Facing up to a major cyber attack is a nightmare scenario for any CEO, let alone one that is just two days into the job.

Norsk Hydro, one of the world’s biggest aluminium producers, was put in this position earlier this week, but the way the company has dealt with the crisis, both operationally and from a PR perspective, may well become the blueprint for the industry.

In the first instance, Hydro had backups of its data ready for when the attack had been neutralised. In the meantime, they were going old-school; production methods were performed manually and some workers are even using paper order lists in the absence of computerised data.

However, as someone working in the communications industry, the way that Hydro has owned and controlled the narrative (as far as possible) has really stood out. The company has been open from the beginning about the scale of the incident, constantly reassuring stakeholders and media about their efforts to tackle it. 

For example, they have used social media (particularly Facebook) for real-time updates, redirected their website to a temporary Azure hosted area listing key information and contact details, and also hosted regular webcast briefings with senior spokespeople to address any questions from media.

Hydro has been proactive, honest and communicative throughout a very challenging process and demonstrated the importance of forward planning and transparency in navigating crises like this. Tellingly, their share price has remained more or less constant since the attack.

Organisations should now be treating the prospect of a cyber attack or data breach as a “when”, not an “if”, and Hydro has shown that, when handled correctly, it needn’t be a doomsday scenario.