From "we have fixed the vulnerability" to "we control the situation": the evolution of cybersecurity communication language

Although businesses are building up technical defenses to ensure the security of their systems and user data, vulnerabilities still persist. According to McKinsey, less than 1% of global cyber risks were insured in 2025. Reputational losses are not insurable at all. In these conditions, PR communications become a key tool for protecting reputation. Recently, companies have been moving away from purely technical formulations in favor of management and publicly understandable language, shifting the focus from the vulnerability itself to controlling the situation.

Why technical formulations no longer work

Traditionally, businesses have been reluctant to comment on cyber incidents, limiting themselves to standard technical formulations. Typically, the general audience simply does not understand them, which means they do not strengthen the reputation.

For example, in February 2023, the hacker group NLB announced the theft of databases from the Sber ecosystem. In response, the company's press service published a dry and predominantly technical comment.

Despite the desire to promptly address potential risks and assure users of the absence of infrastructure hacking, the abstract language of cybersecurity reduced the effectiveness of this message. In particular, the phrasing "data related to clients" blurs the subject and scope of the incident, which may increase user anxiety. Similarly, the expression "compilation of various databases" does not reveal the practical implications of what happened: for a general audience, it is unclear whether such data can identify an individual and how it may be used.

For comparison, let's examine the brief message from "Beeline".

The press service of the telecom operator released it at the end of February 2025 in response to a DDoS attack that led to widespread internet access failures. Despite the concise format, the focus shifts from the mere fact of service unavailability to managing the situation and its consequences. The DDoS attack is interpreted as an operational incident rather than an abstract "technical problem," which brings the communication closer to a management narrative and service resilience logic. Despite the official language and a high proportion of nouns, this message turned out to be much clearer for the general audience compared to traditional cybersecurity formulations.

Cyber threats to business = personal vulnerability of each user

Abstract technical phrases served a formal function during the period when the main damage from attacks did not go beyond the corporate perimeter. Today, the situation has changed. According to WCIOM, users cite the leakage and theft of personal data as their main digital fear. The risk of disruptions in internet and online service operations remains significant—this factor consistently ranks among the top three key digital phobias.

This shift can be explained: the threats of data leaks and service access disruptions have become widespread and palpable in the CIS. In the first three quarters of 2025, the share of successful attacks resulting in information leaks increased from 41% to 54% compared to 2023 and the first half of 2024. Meanwhile, account credentials and personal data remain the most sought-after type of information for attackers, second only to trade secrets.

The risk of encountering the consequences of a cyberattack is present in almost every industry. A quarter of all publications in the dark web about data leaks from companies in CIS countries pertain to online stores, marketplaces, and pharmacy chains, 14% relate to government institutions, and another 10% concern the financial sector.

As user anxiety grows due to cyber threats, businesses increasingly face not only direct financial losses but also reputational damage. According to Boston Consulting Group (BCG), among companies affected by cyber incidents, nearly one in six experienced a decline in stock value of more than 5%. 60% of them showed weak financial results even a year later, indicating long-term reputational losses.

How to Talk About Cyberattacks to Strengthen Trust During a Crisis

Let’s consider three approaches to crisis communication during and after a cybersecurity threat.

1. Focus on Service Availability and Protective Measures Instead of Technical Details

In August 2025, a major DDoS attack was carried out on the “State Services” portal, causing some users difficulties with authentication. The Ministry of Digital Development “switched on optimism” and emphasized that the service continues to operate as usual despite the incidents. Technical details took a back seat, primarily confirming the key thesis: the situation is under control and does not pose critical risks for users.

If we consider the communication in more detail, several key factors can be highlighted.

1. The message is presented in a formal-business tone, largely determined by the editorial policy of the Ministry of Digital Development, which traditionally uses an official style in public statements. At the same time, the language is accessible enough for a wide audience.

2. Technical details are used sparingly and explained immediately. The phrasing about "multi-level high-tech layered protection capable of processing billions of cybersecurity events daily" does not delve into cybersecurity specifics but serves as an argument in favor of the system's resilience.

