From February issue, NZ Manufacturer magazine

 It’s a reputation risk manufacturers can’t ignore

With corporate cyber breaches in the spotlight increasingly, NZ Manufacturer magazine advisor and Impact PR director Mark Devlin looks at how firms can protect their brand in the event of an incident.

For years, cyber security sat comfortably in the IT bucket. It was treated as a technical risk to be managed through software, consultants and compliance exercises, largely removed from day-to-day operational and commercial decision-making. That separation might once have worked. It no longer does.

For New Zealand manufacturers, cyber security has become a frontline business risk, one that increasingly plays out in public.

When incidents occur, the damage is rarely limited to systems or data. It shows up in halted production, delayed orders, disrupted supply chains and, critically, lost trust. The reputational consequences often outlast the technical ones.

That reality has been reinforced by the way cyber incidents are now covered in the media. Stories that once appeared in specialist technology columns are increasingly leading business news.

Journalists are less interested in the mechanics of a breach and far more focused on impact: what stopped, who was affected and how leadership responded. In that environment, cyber security is no longer just about prevention. It is about preparedness, judgement and communication under pressure.

Why cyber incidents hit manufacturers harder than most

Manufacturers are particularly exposed. They operate at the intersection of physical production and digital infrastructure, where disruption in one area quickly cascades into others. Production lines, logistics platforms, inventory systems, payroll and supplier portals are deeply interconnected.

A cyber incident does not just inconvenience office staff. It can shut down machinery, breach contracts and place long-standing customer relationships under strain.

Unlike many service businesses, manufacturers cannot simply work around the problem while systems are restored. When production stops, the effects are immediate and visible. Customers notice. Suppliers ask questions.

Staff worry about job security. In many cases, the story becomes public not because the organisation chooses to disclose it, but because the operational consequences are impossible to hide.

This is why cyber security planning that focuses only on technology is incomplete. The more difficult question is whether an organisation is ready for the scrutiny that follows when something goes wrong.

What “prepared” actually means when things go wrong

From a communications and reputation perspective, preparedness can be thought of in three phases: before an incident, during an incident and after recovery.

Most organisations invest heavily in prevention. Far fewer invest adequately in decision-making readiness. Yet when a cyber incident occurs, poor decisions made in the first 24 to 48 hours often cause more reputational damage than the incident itself.

Preparation starts with clarity. Manufacturers should be clear, in advance, about who makes decisions, who speaks externally and how information flows between IT, legal, leadership and communications teams. These roles should not be improvised in the middle of a crisis.

Scenario planning is equally important. Cyber incidents are rarely neat or fully understood at the outset. Manufacturers need to plan for uncertainty, including how to communicate when facts are incomplete and timelines unclear.

Practising these scenarios helps leadership teams become comfortable explaining what is known, what is still being investigated and what is being done next.

Senior leadership readiness also matters. In serious incidents, stakeholders expect to hear from the people in charge. Leaders must be able to explain complex issues in plain language, show calm under pressure and demonstrate accountability.

Media training and rehearsal are not indulgences; they are practical risk-management tools.

Finally, alignment between IT, legal and communications teams is essential. Each function has legitimate priorities, but without agreed processes those priorities can clash, leading to delay, inconsistency or silence at precisely the wrong moment.

The first 48 hours shape the entire story

When a cyber incident occurs, the first public response sets the tone for everything that follows.

Organisations that handle this well acknowledge the issue early. Even a brief statement confirming awareness of the incident and outlining immediate steps being taken is better than silence, which is often interpreted as confusion or avoidance.

They focus on impact rather than technical detail. Customers, suppliers and staff want to know what the incident means for them. Overly technical explanations may be accurate, but they rarely reassure non-technical audiences.

They avoid speculation. Guessing the cause or scale of an incident before investigations are complete almost always leads to corrections later, undermining credibility. It is better to be clear about what is not yet known.

They communicate regularly. A single statement followed by silence creates uncertainty. Even when there is little new information, consistent updates signal that the situation is being actively managed.

Internal communication is just as important as external messaging. Staff are both an audience and a channel. If they are left in the dark, speculation fills the gap and often leaks outside the organisation. Clear internal updates help maintain focus, alignment and trust.

Recovery is where trust is either rebuilt or lost

Once systems are restored, many organisations are keen to move on quickly. From a reputational perspective, that can be a mistake.

Stakeholders remember how an organisation behaved during a crisis long after the technical details fade. Manufacturers that communicate openly about lessons learned and improvements made often emerge with stronger trust than before.

This does not require sharing sensitive security information. It requires demonstrating accountability and a commitment to improvement.

Post-incident communication should reinforce reliability and leadership, not defensiveness. It is an opportunity to show that the organisation has taken the incident seriously and acted responsibly.

Working with external advisers

For many manufacturers, the most challenging moments in a cyber incident are not technical, but human. Decisions are made under pressure, information is incomplete and the consequences of getting it wrong play out publicly. In those moments, having trusted external advisers can provide clarity and discipline when it matters most.

Specialist crisis communications advisers work alongside leadership, legal and technical teams to help organisations make sound judgement calls, communicate with confidence and maintain credibility under scrutiny.

Engaging this expertise early allows response plans to be tested, roles clarified and expectations aligned well before an incident occurs.

Firms such as Impact PR work with manufacturers to prepare for high-pressure scenarios, pressure-test response plans and provide calm, practical guidance when incidents happen. When cyber risk becomes a public issue, the value of experienced external perspective is often felt most acutely.

The reality manufacturers need to plan for

Cyber incidents are no longer rare, and they are not limited to careless or underprepared organisations. Even well-run manufacturers can be targeted. It is no longer credible to assume it will not happen. The real test is how prepared you are when it does.

Cyber security may begin as a technical issue, but for manufacturers, it ends in public. Treating it as a leadership and reputation challenge is no longer optional.