You Might Already Know What to Do in a Cyber Incident… But Are You Ready to Do It?
If you’re a cyber security professional operating in the public sector or critical national infrastructure space, you probably already know the fundamentals of incident response.
You've seen the frameworks. You've read the playbooks. You understand that a breach isn’t just a technical problem but a crisis that spreads across the whole organisation - IT, communications, governance and more - and out into the public domain.
But the truth is, “knowing” isn’t the same as “being ready”.
In the pressure cooker of a live incident, when regulators and senior stakeholders are calling, the media are circling, and customers/staff are panicking, many teams find themselves overwhelmed, not by the technical work, but by everything around it.
We call this the feeding frenzy, and it’s what catches most organisations off guard.
Why?
You’ll Be Pulled in Every Direction, Fast
When the worst happens, every stakeholder expects immediate answers, including critical third parties. Under the forthcoming Cyber Resilience Bill, organisations will be legally required to manage and report cyber incidents not just within their own walls, but across interconnected systems, vendors and digital services.
• Internal stakeholders want to know what’s broken, what’s stolen and when it will be fixed.
• Regulators (ICO, NCSC or sector-specific bodies) demand timely, accurate reporting, often within 72 hours, as mandated by the UK Data Protection Act 2018.
• Law enforcement and national bodies want forensic data preserved for investigations – your environment is now a crime scene.
• The media, tipped off by social media stories or internal leaks, are looking for information and comment, and will report both what they know and what they “assume”.
• The public want to know what’s going on, how they’re affected and how you’re dealing with the incident. Their only source of information is the media, and they will draw their own conclusions from whatever they receive.
What’s worse is that these stakeholders often have conflicting needs. If you don’t fill the information vacuum with clarity, it will fill itself – usually with speculation or misinformation – leading to a breakdown in trust.
He Said, She Said
According to the NCSC’s 2023 review, one of the most consistent failure points in public sector incidents is a breakdown in communication rather than in technical containment. This happens when organisations focus solely on the technical elements of dealing with an incident and neglect the human element – people’s need to know what is going on.
A robust technical team knows how to address a cyber incident. They’ve studied and trained for this. Forensic recovery and identifying root causes may not always be straightforward and can take time, but they are often methodical processes with clear protocols.
What’s far less predictable is the communications element:
• Who’s writing the internal updates to staff?
• Who’s briefing the press office or your regulator/law enforcement?
• Who’s handling questions from concerned citizens or patients?
• Who’s managing cross-agency coordination if multiple departments are involved?
Having plans is one thing, but being ready to deliver on them under stress is another. You don’t always know how you’ll act in a crisis. Some people thrive in these situations, while others struggle a little more. Who’s owning this process? People naturally gravitate toward someone for answers, but you might not know who that is or who is responsible for what.
A clear message of ownership prevents crossed wires, duplication and omissions that slow or hamper remediation. People behave differently under stress, and the personal impact of stress and burnout is real. Defining ownership early gives people confidence and helps them manage the pressure, so they can stop panicking about whether they know what they’re doing and focus on the response.
Stop Rehearsing the Easy Bits
Most tabletop exercises in the public sector still focus on technical containment. That is necessary, but in isolation it is no longer enough. Very few rehearsals stress-test:
• How senior stakeholder briefings will be handled under pressure.
• Who drafts public messaging and aligns it across departments.
• How internal comms avoid panic or speculation.
• What happens if the regulator demands answers you don’t yet have.
According to the NCSC (2023), fewer than 30% of public sector organisations run full-spectrum incident response simulations that involve communications, legal, and executive leadership. This is a problem, because in their 2023 Annual Review, they noted a rising trend: public trust is lost more often through poor communication during incidents than through the breach itself.
Real Readiness Is Cross-Functional
In the 2023 attack on the British Library, the breach took down core IT systems and led to a ransomware gang leaking internal data. Despite a solid technical response, delays in public communication created widespread criticism and confusion. You want to do everything you can to avoid being in this situation.
So, start here:
• Map your stakeholders now - regulatory, internal, political, legal, comms and service users.
• Assign named owners for each comms stream (internal, external, regulatory).
• Pre-draft key messages and adjust them live during the event.
• Create a comms cadence of daily updates, or more frequent if required, tailored to each audience. The Cyber Resilience Bill is likely to demand quicker and more frequent updates. By setting and sticking to an agreed cadence, you control the flow of information and free your teams to get on with dealing with the incident.
• Know who reports what to regulators and what the thresholds are for notification.
• Have up-to-date contact details - not buried in a spreadsheet that only one person can access. Do you need an offline copy?
Then, test it, and not just in theory. Simulate the ‘feeding frenzy’ with realistic pressures.
Forensics Will Be Slow
Whether the breach is criminal or state-sponsored, evidence collection can take days or weeks. Yet, your stakeholders will expect clarity within hours.
You must explicitly set expectations:
• What is known versus what’s still under investigation.
• What decisions are pending and when they’ll be made.
• What support you need to move faster.
Equally important is tracking and storing all communications, decisions and actions. It's not just about the actions taken, but also who said what and what was agreed. This record prevents confusion, ensures accountability throughout the response and provides valuable evidence for internal or external investigations and root cause analysis.
Ask Yourself (and Your Leadership) This
• Do we know our regulatory reporting thresholds and timelines?
• Have we trained our comms, HR and legal teams on their role in a cyber incident?
• Do we have realistic, rehearsed escalation paths, including to regulators, government departments etc.?
• Can we coordinate with other departments or agencies using shared messaging protocols?
• Have we pressure-tested our ability to maintain trust, not just recover systems?
If the answer to any of these is “no” or “we’re working on it,” you’re not alone. It’s tough to keep on top of everything you need to do with limited time, resources and budget, but the reality is that you are exposed regardless.
You Won’t Have Time to Get Ready When the Incident Starts, So Start Now
Public sector organisations don’t get the luxury of silence. You’re in the public eye, funded by taxpayers and serving communities. If you misstep, it’s not just your systems that suffer; it’s public confidence in institutions.
That’s why the most capable teams don’t just know what to do. They prepare for how it will actually play out. They train across functions. They rehearse communication under pressure. They prepare their leaders for the moment when control starts to slip.
You’ve Read the Guidance. You Know the Risks. Now Ask Yourself: If a Major Cyber Incident Hit Today, Are We Ready to Lead, or Just React?
We get it. You're under-resourced, overstretched, and doing your best with what you’ve got.
Most public sector security teams are juggling legacy systems, tight budgets, and increasing scrutiny, all while trying to deliver critical services. The intent is there, but the time, money, and headcount often aren’t.
That said, hoping to respond well after the breach isn’t a strategy. Proactive preparation can no longer be optional. Investing even modest time in planning, testing and communication alignment today will save you orders of magnitude in cost, disruption and reputational damage tomorrow. When the inevitable happens and the feeding frenzy begins, the organisations that succeed are the ones that prepared for more than just the technical fallout.
If you’re not sure, Cyro Cyber can help. We work with public sector teams across government, healthcare, and CNI to build truly actionable tabletop exercises and incident response plans that bridge the gap between theory and reality.
Get in touch with us today to ensure you’re ready for anything.