A few years back, a zero-day hit WordPress.
Not a quiet one. A loud, messy one.
Every unpatched site started redirecting visitors to Chinese gambling pages. Overnight. Millions of them.
Guess what our site ran on?
It was just a landing page. No customer data. No production systems.
Still, none of that mattered at 9 in the morning. Phones started ringing. Inbox was on fire.
Someone asked if we had been breached. Someone else asked if customers could see it. Another asked whether we needed to shut everything down.
In small companies, confusion moves faster than facts.
Here is the uncomfortable truth. In moments like that, the technical fix is rarely the hard part.
The hard part is what you say, when you say it, and who hears it first.
Without a PR agency, you still need a playbook. Especially then.
First rule. Decide who speaks.
One voice. One channel. One owner. The fastest way to lose control is letting everyone explain the situation in parallel. Even internally. Silence from leadership creates a vacuum. Vacuums get filled with panic.
Second rule. Separate impact from optics.
Ask two questions immediately. Is customer data affected? Is customer trust affected? They are not the same thing. In our case, the answer to the first was no. The second was maybe. That changed how we responded.
Third rule. Acknowledge before you explain.
People do not need a root cause analysis in the first hour. They need to know you are aware and in control. A short message beats a perfect one. "We are aware. We are investigating. We will update you at a specific time." That alone lowers the temperature.
Fourth rule. Do not overshare technical detail.
Engineers love precision. Crises do not. Explaining exploits, vectors, and patch timelines publicly often creates more anxiety than reassurance. Say what happened in human language. Say what it means for them. Say what they need to do, if anything.
Fifth rule. Update even if nothing changed.
Silence is interpreted as bad news. Regular updates signal competence. Even a no-change update keeps trust intact. Especially with customers who are watching closely but not speaking up.
Sixth rule. Write the post-mortem later.
The urge to explain everything immediately is strong. Resist it. Fix first. Stabilise second. Reflect third. A calm, thoughtful follow-up a few days later does more for credibility than a rushed explanation under pressure.
We handled it. The site was patched. Redirects stopped. No long-term damage.
But the bigger lesson stuck.
Crises do not announce themselves politely. They show up uninvited and test whether you are ready to communicate before you are ready to explain.
You do not need a PR agency to survive that.
You need clarity, speed, and discipline.
And a plan you wrote before the lights start flashing.