3. Active constructions are used, creating a sense of dynamics and control: it is emphasized that round-the-clock technical support and a monitoring headquarters are functioning, attacks are successfully repelled, and user data is protected.

2. Status update as a way to assert that "everything is under control"

In July 2025, a large-scale attack struck the information systems of the airline "Aeroflot." As a result, operations were partially blocked, many flights were canceled or postponed, and passengers were stranded at airports.

The press service decided to demonstrate that the team is managing the situation through a status update. On the day of the attack, July 28, six publications appeared on the carrier's official channels. The PR team divided the narrative into two outlines:

By the end of the day, the wording becomes more encouraging and positive: “Aeroflot continues its operational activities despite the IT infrastructure failure of the airline.” The press service explains how and with whom work is being done to resolve the failure, as well as provides statistics on canceled flights. For comparison, there are a total of 54 canceled flights against 206 that were scheduled to fly. Against this backdrop, the number of cancellations seems significantly lower, which brings the crisis back into a manageable framework and reduces the level of anxiety.

The next day, July 29, the press service reported only on the volume of eliminated consequences, without going into details of the incident. The main message of the post is that 93% of flights are being operated. On July 30, the company announced that the airline had fully restored operations.

3. Operational Response and Detailed Analysis of the Incident

On August 11, 2025, the telecommunications operator Citytelecom and the data center network Datahouse, which are part of the Filanko group of companies, became victims of hackers. The attackers targeted the core of the network infrastructure, leading to disruptions in service operations and internet access outages. By the end of the day, the companies managed to nearly fully restore system functionality.

To establish control over the situation, the press service already the next day, August 12, published a detailed official comment on the course of events on the website. Despite the abundance of technical terms, the text creates a sense of a managed crisis. This was largely achieved through numerous details. The company describes step-by-step the actions of the team during the incident, provides initial conclusions about the nature of the attack, reports on the eliminated consequences, and outlines further steps for complete restoration.

A similar message appeared in the media, for example, in CNews. This approach expands the reach of crisis communications and simultaneously increases the attention of a wide audience to the company's cybersecurity practices.

Collaboration between Cybersecurity and PR as the Foundation for Crisis Management

During vulnerabilities, users primarily expect predictability and reliability from businesses. For this, it is important for companies not only to effectively control the situation but also to clearly communicate this in external communications. Public updates of messages regarding status, actions, and consequences help reduce uncertainty and anxiety.

Communication approaches may vary; however, they share one commonality: close collaboration between the information security (IS) department and the PR team. IS provides an understanding of what is happening and real control over the threat, while PR translates this information into a language understandable to the audience. It is this connection and quick response that allow maintaining trust and resilience even in crisis situations.

In practice, the main difficulty lies in the differing tasks and approaches of the two teams. IS specialists focus on the accuracy of wording, minimizing the disclosure of details, and reducing technical risks, while the PR team operates with speed of response, accessibility of messages, and management of public perception. As a result, one side may consider a message too detailed, while the other may find it too closed off and unclear to the audience. To avoid conflicts during a crisis, interactions should be established in advance. Together with industry colleagues, I have identified several effective measures:

• predefine the interaction regulations between IS and PR in the event of an incident, including the process for coordinating messages and those responsible for communication;

• prepare templates for initial statements and scenarios for typical situations so that materials do not have to be written from scratch during a crisis;

• designate contact persons from both sides (IS and PR) to avoid wasting time searching for responsible individuals at critical moments;

• agree in advance on what data can be publicly disclosed and what remains internal;

• regularly conduct joint "exercises" or incident reviews so that teams understand each other's working logic.

In this case, during a real cyber attack, both teams come to a common formulation more quickly and can prepare a message that remains correct from a security standpoint while also being understandable for users. As a result, trust is maintained both within the company and outside of it. What practices do you use to ensure that teams work synchronously even during vulnerabilities?