For small business owners, the thought of a cyberattack can feel distant – something that happens to big companies with vast databases and deep pockets. But the reality is that cybercriminals are increasingly targeting smaller firms, often because they lack the defences of their larger counterparts.
No business is too small to be a victim. And, should the worst happen, how you communicate – what you say, how quickly you say it, and who you say it to – in the hours and days that follow can make or break your business’s reputation.
It isn’t just about damage control; it’s about showing leadership, earning trust, and reassuring customers, staff, and stakeholders that you’re taking the situation seriously, that you have a plan in place, and that you’re actively working to resolve the issue.
The first instinct after discovering a data breach or attack may be to shut everything down or go quiet while you figure things out. But a lack of communication can make the situation worse, not just for your customers, but for your team, regulators, and the public.
That doesn’t mean issuing rushed statements or laying blame before you know the full picture. It means being calm, clear, and honest about what’s happening, even if the only thing you can say right now is: “We’re investigating and will share more as soon as we know.”
Do start with your team
Before posting publicly, make sure your staff are informed. They’re likely to be fielding calls, emails, or even social media messages. Ensure they know the approved message and where to direct queries.
Do notify your customers quickly
If customer data is affected, or there’s a chance it could be, don’t delay. Even if you’re still investigating, issuing an early warning will allow people to take precautions, such as changing passwords or monitoring their accounts for unusual activity. Where appropriate, encourage these actions clearly but calmly.
Do report to the right authorities
Depending on the nature of the breach, you may be legally required to report it to the Information Commissioner’s Office (ICO) within 72 hours. You should also contact Action Fraud and your cyber insurance provider, if you have one.
Do use plain English
It’s generally best to avoid technical jargon like “unauthorised access via third-party vulnerability” as it can cause unnecessary confusion. Speak clearly: what happened, what it means, and what you’re doing about it.
Do show empathy and accountability
Even if the breach wasn’t your fault directly, your customers and clients want to know you care. Acknowledge the inconvenience or stress caused and take responsibility for putting things right.
Don't speculate
It can be tempting to reassure people with phrases like “no data has been stolen”, but unless you’re certain, avoid making promises you may have to backtrack on.
Don't shift the blame
Blaming your IT supplier or a rogue employee might be factually correct, but it can come across as evasive or as though you’re looking for a scapegoat. Own the problem, then show what you’re doing to fix it.
Don't go dark
In the absence of communication, people may assume the worst. Keep your stakeholders updated regularly, even if you don’t have new information to share.
Don't forget about social media
Customers may vent frustrations online or ask public questions. Monitor your channels and respond carefully, but don’t get drawn into arguments or respond emotionally.
The best way to manage a crisis is to be well prepared before it happens. Even a basic communications plan can save hours of stress and prevent poor decisions.
At a minimum, identify:
Who will speak on behalf of the company (to customers, press, regulators)
What channels you’ll use to update people (email, website, social media)
How you’ll keep staff informed internally
Having a few pre-written templates that can be tailored in a crisis can be invaluable.
A cyberattack doesn’t have to destroy your business, but mishandling it can do lasting damage. In an age of data leaks and digital disruption, businesses that communicate clearly and act decisively are often better placed to recover, rebuild trust, and move forward.
Joe is an experienced writer, journalist and editor. He has written for the BBC, National Geographic, the Observer, Scientific American and VICE. As a business expert, his work frequently spotlights the ventures and achievements of small business owners.