Blog presented by the Organizational Communication Research Center.

Cyber Security is a current issue making every person in communications uneasy. The world of digital communication is so vast and there are so many areas within it that being equipped to advise leaders and organizations can be challenging. As communicators, we have watched headline after headline appear when companies have had data stolen and we have seen the corporate reputation and company brand sometimes suffer as a result.

Although data security has been a topic of discussion since the early 1970s, when IBM introduced Data Encryption Standards (DES) (Tankard, 2017), increasing digital communications and an ever-growing online economy expose organizations and individuals to a host of digital dangers. According to the 2017 Federal Trade Commission (FTC) Consumer Sentinel Network Data Book, consumers reported 2.7 million occurrences of computer and mobile security breaches to federal, state, local, and international law enforcement agencies, totaling more than $905 million in financial loss in 2017 alone. While the FTC’s report notes the raw number of data fraud occurrences has been steadily decreasing since 2015, the financial loss per occurrence is on the rise. To mitigate such loss, governments have stepped in. In May 2018, the European Union (EU) began enforcing the General Data Protection Regulation (GDPR), affording consumers of goods purchased in any of the 28 countries within the EU higher personal data protection rights than anywhere else in the world (DiStaso & McAvoy, 2018). While GDPR is working to make the EU a leader in consumer information transparency, data theft remains a pressing concern in the United States and other data-driven economies, irrespective of the laws intended to protect against it (Cutler, 2018).

The widespread importance of data security highlights the critical role of public relations and internal communications as organizational advisors, and further highlights some of PR’s most fundamental principles, specifically crisis management and communication. Beginning with planning and partnering throughout the organization before a cyber-attack, including creating education and communicating recovery plans in the event of a data breach, the strategic communication role is critical to effectively protecting an organization’s data and creating a culture of security awareness.

Ten Tips to Create a Culture of Cyber Security Awareness

This list has been designed to help you build a culture of security awareness. While it won’t solve all your planning problems, it provides guidance to get you started toward supporting your organization in planning for an attack or a breach.

  1. Collect as much information from as many credible and experienced sources as possible on the topic prior to your organization experiencing a data breach.
  2. Spend time with legal, IT, HR, Purchasing/Supply and all your departments who use systems with data – you need to know what data is where. You will need to understand how those systems work, and the potential risks to all aspects of your organization, before anything goes wrong.
  3. How will the business run if there is a data breach? Who needs to be in the room to make decisions in the event of a breach and where is that room? Ensure you have a list of the right stakeholders for this scenario and a place to create a “war room” should it be needed. How will communications take place if data is breached?
  4. In a contingent situation, employees may occupy unfamiliar roles. Are they prepared and trained? Are your spokespeople media trained? Do you have someone in every location who is media trained? Ensure each person has a plan to perform and a resource to ask questions and provide feedback in the event they’re not sure of what to do.
  5. How do you currently share media stories internally? Is there a different plan in the event of a crisis? Solidify internal and external communication processes and inform stakeholders.
  6. Do you need to set up a separate triage service that covers both internal and external queries specific to the breach – who is the point of contact in your organization for employees and the media? Who will speak to clients? Suppliers? Partners?
  7. Do you have a risk committee? Audit committee? Do they need to sign off a plan, engage in the conversation? Does it need to start to form part of the annual report? How can you be more transparent about your approach to cyber security?
  8. Do your employees know about the importance of data security and related laws? Are there opportunities to create awareness or engagement by supporting employees with their queries and concerns around their personal data away from work?
  9. Follow Up. What is your plan for communicating with individual employees in the event of a cyber security crisis? Do you have a text system that you regularly test, away from your network, that allows you to contact employees? We rarely consider our world without electronics — do you have a paper back-up system?
  10. What is your process in the event of a cyber security crisis for employees? Is it working? Are there adjustments to be made?

To get a copy of the full toolkit with a glossary of terms email

Jenni Field is the Founding Director of Redefining Communications. She serves on the Board of Directors for the Chartered Institute for Public Relations (CIPR). Jenni chairs CIPR’s Professional Development, Membership, and Internal Communications committees. Follow her on Twitter @mrsjennifield.

Edited by Katy Robinson, Research Editor of the IPR Organizational Communication Research Center.


Cutler, S. S. (2018). The face-off between data privacy and discovery: Why U.S. courts should respect EU data privacy law when considering the production of protected information. Boston College Law Review, 59(4), 1512-1540.

DiStaso, M. W. & McAvoy J. (May, 2018). What PR Pros need to know for GDPR compliance day.

Identity theft: A recovery plan. (2016). [Washington, D.C.]: Federal Trade Commission, 2016.

Tankard, C. (2017). Feature: Encryption as the cornerstone of big data security. Network Security, 2017, 5-7. doi:10.1016/S1353-4858(17)30025-9

Heidy Modarelli handles Growth & Marketing for IPR. She has previously written for Entrepreneur, TechCrunch, The Next Web, and VentureBeat.