
“You don’t want to be on that list.” Cybercrime Magazine’s Paul John Spalding and Steve Morgan, Founder of Cybersecurity Ventures, discussed in a March podcast how cyber incidents have a lasting impact on an organization’s reputation.
As Spalding and Morgan agree, transparency during and after a cyber incident appears to correlate directly with long-term reputation. People want to know what is happening, why and how it happened, and what will be done differently to prevent it from happening again. During a cyber incident, the response needs to be clear and prompt. A lack of customer-facing response, or a delayed one, may be interpreted as incompetence or deceit.
As seen in so many very public and very significant incidents, taking ownership of the incident and responding quickly with clear and forthright communications changes the public perception of a response. Regardless of whether the incident was caused by an insider mistake, an external threat actor, or a third-party vendor, the organization that owns the data or the system is judged on how it responds. Historically, a poorly planned or absent response continues to cause reputational harm long after the incident itself.
Which do you prefer: to be left to wonder, with no information, or to be told “we are aware of a problem and are investigating”? Or would you prefer “we are aware of the problem; we will continue to provide updates every two hours as we investigate”? All three of these responses (including silence) provide no details about the incident. But the latter two give some assurance that this is a priority and that SOMETHING is being done.
Incident response planning is an essential part of organizational cybersecurity. In the best interest of organizational reputation, the incident response plan should include the following, to address reputational risk:
- draft internal and external communications for high-risk and/or high-likelihood scenarios
- draft communications for issues of availability, integrity, or confidentiality of critical systems, including internal and cloud systems
- a communications plan: Who is going to be the voice of the organization? Does everyone else know they are not the voice? How frequently will communications occur? What methods of communication should be used, if available? What if those methods are unavailable because of the incident? The plan should be legally vetted, if possible.
- transparent after-action communications, to the extent allowed by any legal advisers
Practice and training are important for incident response, including plans for how the organization will minimize reputational harm. Poor, disorganized, slow responses will be judged and remembered; lasting reputational harm results from being on that list of poor responses.
Need help creating an incident response plan or want a fresh set of eyes on your current plan?
Considering testing your plan through a tabletop exercise? Email security@more.net
References:
The Collateral Damage of Cyberattacks: Reputational Harm, Cybersecurity Magazine, March 17, 2025.