Cybersecurity incidents are no longer rare, isolated events. As organisations face growing threats from data breaches, ransomware and other cyberattacks, reputation is increasingly shaped long before a crisis occurs. From media engagement and thought leadership to stakeholder trust and organisational preparedness, communications can play a critical role in building credibility before a breach makes headlines.
Telum Media spoke with Oliver Ellerton, Director at Ellerton & Co. Public Relations, about the reputational challenges of cyber incidents, the value of pre-crisis credibility, and how communicators can help strengthen organisational resilience.
Cyberattacks and data breaches have become a recurring headline globally. From a communications standpoint, what makes cybersecurity incidents particularly challenging for organisations to manage in terms of reputation?
Security breaches are no longer a question of “if”, but “when”. For communicators, the challenge is not whether a cyber crisis will happen, but whether they are prepared to respond when it does.
A few things make cyber incidents different from most crises. The first is speed - or more accurately, the gap between when a breach occurs and when it is detected. According to IBM's Cost of a Data Breach Report 2024, organisations take an average of 258 days to identify and contain a breach. By the time communications begins, the organisation is often already on the back foot.
The second challenge is technical complexity. Most organisations struggle to explain what has happened in a way that is both accurate and accessible. The result is often either vague statements that say very little, or overly technical explanations that confuse rather than clarify.
There is also a stakeholder challenge. A breach can affect customers, partners, regulators, employees, and investors simultaneously - each with different expectations. Messaging that reassures one group can raise concerns for another, making it difficult to strike the right balance under pressure.
The regional dimension adds another layer. Asia was the most attacked region globally in 2024, accounting for 34 per cent of all incidents investigated according to IBM's X-Force Threat Intelligence Index. However, the approach to disclosure varies widely across markets. That gap between legal obligation and actual practice can itself become a reputational risk.
What does “pre-crisis credibility” look like in the context of cybersecurity communications, and why is it increasingly important in today’s threat landscape?
Pre-crisis credibility comes down to a single question: is your brand one that can be trusted? Everything else - from whether leadership has spoken publicly about cyber risks to whether journalists and analysts understand how the organisation operates - builds from that.
It is the cumulative result of how an organisation communicates before anything goes wrong. In cybersecurity, this foundation is particularly important because the default assumption after a breach is that the organisation knew more than it disclosed, or acted too slowly. You are starting the conversation at a deficit.
Much of this credibility is built through consistent, often unglamorous work - media relationship sessions, off-the-record briefings, and showing up before there is anything to announce or defend. Over time, this creates familiarity and trust that can shape how an organisation is perceived when an incident occurs.
What pre-crisis credibility looks like in practice: leadership engaging on cybersecurity topics in trade and business media before there is a headline. Companies proactively discuss their governance processes, which include board-level oversight, investment decisions, and training programmes as well as maintaining a visible presence in relevant industry conversations.
As cyber incidents become more frequent, stakeholders are no longer judging organisations solely on how they respond, but on whether they appeared to take the risk seriously beforehand. Those who have built that foundation tend to be viewed as more credible, while those who do not often appear reactive - even if their response is sound.
Many organisations only engage the media after a breach happens. How can communicators proactively work with journalists to build understanding and credibility around cybersecurity issues before a crisis unfolds?
Many organisations hesitate to engage with journalists unless they have something to announce. In cybersecurity, that approach can be counterproductive. Relationships built before a crisis are often what determine how an organisation is covered when something goes wrong.
Journalists are generally more responsive to organisations that are accessible and willing to provide insight without any product agenda. Offering subject-matter expertise - for example, having a CISO or Head of IT explain how certain threats work or share lessons from industry incidents - is genuinely useful to journalists and helps build relationships.
Providing data and original insight is also effective. Cybersecurity reporting is often driven by numbers and case studies, so organisations that can contribute research or analysis, even within a specific niche, are more likely to build ongoing engagement with media and be positioned as a source, rather than just a subject.
Participating in broader industry conversations also helps establish credibility over time. Whether through forums, panels or briefings, these interactions create familiarity, so that when a story breaks, journalists are more likely to approach organisations that have already demonstrated knowledge and openness.
Another approach is spokesperson briefings. Although walking journalists through a technical topic or industry trend with no immediate news peg is a significant time investment, it pays off. Reporters remember who helped them understand something, and when a story breaks, they are far more likely to reach out to those who have already demonstrated their expertise.
None of this requires disclosing sensitive information. It requires an investment of time, substance, and a willingness to engage meaningfully before a crisis occurs.
Beyond media outreach, how can thought leadership contribute to building reputational resilience around cybersecurity before an incident occurs?
Thought leadership is often discussed but not always executed well. A lot of what passes for thought leadership is essentially repackaged press releases and AI-generated op-eds. That is not what I am talking about.
Effective thought leadership demonstrates that leadership is actively engaged with cybersecurity as a business issue, not just a technical one. It shows a willingness to address difficult questions and, importantly, provides something useful to the audience, whether that is journalist, regulator, client, or investor.
This could take the form of a CEO writing publicly about why cybersecurity governance needs to sit at board level, not just under the IT function. It could also be senior executives sharing insights on industry-specific threats or contributing meaningfully to discussions around regulatory developments.
The value from a reputational standpoint is straightforward. When an incident occurs, stakeholders will ask whether the organisation took cybersecurity seriously. A visible track record of informed and consistent engagement helps answer that question. While it does not eliminate reputational damage, it provides important context that the organisation has been aware and engaged in cyber-related issues.
Cyber preparedness is often associated with well-resourced multinational companies, yet smaller organisations are increasingly targeted. How should communicators adapt their role and priorities across businesses of different sizes, and where can smaller organisations focus their efforts to have an effective reputational impact?
This is where the gap between perception and reality is most pronounced. There is a widespread assumption that attackers target large organisations because that is where the money is. In practice, Verizon's 2025 Data Breach Investigations Report found that ransomware was present in 88 per cent of SMB breaches, compared to 39 per cent for larger organisations, underscoring the scale of the risk for smaller businesses.
The challenge is that these organisations typically have fewer resources, less experience in crisis management, and limited media relationships. As a result, communicators need to focus on a smaller set of high-impact priorities.
The mistake smaller organisations often make is assuming that reputational strategy is only relevant once you are at a certain scale.
And when an attack lands, the financial exposure goes well beyond the initial demand. Verizon’s same report puts the median ransom payment for SMBs at US$115,000 - before you factor in downtime, recovery costs, regulatory penalties, and the reputational fallout that can take years to repair. That kind of impact does not discriminate by company size.
Basic preparedness is critical - having holding statements ready, clearly defined spokesperson roles, and an understanding of regulatory obligations. Beyond that, building a modest but credible presence in relevant industry communities can help establish context and familiarity. Owned channels, such as LinkedIn, can also play a role in signalling how the organisation approaches its operations, including its commitment to responsible practices.
The communicator's job, regardless of the size of the organisation, is to help leadership understand that the reputational dimension of a cyber incident is not a secondary consideration. It is central to recovery.
-2.jpg)
.jpg)
