impact the incident is having on your employees, customers, vendors, suppliers, regulators (if you have them), your board (if you have one), and other important constituents attached to your business. If you don’t have a feedback loop already established, it’s going to be hard to get that kind of information. And without it, you’re flying blind. You won’t know how much damage the incident is causing downstream – or what the people important to you are thinking and feeling. That only raises the likelihood of you missing the mark with any communication you send out and, ultimately, of people losing trust in you.
The Bottom Line: Understand that a cyber-attack isn’t just a strike on your technology and systems. It’s an attack on your entire business and your reputation. You may not be able to stop every hacker who’s coming after you. But you can prevent yourself from exacerbating an attack by fumbling your communications response to it.