You can’t prevent every breach, but you can control the narrative
Recent warnings from the National Cyber Security Centre (NCSC) made for uncomfortable reading for many boardrooms. The agency’s message was unambiguous: cyber resilience is now a board-level responsibility, not an IT concern. With 204 “nationally significant” attacks in the past year, and a 50% rise in “highly significant” incidents, the question for business leaders is no longer whether a cyber attack will happen, but how ready they’ll be when it does.
Too often, these events are still treated as technical issues rather than reputational crises that test leadership teams under pressure. Recent high-profile incidents at Harrods, the British Library, and Jaguar Land Rover show that even large, well-resourced organisations can execute a strong technical response yet still falter when it comes to timely, transparent communication with customers, suppliers, and other stakeholders. Many companies maintain rigorous - but largely untested - cyber response plans that focus on systems recovery and operational impact, but overlook how those actions align with communications to key stakeholders.
The stakeholder landscape in a cyber crisis is expanding fast. It’s no longer just customers and the media who expect clear communication – regulators, suppliers, investors, employees, and even government agencies now demand timely updates and accountability. With the UK Government preparing to introduce the Cyber Security and Resilience Bill during this Parliament, under which regulated companies will be required to report incidents to the NCSC within 24 hours, organisations will face unprecedented scrutiny and compressed timelines. Managing these stakeholders under pressure, often without basic access to IT systems, demands clear protocols, defined roles, and rehearsed response plans.
Most companies invest heavily in firewalls and encryption, yet overlook the human infrastructure that determines how a company is perceived externally. Systems can be rebuilt; trust cannot. True preparedness isn’t about the thickness of a manual or the sophistication of technical defences; it’s about how an organisation performs when the lights go out and the inbox stops working. In those first chaotic minutes, clarity of roles, speed of decision-making, and the ability to communicate confidently without full forensic clarity mark the difference between control and confusion. The most resilient businesses have rehearsed that moment. They’ve mapped who speaks to whom (and how), stress-tested their response through live simulations, and built trust between their technical and communications teams long before an attack happens.
Leadership defines how a cyber crisis unfolds. When British Airways faced its major data breach, or when the British Library was paralysed by a ransomware attack, the difference between confusion and control came down to how decisively senior leaders set the tone. In a crisis, people don’t rise to the occasion; they fall to the level of their preparation, which depends on leadership attention long before the breach occurs. The best-prepared boards don’t delegate cyber resilience to IT: they bring communications, legal and technical teams into the same room, stress-test their coordination, and agree who leads when systems fail. Cyber resilience starts as a leadership behaviour, not a line item in an audit report.
This means the most effective organisations are moving beyond static response plans towards living frameworks for cyber resilience. They embed incident response into quarterly risk reviews, run joint simulations across legal, communications and technical teams, and pressure-test internal escalation paths. With regulators demanding faster reporting and tighter supply chain oversight, these cross-functional exercises are no longer optional; they are essential to ensure decisions are rapid, accurate, and aligned with stakeholder expectations.
As cyber risk becomes a permanent feature of the business landscape, the question is no longer how to avoid a crisis, but how to ensure you control the narrative. The organisations that emerge strongest will be those that treat resilience as a collective discipline, where technical readiness and reputational readiness are inseparable. By combining robust systems with rehearsed communication, clear roles, and leadership that sets the tone from the top, companies can navigate attacks with clarity, protect trust, and ensure that when the lights go out, stakeholders know the organisation is still in control.