Cybersecurity: why communications are critical in a cyber crisis
October is Cybersecurity Awareness Month and it’s a timely reminder that no organisation is immune from cyber incidents. The way an organisation communicates in the early hours of an event can have as much impact on reputation and trust as the technical remediation.
In Australia, the Notifiable Data Breaches scheme requires entities covered by the Privacy Act 1988 to notify the regulator and affected individuals when an eligible breach is likely to result in serious harm. Incidents therefore enter the public domain quickly and under scrutiny from regulators, media, customers and government. The scheme commenced in 2018 and remains a core feature of Australia’s privacy framework.
The OAIC’s latest update shows 2024 was the highest year on record, with 595 notifications in July to December 2024, a 15 percent rise, and 69 percent linked to malicious attacks, with health and government most affected.
Why communications matter
When a cyber incident occurs, technical teams focus on containment and recovery. At the same time, stakeholders expect clarity. Customers want to understand the potential risk to their data. Employees need direction. Regulators expect timely and accurate updates, while the media look for authoritative information.
Clear, timely and coordinated communication can reassure stakeholders, align with legal and regulatory obligations, and protect long-term credibility. Effective cybersecurity crisis communications help organisations meet expectations while protecting reputation.
A practical approach to preparedness
Every organisation benefits from a simple, high-level approach that can be tailored to sector and risk profile.
- Preparedness: have a cyber communications plan in place before a crisis strikes. Establish roles and approvals, spokesperson approach, messaging principles, and pre-prepared materials. Include simulations to test readiness.
- Incident response: deploy agreed materials, coordinate internal and external updates, liaise with regulators and media, and monitor stakeholder response.
- Recovery: review performance, update strategy and protocols, and reinforce messaging through targeted engagement.
This approach is conceptual by design. The specifics should be customised to the organisation and its risks.
The regulatory context
The Notifiable Data Breaches scheme has operated since 2018 and continues to guide transparency during incidents. In late 2024 Parliament passed the Cyber Security Act 2024 as part of a wider legislative package under the Australian Cyber Security Strategy. The reforms introduce new measures, including a ransomware payment reporting obligation and the creation of a Cyber Incident Review Board. The relevant rules began commencing in 2025. Organisations should monitor commencement dates and official guidance as implementation progresses.
Turning awareness into action
Cybersecurity Awareness Month is an opportunity to pressure test readiness. As the regulatory environment continues to evolve, communications planning is central to resilience. GRACosway works alongside leadership teams before, during and after an incident. To learn more about our approach, get in touch with our team.