PRmoment PR Masterclass: The intersection of data, planning and measurement PRmoment Awards 2025 The Creative Moment Awards Winners 2024 PRmoment Leaders PRCA PA Academy PA Mediapoint PA Assignments ESG & Sustainability Awards

How to maintain your company’s reputation after a cyber attack, by Rosanna Fiske, CEO of PRSA

Recent weeks have seen a surge of high-profile cyber attacks. From the well-documented hack into Sony’s PlayStation network to the most recent revelation that the International Monetary Fund has suffered a “large and sophisticated” attack of its servers, cyber attacks on multinational firms are coming rapidly, and often without warning. 

This trend is disconcerting. Equally disturbing is the lack of transparent and timely disclosure from affected organisations, particularly regarding the impact on customer data and what is being done to thwart future attacks. Unfortunately, most cyber attacks are met with initial silence by the aggrieved firm, followed slowly, at a trickling rate, with a few scant details.

To be sure, cyber attacks are not new. While groups like Anonymous and Lulz have gained international notoriety following their hacks on Sony and the US Senate, respectively, their dubious work has precedent. Cyber attacks date back to the 1960s, when “phone freaks” or “phreakers” would use “blue boxes” as tone generators to make free phone calls over the AT&T telephone network.

What was once considered a nuisance, at best, has turned into a massive problem for businesses and the public. But that problem is being exacerbated by a lack of transparent communications from affected firms as to what impact attacks are having on customer data.

Case in point: The Wall Street Journal reports that Citigroup waited three weeks before notifying its customers of a hack into its credit-card network. Similarly, the IMF only disclosed recently that it was the victim of a “very major breach” within the last several months, without going into detail of the information that was stolen, or even what steps it is taking to mitigate effects of the attack. 

For the public, particularly if one’s personal information may have been breached, this lack of forthright and timely disclosure adds more frustration and angst to what is already a tenuous situation. Quite often, people have placed significant trust in a business or government institution to protect their personal data in exchange for convenience and ease. It’s incumbent upon those organisations to reciprocate that level of trust.

What is at stake is a person’s identity; the very essence of who they are, both offline and in the digital environment. Yet the seriousness of one’s online persona, and how that affects their real-world livelihoods and safety, is all too often met with muted responses from hacked firms, as they seek to avoid tipping off competitors to the impact of an attack, or giving the upper hand to hackers for successfully breaching their seemingly impenetrable security systems. The need for greater disclosure is clear: cyber attacks represent one of the greatest challenges facing modern business. At a time of precariously low trust in business and government, full and earnest disclosure – the type that respects the public’s right to accurate and timely information about its own data – is imperative.

Companies also need to better educate customers, through proactive communications, about the importance of monitoring and protecting their data, and the role they play in mitigating the negative effects of cyber attacks. Wouldn’t it be wise to try to head off future cyber attacks by arming customers with information about how they can serve as watchdogs for the company, rather than withholding key information from them?

Granted, there are competitive concerns to consider. No executive in his right mind would willingly give away the kitchen sink about how his company operates. But one has to believe that the global business community can do more to work collaboratively to develop practical and immediate solutions to thwart future cyber attacks.

And that process should start with more forthright and transparent disclosure when cyber attacks occur. The rate of hacks is likely to rise, and so will the public’s expectation that its data will be protected in an appropriate manner.

Timely disclosure will go a long way toward ensuring a company’s reputation remains strong in as a result of a cyber attack, while giving businesses and governments the benefit of doubt that they will keep the public’s best interest in mind.

Rosanna Fiske, APR, is chair and chief executive officer of the Public Relations Society of America (PRSA)

If you enjoyed this article, sign up for free to our twice weekly editorial alert.

We have six email alerts in total - covering ESG, internal comms, PR jobs and events. Enter your email address below to find out more: