Most cybersecurity incident response (IR) playbooks are rock solid when it comes to technical containment, forensics, and recovery. But when it comes to the public side of the response—the part that determines whether your brand emerges with scars or permanent damage—many organizations are flying blind.
Why? Because this part of the response lives at the awkward intersection of executive leadership, legal nuance, and public perception. And it’s often left out of tabletop exercises altogether.
It’s a perfect storm:
Meanwhile, threat actors are getting bolder. They’re not just exfiltrating data—they’re emailing your customers, reaching out to reporters, and pressuring your executive team directly. That eliminates the luxury of controlling the communications clock.
As I recently shared with CSO Online, identity-based attacks are increasing, especially with the proliferation of stolen credentials hitting the market for sale. In 2025, identity is both the perimeter and the blast radius. Attackers don’t need to break in; they just log in. That reality underscores the urgency of brand-focused incident response: attackers are not only exploiting systems, they’re exploiting trust.
So, if your goal is to protect trust - not just systems - during a breach, here are 10 things you need to do:
Your instinct will be to say something quickly. But rushing a statement before you have the facts straight creates long-term problems. Once something is public - whether it’s an error, a mischaracterization, or a guess - you own it.
Acknowledge the issue, if necessary, but wait until your technical and legal teams confirm what’s happened. Every jurisdiction - international, federal, and state - has its own breach disclosure requirements. Violating these through premature or inaccurate messaging creates regulatory exposure and credibility loss.
The right time to communicate is relative to the incident, the industry, the adversary, and your stakeholders. Be disciplined, not reactive.
Legal, regulatory, and communications should be joined at the planning phase, not brought in separately after the breach begins. Every public statement has legal implications. Every regulatory filing has communications implications. And every omission will be scrutinized in hindsight.
Set up a cross-functional war room and make decisions together. Legal protects you from liability. Regulatory ensures compliance. Communications manages clarity and tone. If these aren't aligned, you’ll end up contradicting yourself in ways that erode trust.
Stick to verified facts. This is not the time for corporate storytelling. It’s a time for controlled, lawful, and confident communication.
Don’t hide behind a press release. Talk directly to the people whose data or experience has been affected. That includes customers, vendors, regulators, and elected officials.
Communicate with empathy and clarity. Vague or generic responses, such as “we take your privacy seriously,” only add insult to injury. People want to know what happened, what you’re doing to fix it, and how it affects them. High-touch communication may feel excessive, but the alternative is letting public speculation fill the silence.
Own the moment or lose it.
In the AI era, misinformation moves faster than you can say “no comment.” If you’re not shaping the story, someone else is—possibly the threat actor.
Get your statement into the media narrative early. Don’t wait for reporters to interpret leaked emails or dark web posts. When the media gets something wrong, correct the record immediately and publicly. You don’t have to over-explain, but you do have to show that you’re paying attention and staying in control.
Your adversary already hacked your network. Don’t let them hijack your brand.
A breach is not the time for freelancing. One voice. One message. One approved narrative. That consistency reinforces credibility across every stakeholder group, from customers to board members to regulators.
Create a central comms team with clear approval workflows. Know who’s allowed to speak publicly, and make sure everyone else knows to defer. In a high-pressure moment, undisciplined internal chatter often becomes the next headline.
Control the message, or the message will control you.
Your employees are often your most visible and trusted messengers. In the absence of clear internal communication, they’ll either freeze up or, worse, make it up. The last thing you want is for this to spin into multiple news stories.
Equip your team with internal FAQs, approved talking points, and guidance on what they should say (and not say) to external partners, clients, and vendors. Even a simple “I don’t know the details, but here’s our latest company update” can make a difference.
Employees want to help. Give them the tools to do it.
Breach response is not a one-act play; it’s a series of twists and turns. What you knew on Monday may be obsolete by Wednesday. If your communications don’t evolve with the facts, you’ll look out of touch at best and deceptive at worst.
Build a cadence of updates: internal, external, media-facing. Even if there’s no new information, tell people that. Silence breeds speculation.
And remember: regulatory disclosure laws are the floor for communication, not the ceiling.
Don’t just tell people what happened. Show them what you’re doing next.
Victimhood isn’t a strategy. People want to see accountability and improvement. Highlight the steps you’re taking to prevent a future incident: new tools, new processes, outside audits, organizational changes. Reinforce your commitment to cybersecurity and privacy without sounding defensive.
Reputation repair starts with proof of learning, not just apologies.
Most tabletop exercises revolve around identifying, containing, and remediating a technical breach. That’s great, until the real-world breach hits CNN, Reddit, and Capitol Hill all in the same day.
Test your communication workflows. Pressure-test different escalation scenarios. Include your legal, regulatory, PR, and executive teams. Simulate public responses, media inquiries, and even class-action lawsuits. Practice the communications side with the same intensity you bring to system restoration.
If you haven’t rehearsed your public voice, don’t expect to find it in the middle of a crisis.
Your job isn’t done when the systems are back online. The trust you lost - or protected - during the breach will define your brand for years.
For large-scale incidents, having an existing relationship with a public relations firm is a game-changer. They know how to measure sentiment, craft recovery narratives, and help steer the post-breach brand arc.
Track media coverage. Monitor social media sentiment. Listen to what your customers are actually saying, not just what your legal team wishes they were. Then, plan a trust rebuild campaign rooted in transparency and progress.
Think of this as your “brand remediation” phase. It’s not optional.
If there's one takeaway from today’s threat landscape, it's this: You can survive the breach, but only if you manage the message.
Cybersecurity incidents are no longer just IT problems. They’re public, messy, emotional events that affect customers, regulators, markets, and morale. The organizations that navigate them successfully aren’t just the ones with the best IR playbooks. They’re the ones that treat brand protection as a core part of incident response, not an afterthought.
You don’t get to control if something bad happens. But you do get to control how you show up when it does.
And in a world where trust is currency, showing up the right way is everything.
Resilience is more than technology; it’s protecting the trust you’ve built with your community. NuHarbor Security is a trusted leader in public-sector cybersecurity, helping states and higher education institutions build not only secure infrastructure, but resilient reputations. Our experts can help you plan ahead so your reputation emerges stronger. Schedule a consultation today.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.