Sergey Nivens – stock.adobe.com
By Mikey Hoare, crisis expert, Kekst CNC
Published: 01 May 2025
Recently, M&S, the Co-op, and Harrods faced significant cyber attacks, disrupting operations across the UK. These incidents illustrate not just the chaos from cyber threats but also the communication hurdles companies must navigate with their customers. How organizations handle these tough conversations can make or break their reputation.
M&S has stepped up its communication game, engaging directly with customers and maintaining a proactive tone. However, these messages must align with the actual situation on the ground, which isn’t always straightforward—initial assumptions can turn out to be wrong.
Public reaction to cyber threats is evolving. People have become more aware and are quicker to suspect a cyber attack when disruptions occur. While many aren’t as worried about data loss as they once were, concerns about sensitive information remain high. Moreover, some individuals are increasingly litigious, which adds to the pressure.
Threat actors are also targeting employees and customers directly, trying to push companies into paying ransoms. This tactic can escalate fears, especially if the company has been slow to communicate. In this context, strong internal communication becomes vital. Monitoring media coverage is essential to grasp public sentiment and how your messages are being perceived.
Connecting with customers directly is another effective strategy. M&S has utilized Instagram well for this purpose. The challenge lies in synchronizing communications with the operational response and carefully managing expectations.
Some common missteps include:
-
Overcommunicating too soon: The facts often evolve, and jumping ahead can lead to mixed messages. If you assure customers that their data is safe, only to find out it’s compromised, you risk losing their trust.
-
Undercommunicating for too long: Not having all the details shouldn’t stop you from providing guidance on what to do amid disruptions.
-
Mismatched tone: Companies often emphasize their swift responses or position themselves as victims. Customers might not see them that way, especially if their sensitive information is at stake.
- Ignoring the threat actors in communications: Cybercriminals pay attention to how incidents are reported. They may leverage media narratives to pressure organizations into ransoms.
Some companies handle these situations well, keeping all stakeholders informed and assured about their efforts to mitigate impacts. Regardless of size, companies must continually refine their communication strategies in the face of cyber incidents.
Mikey Hoare is a crisis expert at communications advisory firm Kekst CNC and former Director of National Security Communications for the UK Government.
