Response. Recovery. Reputational rehabilitation. As cybersecurity incidents have grown more complex and prevalent, a third strategic communications step has become essential: thoughtful, ongoing communications to restore confidence after the incident itself has been resolved.
This may seem counterintuitive; in the age of “breach fatigue,” attention is likely to quickly shift elsewhere, right? Not so for core stakeholders like customers, employees and investors, who may feel betrayed and continue to scrutinize the organization moving forward. To fully regain their trust, an attacked organization should demonstrate a continued commitment to cybersecurity and meaningful security enhancements.
This requires careful balancing in communications activities post-attack.
First and foremost, any communications aimed at shoring up stakeholder confidence naturally draw more attention to the incident. It is extremely important that the victimized organization show a return to normal-course business. Second, unlike traditional response and recovery communications, which can be rigidly driven by legal requirements, reputational rehabilitation requires narrowly targeted, creative tactics that capture attention and feel genuine. Third, reputation-rehab communications require concrete commitments to institutional change that the organization must then live up to. If a company publicly pledges 10 steps it will take to fortify its systems, it will be held to account. However, announcing security enhancements can provide a road map for future attackers, so any rollout of these changes cannot be too specific. Finally, it can take months of sustained effort across multiple channels to effectively reach multiple audiences. Difficult as it is in the chaos of an incident, the planning for this work should start mid-incident – not after the dust has settled.
Therefore, coordination is key: corporate communications apparatuses and cybersecurity, corporate affairs and external advisor teams must work in lockstep to ensure the company’s reputation is rebuilt in alignment with its broader strategy and positioned for ongoing success.
Creative tactics for rebuilding reputation
The goal of reputational rehabilitation is to reassure stakeholders that cybersecurity is a top priority, while also guiding them to refocus on the company’s otherwise favorable reputation, broader business objectives and overall strategic plan. But this can’t just be said outright – seeding these themes takes time, strategic message calibration and creativity. Tactics that engage and excite audiences, even after the buzz around the incident has subsided, can help convey crucial messages that effectively get the train back on the tracks. For example:
Research and thought leadership
The company can take on a broader analysis role, studying how incidents are unfolding across their industry, what trends are taking shape or how key audiences perceive certain kinds of response communications. These insights can then form the basis for impactful thought leadership that provides important context audiences will be interested in, unlocks opportunities for potential earned media and can be repurposed over time to continually engage different audiences on a range of owned and earned platforms.
Custom video content for internal audiences
Meeting employees where they are with tailored, personalized stories is also a great way to help them feel reconnected to the brand. Videos featuring commentary from leaders highlighting ongoing cybersecurity updates or stories of how those updates have impacted customers and teams can be powerful and remind employees to be vigilant about security. This same format can also be utilized for business-as-usual messaging that reaffirms the company’s onward and upward trajectory, strategic positioning and core objectives both internally and externally.
Paid targeting
Stakeholders are fragmented and the landscape is crowded. Paid targeting gives companies the ability to directly reach certain job titles, demographics or geographic locations, ensuring that messages land with the right people at the right time. It also affords the ability to tailor messaging; for some audiences, it may be more appropriate to pivot to more positive, generalized themes, while for others with continued concerns, reiterating key messages around the organization’s improved cyber approach may be a more tactful and influential approach.
Bringing it all together
Now for the most important part: strategic coordination. If the company has not done multi-faceted campaigns of this nature before, it is often worth bringing in outside communications support with expertise in cyber incident and recovery communications. A specialized firm can help with stakeholder mapping, provide a comprehensive understanding of overall business strategy, advise on how to build a post-incident campaign with that strategy in mind and guide when and where to place messages. They can also track how campaigns are resonating and help update messaging on a rolling basis for specific audiences to maximize impact on long-term reputational success.
Then, all this work must also be aligned with the company’s cyber recovery plan, larger corporate positioning narrative and, where relevant, legal strategies. This entire effort must be closely coordinated with legal counsel as well as internal cyber and communications leaders to create cohesive messaging that helps the company’s cause without inviting further risk.
Why reputational rehabilitation
Ongoing reputational rehab takes a lot of moving parts to come together effectively. But the payoff is clear. Effective reputational recovery can restore trust, win new customers and positively position the company in a risk-aware market. It can turn a serious crisis into an opportunity to re-engage and reconnect with key stakeholders — ultimately making the company more resilient in the face of future challenges.