Crisis media management: How to handle the media following a cyber-attack

Thirty Seven is a journalist led content creation and web design agency.

We put journalistic principles at the heart of every piece of content we produce and every website we build for our clients.

CONTENT MARKETING / Email Marketing / Blogs / Social Media Content / Articles / Podcasts / Speech Writing / Presentation Design / White Papers / eBooks / Infographics / Interactive Games / Surveys / Contests / Magazines

DESIGN & DEVELOPMENT / Branding / Web Design / Web Development / Digital Design

How to handle the media following a cyber-attack

Hospitals across the country were hit last week in what has been said to be the biggest ransomware outbreak in history.

Around 40 NHS organisations and some medical practices were affected, with operations and appointments cancelled.

But it was not an incident which was confined to the UK. Globally there were 75,000 attacks in 99 countries, including to the German railway network, Spanish telecoms and the Russian interior ministry.

The incident has put cyber attacks firmly on the media agenda and exposed cyber security vulnerabilities.

Understandably, much of the focus has been on what could have been done to prevent the attacks.

But it is also important to consider how organisations should handle the media interest in the event of something similar happening.

Here are our tips for managing a crisis media management incident caused by a cyber-attack:



The starting point is to have a specific crisis media management plan. You should have an overall crisis communication plan, but dealing with a crisis caused by a fire, industrial accident, product recall or power failure is very different to managing one caused by a cyber-attack. Although some of the principles will be the same, it is likely that in a cyber-incident it will be less easy to determine exactly what you are dealing with. Breaches are often reported by people outside the organisation, immediately putting organisation’s in a reactive position, and they can take place over a long period of time.    


Once it is clear your organisation has become a victim of a cyber-attack, it is crucial you respond promptly to the incident to show you are aware of the issue. Even if there is little you can say at that point, it is important you confirm there is an issue and that your customers know you are working to understand and resolve the problem. This will help to position you as an authoritative source of information and help prevent rumours and conjecture. Acting slowly or with uncertainty, on the other hand, will cause you to lose trust.

'Responding slowly or with uncertainty to a cyber attack will cause organisations to lose trust' via @mediafirstltd



Think carefully about the spokesperson you want to put up in front of the media. Many organisations will naturally default to their CEO in a time of crisis, but does your CEO really know enough about IT security to get your messages across and withstand potentially hostile interviews? Do you want to expose their lack of expert knowledge? It needs to be someone senior, so perhaps the IT Director would be a better option. It is crucial your spokesperson comes across as both credible and knowledgeable. They need to have previous media experience and recently been on a media training course.

One voice

This does not mean you should only use one spokesperson – if media interest in the incident continues over a number of days you will certainly need more. But you need to ensure that your spokespeople deliver the same message.


If customer data has been compromised, or, as in the case of the NHS incident, services they depend on have been affected, you need to start your media responses and interviews by apologising. Be sincere and human and show your customers they are upmost in your thoughts.


Don’t make excuses or blame others, such as third party suppliers in your media work. You are responsible for selecting these suppliers and working in the best interest of your customers. Blaming others also suggests controlling the incident and preventing it from happening again is out of your hands. Own the issue and take responsibility.

'Blaming others for a cyber incident suggests controlling it is out of your hands' via @mediafirstltd



Keep customers informed both through direct communication and through the media and communicate regularly so they continue to see you as the main source of information throughout the crisis. Ensure you are open and honest with them


Use the same channels as your customers – if your customers are raising concerns and asking questions on Twitter, for example, it’s important you also use that channel to make them aware of what you are doing to resolve the problem.

Media interest

Be aware a journalist could contact anyone in your organisation for information about the attack. Make sure your employees know where to direct any media interest and are properly trained.

'Be aware a journalist could contact anyone in your organisation for details about the cyber attack' @mediafirstltd 



Media First are media and communications training specialists with over 30 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers. 

Click here to find out more about our highly practical crisis communication and media training courses.


Subscribe here to be among the first to receive our blogs.



comments powered by Disqus

Get in touch to discuss your training needs
0118 918 0530 or or tell us how we can help