Kiri Coughlan moves into leisure and tourism sector

In times of crisis, how and when you communicate is as important as what you say. Is a medium fit for purpose yesterday, before the crisis, right for a crisis today? You must be able to answer that question before you set sail on the crisis communication journey.

The medium you choose and your speed to communicate send a very clear message. Crises can get out of hand quickly with the 24-hour news cycle, AI, the internet, or social media. While these change the speed at which information spreads, they don’t change the fact that you must understand what is happening here and now.
That has always been the case with crisis communication. You must know what is going on around you and what is affecting your stakeholders. Importantly, know where impacted people will be heading for information, and how to reach them at any given time.

In his book Understanding Media: The Extension of Man, communication theorist Marshall McLuhan famously wrote: “the medium is the message.”

He used a light bulb as an example of a medium, surmising that the electric light is pure information. It is a medium without a message. It is a medium that has a social effect in that it enables people to create spaces during bleak times that would otherwise be shrouded in darkness.

When the crisis occurs, you need to know whether the light will be turned on or off by the medium you choose. That medium differs for stakeholders at different times. You can’t be everywhere for everyone.

You need to determine who you must reach, when you must reach them by, and what medium will send the right message at the right time. The right choice of medium is vital to deliver the message that you are concerned enough to make contact.

Anyone who has heard me speak or read any of my writing will know that I am a fan of "the medium is the message" theory as a critical strategic approach to crisis communication. If you know your stakeholders as well as you should, you will know how they get their information at different times on different days, and can therefore effectively communicate with them.

Choosing the right medium at the right time

One of the problems of working in crisis communication is that using real case studies invariably breaks confidentiality, so my examples are 100 per cent fictitious.

Say you are a promoter of a music festival, and on the first morning, you are informed that several patrons have collapsed at the event from what appears to be a potentially fatal reaction to a pill they may have taken. The police inform you that recently, a bad batch of drugs was brought into the city. You have a crisis.

Your key stakeholders in the first instance are those on their way and at the festival. You must get to them, the other patrons who may take these pills, before you try to manage the potential reputational fallout.

At the venue, you stop the video feed to the big screens and post a message. You hijack the social media feeds, hashtags, and online commentary surrounding the festival. You post a picture of the offending pills online, on Reddit, TikTok, and on the event’s owned channels.

All this must be done before you worry about the impact of this news on your reputation. Remember the golden rule of crisis management: people first, then reputation, and then dollars.

By using the media that matters most to your most important stakeholder in this situation - those at risk of taking the pills - you are well down the path to managing the crisis. Now you can attend to reputation, but you have already taken the first big step in managing the event’s reputation by prioritising people, understanding your audience, and communicating with them immediately through their preferred medium.

When people look back on how you acted, they will see a responsible, knowledgeable, and caring organisation. That goes a long way in protecting a reputation and ensuring the best chance of survival for the event.

Now, let's take a corporate example. A major telco goes down. Obviously, customers can’t be contacted by phone, and when the phones go down, some people are imperilled. They are out of contact; they have devices that rely on being connected. They are scared to be isolated. How does the telco react?

It could happen to any telco, but fortunately, there are three major suppliers in Australia. If one goes down, the obvious best medium is the other two.

Work with them to contact their users and inform them of the details surrounding the other telco outage. The word will spread. People who know vulnerable people will try to contact them. Using word of mouth is not ideal, but it is the fastest and most effective medium in this scenario.

Again, the medium is the message. You reached out quickly through the best way possible in an emergency. A general blast to all media and fast updates to ensure all owned media have up-to-date information prominently displayed, will demonstrate your commitment to customer safety.

Your medium and speed have put people first and are the first steps in protecting reputation. If your competitors are unwilling to cooperate, the media have an even bigger story that doesn’t revolve around you.

Let’s go to a final fictitious example.

Your organisation has been accused in the media of covering up bullying and harassment by a highly ranked executive. This is an example of people in power behaving badly.

Does this crisis affect the organisation or only the individual? Is the individual given the presumption of innocence as prescribed by law? Does the organisation absorb the blows to protect the individual and risk the consequences, which are invariably accusations of ignoring the victim?

Everything is alleged, and nothing is proven. This is an all-too-common occurrence for people and culture professionals and boards. It invariably is left to the communication professional to “do something.”

How can the medium be the message in this circumstance? The number one stakeholder is the workforce. People first. Nothing short of a commitment from the top to get to the bottom of the matter, without staging a witch hunt, will suffice.

Every organisation should have an effective way to connect quickly with employees during working hours, and in many cases, after hours when needed. In this case that’s your medium of choice. It shows you are trying to get ahead of the issue.

