The $5 million question: is a cybersecurity crisis plan worth it?
Wojtek Dabrowski
June 5, 2025

By now, most organizations realize that it’s a matter of “when,” rather than “if,” when it comes to having their computer systems and networks breached by hackers.

When you consider that the average cost of a breach in 2024 hit an all-time high, up 10 per cent to almost $5 million, it bears asking: is it worth it to prepare in advance?

Research from IBM and others has repeatedly found that companies with a plan in place, and especially one that is tested in tabletop exercises, pay less for and are faster in recovering from a data breach. Of course, a cyber-attack can cost more than money. Besides the legal and recovery fees, there could be fines, regulatory scrutiny, reputational damage and, perhaps most importantly, the loss of customer trust.

Yet at the same time, many remain unprepared. A recent U.S. survey found that less than half of all businesses have a formal crisis communications plan (anecdotal experience suggests the same is true in Canada).

To me, that’s asking for trouble.

An effective crisis communications plan serves as a roadmap for navigating the chaos following a cyber incident. It ensures timely, accurate, and consistent messaging to stakeholders, helping to maintain trust and comply with regulatory requirements. Without a plan, organizations risk misinformation, delayed responses, and exacerbated reputational harm.

However, having a plan isn’t sufficient; regular testing is crucial. Truly cyber-resilient organizations must not only have a cyber crisis communications plan in place but also stress-test it regularly to ensure effectiveness under pressure. A simple tabletop exercise that takes a day to execute is all it takes to highlight and expose gaps in your plans and blind spots in your response processes.

IBM's research also highlights that incident response plans, their testing and employee training are among the top factors that decrease the ultimate cost of a data breach.

Building an Effective Cyber Crisis Communications Plan

So, how do you build a strong plan that will stand up well when the worst inevitably happens? Organizations should:

  1. Assemble a Cross-Functional Team, including outside advisers: Include representatives from IT, legal, PR, HR, and executive leadership. Add great outside counsel across law, communications and containment who live and breathe these crises every day.
  2. Define Clear Communication Protocols: Establish who communicates what, to whom, and through which channels.
  3. Develop Pre-Approved Messaging Templates: Prepare statements for various scenarios to expedite response times.
  4. Conduct Regular Training and Simulations: Ensure all team members understand their roles and can execute the plan under pressure.
  5. Review and Update the Plan Periodically: Adapt to evolving threats and organizational changes.

The costs of cyber threats are only heading in one direction: higher. Artificial intelligence lets fraudsters operate at pace and scale like never before, which means any organization needs to be ready for threats that don’t resemble those of the past. To stay ahead of the curve, companies simply must think proactively and prepare in advance, and a strong, regularly tested cybersecurity crisis plan should be a core component of that preparation.
