Cyberattacks: how companies can communicate effectively after being hit
An effective communication strategy after a cyberattack can help a company position itself as a victim – if the strategy includes a commitment to affected consumers and employees.

In its latest annual publication, insurance group Hiscox surveyed more than 2,000 cybersecurity managers in eight countries including France. Two thirds of the companies in the survey reported having been the victim of a cyberattack between mid-August 2023 and September 2024, a 15% increase over the previous period. In terms of potential financial losses, Statista estimated that cyberattacks cost France up to €122 billion in 2024, compared to €89 billion in 2023 – a 37% rise.
The main forms of cyberattacks on French businesses, the recommendations for how companies can protect themselves, and the technical and legal responses they can adopt are well documented.
However, much less is known about appropriate communications and public relations responses to cyberattacks. The issues at stake are critical. When a company is the target of a cyberattack, should it systematically accept responsibility, or can it instead claim to be a victim to protect its reputation? A wrong answer can aggravate the situation and undermine the confidence of customers and investors.
Positioning as a victim
Our recent research questions the assumption that accepting causal responsibility should be the norm after a cyberattack: we show that positioning oneself as a victim can be more effective in limiting damage to one’s image – provided claims of victimhood are deployed intelligently.
There is evidence that firms need a strategy to present themselves effectively as victims of cybercriminals. Some firms, such as T-Mobile and Equifax, have in the past paid compensation to consumers while refusing to accept any responsibility, essentially presenting themselves as victims.
Similarly, the large French telecommunications operator Free presented itself as a victim when communicating about the large-scale cyberattack that affected its operations last October, which may have had an impact on its image. The UK’s TalkTalk initially framed itself as a victim of a cybercrime but was later criticized for its inadequate security measures.
Victimhood and sympathy
Clumsily declaring itself as the sole entity to blame or the sole victim of a cyberattack – which is what interests us here – can be risky and backfire on a company, damaging its credibility rather than protecting its reputation.
When companies present themselves as victims of cybercrime, they can elicit sympathy from stakeholders. People tend to be more compassionate toward businesses that depict themselves as wronged rather than those that deny responsibility or shift blame. In essence, this strategy frames the organization as a target of external forces beyond its control, rather than as negligent or incompetent. It leverages a fundamental social norm – people’s instinctive tendency to support those they see as victims.
But claims of victimhood must align with public expectations and the specific context of the breach. They should not be about shirking responsibility, but about acknowledging harm in a way that fosters understanding and trust. The following approaches and choices can help.
- align with public perception
The reactions of stakeholders often depend on their understanding of the situation. If the attack is perceived as an external and malicious act, it is crucial for a company to adopt a consistent stance by emphasizing that it itself has been a victim. But if internal negligence is proven, claiming victim status could be counterproductive. The swiftness of a company’s response, the level of transparency and the relative stance taken are all part of a good strategy.
- express support for stakeholders
Adopting a position of victimhood does not mean denying all responsibility or minimizing the consequences of an attack. The company must show that it takes the situation seriously by expressing empathy and commitment to affected stakeholders. It must pay particular attention to those affected inside the organization: a claim of victimhood should be part of an apology or a message expressing concern. An effective message must be sincere and oriented toward concrete solutions.
- consider reputation
We find that it is easier for companies to claim victimhood persuasively if they are perceived as virtuous. This reputation can be due to a positive track record in terms of corporate social responsibility or because they are a not-for-profit institution (e.g. a library, a university or a hospital). Virtuous victims generate sympathy and empathy, and this is also reflected after a cyberattack.
- highlight the harmfulness and sophistication of the attack
The results of our study also show that public acceptance of victim status is more effective when the cyberattack is perceived to be the work of highly competent malicious actors. It is also important for a company to persuade the public that the attack harmed the company, while keeping the main focus of the response on the public.
- don’t complain
It is essential to distinguish between legitimate claims of victim status and communication that could be perceived as an attempt to exonerate oneself. An overly plaintive tone could undermine a company’s credibility. The approach should be factual and constructive, focusing on the measures taken to overcome the crisis.
- test reactions before communicating widely
Companies’ responses to a cyberattack can vary depending on the context and the public. It is best to assess different approaches before embarking on large-scale communication. This can be done through internal tests, focus groups or targeted surveys. Subtle differences in the situation can cause important shifts in how the public perceives the breach and what the best response might be.
Our study sheds light on a shift in public expectations about crisis management: in the age of ubiquitous cybercrime, responsibilities are often shared. Poorly managed communication after a cyberattack can lead to a lasting loss of trust and expose a company to increased legal risks. Claiming victim status effectively, with an empathetic and transparent approach, can help mitigate the impact of the crisis and preserve the organization’s reputation.
This article was written with Ilaria Baghi (University of Modena and Reggio Emilia).
Paolo Antonetti does not work for, consult, own shares in or receive funding from any organisation that would benefit from this article, and has disclosed no affiliations other than his research organisation.