What is the most accepted way for top management to communicate with staff? Where do they expect to hear from the top brass? That is your medium of choice. At a time when employees need to hear from the top, reach out to them through the medium they expect you to. Don’t change and don’t improvise. Rely on muscle memory.

In prioritising employee communications, you are respecting that this is an issue which impacts them and that they are the most important stakeholders. Everything else can wait. Remember, people first, reputation second, and dollars last.

People first, always

You have established that you understand that this is about your people, and you care about and respect them.

In each of the examples above, I have touched only on initial moves that not only put people first but, in doing so, lay the groundwork to protect the reputation of the organisation when the inevitable inquisition begins.

The medium you choose to communicate with your most important stakeholders, and the time it takes for you to react to a situation, will be scrutinised just as closely as the words you use.

Douglas Wright is Chief Executive Officer of Wrights, providing strategic counsel to boards and executives navigating complex reputational, stakeholder, governance and public policy challenges.

With more than four decades experience, he has advised leading corporations, industry bodies, government agencies and not-for-profit organisations across Australia and internationally. Prior to establishing Wrights, he founded and led Ogilvy PR Australia.

Douglas is Deputy Chair and a Fellow of Communication and Public Relations Australia (CPRA), a Chartered Public Relations Practitioner (UK), a Fellow of the Australian Institute of Company Directors and a Certified Practising Marketer.

He combines commercial judgement, strategic insight and an ability to shape outcomes in complex environments.

Read more from our columnists in The Earned View  

Limited AI skill may be making communications professionals blind to their own gaps

Feeling more confident about how you use AI?

The rising confidence many communications professionals feel about artificial intelligence is not hard to explain. The tools have improved quickly. They are easier to use, more widely available, and increasingly embedded in the apps people already rely on, including search, email, documents, meeting notes, and the daily systems of work.

But ease of use is not the same as skill. With generative AI, that distinction is becoming more important and more easily missed.

For the past two years, Sequencr AI has worked with communications teams to empower them to understand, adopt, and scale the use of the technology. At the start of every engagement, we ask participants how they use AI, how proficient they believe they are, how confident they feel about their skills, and where they hope to apply the technology next.

The answers point to a troubling pattern. Communications professionals are becoming more confident with AI, but they are not becoming more proficient. In fact, proficiency has stagnated.

When confidence outpaces capability

Across dozens of Sequencr AI surveys, with more than 1,000 substantive responses, self-reported proficiency has not changed significantly over the last two years. The largest group continues to sit in the middle. In surveys where we asked a comparable proficiency question, 56 per cent of respondents identified themselves as Explorers, one level above beginners. Another 20 per cent identified as Adopters, 12 per cent identified as Skilled Users, and just two per cent qualified as Power Users. 

Confidence tells a different story. In recent surveys, it has risen from an average of 4.2 a year ago, to the mid-6s on a 10-point scale.

In some teams, we are seeing a clear divide. Half of the people with similar proficiency scores reported low confidence in their AI skills. The other half rated their confidence at 7 or 8 out of 10, even with the same reported proficiency.

People are more confident of their AI skills even though their proficiency has not changed. 

This dynamic resembles the Dunning-Kruger effect, the cognitive bias in which people with limited knowledge or ability in a specific area overestimate their competence.

For communications teams and agencies, that confidence gap has consequences. It affects what teams try, what they ignore, and what risks or opportunities they fail to see, including:

1. Teams mistake basic use for real capability

Most communications professionals already use AI to draft, edit, summarise, brainstorm, and rewrite. Those are useful applications. They are also the easiest ones.

The larger opportunity is not to make the old workflow a little faster, it is to rethink the workflow itself. AI can help teams test messages across audiences, map stakeholder concerns, identify reputational risks, synthesise competing signals, draft response scenarios, and adapt content across channels with far greater speed and consistency.

A team that believes it is already proficient may never ask the more important question: What could this work become if AI were designed into the system, not simply added to the task?

That is missed opportunity.

2. Teams let AI do the thinking they still need to own

Overconfidence changes how people use AI. When teams believe they are more proficient than they are, they are more likely to accept the tool’s framing, structure, and recommendations without challenge.

That is where confidence becomes a liability. Teams may feel more capable because they are producing more, while becoming less practiced at the thinking that creates real communications value.

3. Teams skip the context layer

Overconfident users often assume the problem is the prompt. If the output is generic, they try a sharper instruction. If it lacks nuance, they ask for another version. If it misses the audience, they rewrite the ask.

But communications work depends on context that a generic prompt cannot supply on its own: the organisation’s history, stakeholder relationships, source environment, issue dynamics, risk tolerance, brand voice, and strategic priorities.

Without that context, AI produces plausible work, not useful work.

That is why the next level of proficiency is not just better prompting. It is building the systems, knowledge bases, and workflows that give AI the right information to work from.

4. Teams fall behind the competitive curve

The biggest risk of misplaced confidence is complacency. If teams believe they are already good at AI, they are less likely to keep pace as the technology changes.

AI is no longer just a prompt box. Agents, automated workflows, and connected tools are beginning to handle more complex tasks: monitoring signals, retrieving context, drafting outputs, and coordinating multi-step tasks.

Teams that overestimate their proficiency may keep using AI in basic ways while assuming they are keeping up.

In a fast-moving technology cycle, that is how confidence turns into competitive disadvantage.

The real confidence issue with AI

That is why the Dunning-Kruger effect with AI in communications is not quite what people assume.

The obvious concern is that AI makes people overconfident about other subjects. Someone asks a tool to explain a legal issue, a financial trend, or a policy debate, then mistakes a fluent summary for real expertise.

Our data points to a different problem.

Communications professionals are not necessarily becoming overconfident because AI makes them feel like experts in everything else. They are becoming overconfident because AI makes them feel more capable at using AI itself.

Our proficiency data suggests there is more to learn and more upside to take advantage of.

Matt Collette is CEO of Sequencr AI, a technology consultancy dedicated to unlocking the full potential of AI for marketing and communications teams. Before founding Sequencr, he was Head of Digital for Edelman Canada and later Global Head of Digital Growth, where he led efforts to embed generative AI across Edelman's global operations.

Matt created the firm's AI task force, launched its first campaign powered by generative AI, and developed tools, prototypes, and training initiatives for clients and internal teams.

Read more from our columnists in The Earned View  

Cybersecurity incidents are no longer rare, isolated events. As organisations face growing threats from data breaches, ransomware and other cyberattacks, reputation is increasingly shaped long before a crisis occurs. From media engagement and thought leadership to stakeholder trust and organisational preparedness, communications can play a critical role in building credibility before a breach makes headlines.

Telum Media spoke with Oliver Ellerton, Director at Ellerton & Co. Public Relations, about the reputational challenges of cyber incidents, the value of pre-crisis credibility, and how communicators can help strengthen organisational resilience.

Cyberattacks and data breaches have become a recurring headline globally. From a communications standpoint, what makes cybersecurity incidents particularly challenging for organisations to manage in terms of reputation?  
Security breaches are no longer a question of “if”, but “when”. For communicators, the challenge is not whether a cyber crisis will happen, but whether they are prepared to respond when it does. 

A few things make cyber incidents different from most crises. The first is speed - or more accurately, the gap between when a breach occurs and when it is detected. According to IBM's Cost of a Data Breach Report 2024, organisations take an average of 258 days to identify and contain a breach. By the time communications begins, the organisation is often already on the back foot.

The second challenge is technical complexity. Most organisations struggle to explain what has happened in a way that is both accurate and accessible. The result is often either vague statements that say very little, or overly technical explanations that confuse rather than clarify. 
 
There is also a stakeholder challenge. A breach can affect customers, partners, regulators, employees, and investors simultaneously - each with different expectations. Messaging that reassures one group can raise concerns for another, making it difficult to strike the right balance under pressure. 
 
The regional dimension adds another layer. Asia was the most attacked region globally in 2024, accounting for 34 per cent of all incidents investigated according to IBM's X-Force Threat Intelligence Index. However, the approach to disclosure varies widely across markets. That gap between legal obligation and actual practice can itself become a reputational risk. 
 
What does “pre-crisis credibility” look like in the context of cybersecurity communications, and why is it increasingly important in today’s threat landscape?  
Pre-crisis credibility comes down to a single question: is your brand one that can be trusted? Everything else - from whether leadership has spoken publicly about cyber risks to whether journalists and analysts understand how the organisation operates - builds from that. 
 
It is the cumulative result of how an organisation communicates before anything goes wrong. In cybersecurity, this foundation is particularly important because the default assumption after a breach is that the organisation knew more than it disclosed, or acted too slowly. You are starting the conversation at a deficit. 
 
Much of this credibility is built through consistent, often unglamorous work - media relationship sessions, off-the-record briefings, and showing up before there is anything to announce or defend. Over time, this creates familiarity and trust that can shape how an organisation is perceived when an incident occurs. 
 
