Post-Cyberattack: Companies Claiming to Be a Victim Is Found to Be Helpful
It just has to be used in a balanced way to be trusted
When an embarrassing, dangerous organizational storm puts trust and credibility in the crosshairs, it matters greatly how you respond and how well you do it.
In the article “Cyberattacks: how companies can communicate effectively after being hit,” Paolo Antonetti, a marketing professor at the EDHEC Business School in Croix, France, with an interest in stakeholders' responses to crises, and Ilaria Baghi, an associate professor in the Department of Communication and Economics at the University of Modena and Reggio Emilia, addressed vital leadership decision-analysis and responses to experiences that put credibility and stakeholder relationships at risk.
“Insurance group Hiscox surveyed more than 2,000 cybersecurity managers in eight countries… Two thirds of the companies in the survey reported having been the victim of a cyberattack between mid-August 2023 and September 2024, a 15% increase over the previous period,” Antonetti and Baghi learned and reported.
What they were curious about, and what took more work to learn, was “appropriate communications and public relations responses to cyberattacks,” they wrote, because, “The issues at stake are critical.”
Antonetti and Baghi pose an important question
“When a company is the target of a cyberattack, should it systematically accept responsibility or can it instead claim to be a victim to protect its reputation?” they asked.
The answer isn’t what organizational leaders feel most comfortable doing. It’s what stakeholders expect of them, collectively and individually.
“A wrong answer,” Antonetti and Baghi wrote, “can aggravate the situation and undermine the confidence of customers and investors.”
Valuable Insights to Learn and Remember
Align with public perception
“The reactions of stakeholders often depend on their understanding of the situation,” Antonetti and Baghi wrote. “If the attack is perceived as an external and malicious act, it is crucial for a company to adopt a consistent stance by emphasizing that it itself has been a victim.”
Does it surprise you that it was found acceptable for a leader and organization to frame the company as a victim too, and that doing so wouldn’t upset stakeholders? It does me. While this can be done, I would recommend deciding on this particular focus very judiciously and, if it is chosen, using it in small doses. A little communicating of victimhood goes a long way after a crisis.
“If internal negligence is proven, claiming victim status could be counterproductive.”
I’ll see your “counterproductive” and raise you, “it would be dangerous and reckless.”
Express support for stakeholders
“Adopting a position of victimhood does not mean denying all responsibility or minimizing the consequences of an attack,” Antonetti and Baghi warned.
Precisely. Don’t look for manufactured, self-interested reasons to dismiss responsibility, or show through words and other actions that you don’t recognize and acknowledge the damage done to any stakeholders.
“The company must show that it takes the situation seriously by expressing empathy and commitment to affected stakeholders,” Antonetti and Baghi pointed out. “An effective message must be sincere and oriented toward concrete solutions.”
Sincerity and clarity of high-effort solutions are mandatory tasks.
Consider reputation
“We find that it is easier for companies to claim victimhood persuasively if they are perceived as virtuous,” Antonetti and Baghi reported. “Virtuous victims generate sympathy and empathy, and this is also reflected after a cyberattack.”
Believing we are virtuous is not the same as having credibility with stakeholders that we are honorable in practice. It’s vital to know the difference and have high social and self-awareness, because selling ourselves as virtuous when we’re not perceived and judged to be so is going to lead to swift and intense backlash.

Highlight the harmfulness and sophistication of the attack
“Results of our study show that public acceptance of victim status is more effective when the cyberattack is perceived to be the work of highly-competent malicious actors,” Antonetti and Baghi explained.
“It is important for a company to persuade the public that the attack harmed the company, while keeping the main focus of the response on the public.”
Don’t complain
“Distinguish between legitimate claims of victim status and communication that could be perceived as an attempt to exonerate oneself,” Antonetti and Baghi wrote.
“An overly plaintive tone could undermine a company’s credibility. Be factual and constructive, focusing on the measures taken to overcome the crisis.”
Be solution-oriented and think about what stakeholders (all of them, not just some) expect of you in the short, mid and long term. Communicate specifically and back it with tangible action.
Test reactions before communicating widely
“Poorly-managed communication after a cyberattack can lead to a lasting loss of trust and expose a company to increased legal risks,” Antonetti and Baghi asserted.
Open mouth and insert foot is not as uncommon as you might assume when it comes to organizational communications.
The findings were interesting. There is nothing wrong with communicating that you too were a victim in a cyberattack.
Realize, though, that the thrust of your communication has to be on the impact of the event on other people, how you feel (and should feel) about it in terms of compassion, what specifically will be done in response, and why and when that will happen.
This respects stakeholders by alerting them about what is happening and will happen.
If they have to be made whole in some manner, clearly express what that will be tangibly, how it will work and when specifically it will take place. Do not be vague.
Michael Toebe is the specialist at Reputation Intelligence, helping individuals and organizations with matters of credibility, trust, decision analysis, communications, relationships and reputation.