What pre-crisis credibility looks like in practice: leadership engaging on cybersecurity topics in trade and business media before there is a headline. Companies proactively discuss their governance processes, which include board-level oversight, investment decisions, and training programmes as well as maintaining a visible presence in relevant industry conversations. 
 
As cyber incidents become more frequent, stakeholders are no longer judging organisations solely on how they respond, but on whether they appeared to take the risk seriously beforehand. Those who have built that foundation tend to be viewed as more credible, while those who do not often appear reactive - even if their response is sound. 
 
Many organisations only engage the media after a breach happens. How can communicators proactively work with journalists to build understanding and credibility around cybersecurity issues before a crisis unfolds?  
Many organisations hesitate to engage with journalists unless they have something to announce. In cybersecurity, that approach can be counterproductive. Relationships built before a crisis are often what determine how an organisation is covered when something goes wrong. 
 
Journalists are generally more responsive to organisations that are accessible and willing to provide insight without any product agenda. Offering subject-matter expertise - for example, having a CISO or Head of IT explain how certain threats work or share lessons from industry incidents - is genuinely useful to journalists and helps build relationships. 
 
Providing data and original insight is also effective. Cybersecurity reporting is often driven by numbers and case studies, so organisations that can contribute research or analysis, even within a specific niche, are more likely to build ongoing engagement with media and be positioned as a source, rather than just a subject. 
 
Participating in broader industry conversations also helps establish credibility over time. Whether through forums, panels or briefings, these interactions create familiarity, so that when a story breaks, journalists are more likely to approach organisations that have already demonstrated knowledge and openness. 
 
Another approach is spokesperson briefings. Although walking journalists through a technical topic or industry trend with no immediate news peg is a significant time investment, it pays off. Reporters remember who helped them understand something, and when a story breaks, they are far more likely to reach out to those who have already demonstrated their expertise. 
 
None of this requires disclosing sensitive information. It requires an investment of time, substance, and a willingness to engage meaningfully before a crisis occurs. 
 
Beyond media outreach, how can thought leadership contribute to building reputational resilience around cybersecurity before an incident occurs?  
Thought leadership is often discussed but not always executed well. A lot of what passes for thought leadership is essentially repackaged press releases and AI-generated op-eds. That is not what I am talking about. 
 
Effective thought leadership demonstrates that leadership is actively engaged with cybersecurity as a business issue, not just a technical one. It shows a willingness to address difficult questions and, importantly, provides something useful to the audience, whether that is journalist, regulator, client, or investor. 
 
This could take the form of a CEO writing publicly about why cybersecurity governance needs to sit at board level, not just under the IT function. It could also be senior executives sharing insights on industry-specific threats or contributing meaningfully to discussions around regulatory developments. 
 
The value from a reputational standpoint is straightforward. When an incident occurs, stakeholders will ask whether the organisation took cybersecurity seriously. A visible track record of informed and consistent engagement helps answer that question. While it does not eliminate reputational damage, it provides important context that the organisation has been aware and engaged in cyber-related issues. 
 
Cyber preparedness is often associated with well-resourced multinational companies, yet smaller organisations are increasingly targeted. How should communicators adapt their role and priorities across businesses of different sizes, and where can smaller organisations focus their efforts to have an effective reputational impact?  
This is where the gap between perception and reality is most pronounced. There is a widespread assumption that attackers target large organisations because that is where the money is. In practice, Verizon's 2025 Data Breach Investigations Report found that ransomware was present in 88 per cent of SMB breaches, compared to 39 per cent for larger organisations, underscoring the scale of the risk for smaller businesses.  
 
The challenge is that these organisations typically have fewer resources, less experience in crisis management, and limited media relationships. As a result, communicators need to focus on a smaller set of high-impact priorities. 
 
The mistake smaller organisations often make is assuming that reputational strategy is only relevant once you are at a certain scale.  
 
And when an attack lands, the financial exposure goes well beyond the initial demand. Verizon’s same report puts the median ransom payment for SMBs at US$115,000 - before you factor in downtime, recovery costs, regulatory penalties, and the reputational fallout that can take years to repair. That kind of impact does not discriminate by company size.  
 
Basic preparedness is critical - having holding statements ready, clearly defined spokesperson roles, and an understanding of regulatory obligations. Beyond that, building a modest but credible presence in relevant industry communities can help establish context and familiarity. Owned channels, such as LinkedIn, can also play a role in signalling how the organisation approaches its operations, including its commitment to responsible practices. 
 
The communicator's job, regardless of the size of the organisation, is to help leadership understand that the reputational dimension of a cyber incident is not a secondary consideration. It is central to recovery.