Ransomware Is Not an IT Event. It's a Customer Service Event.
I have been doing this work long enough to remember when "business continuity" meant keeping stacks of paper, including customer lists, in a fireproof safe and hoping for the best. Today the threat landscape is considerably more expensive and more expansive, and it is constantly evolving. Nothing illustrates that gap quite like a ransomware event.
The Story Nobody Tells You
A few years ago, I worked with a mid-sized company that got hit with ransomware. To their credit, they did a lot of things right: leadership engaged immediately, forensic experts were brought in, backups were assessed, and legal and insurance were notified. By any technical measure, the response was organized and serious. But the company went completely dark on its customers.
This was not intentional or by design. Nobody in the conference room said, "You know what would be a great idea? Let's say nothing to anyone for four days," but that is effectively what happened. Every ounce of organizational energy went toward the technical fire, and the customer-facing side of the business was left to improvise, which mostly meant saying nothing at all. Calls went to voicemail, emails bounced, and for customers trying to reach them, the experience was indistinguishable from calling a company that had simply ceased to exist.
Two significant customers drew their own conclusions and started making other arrangements. By the time anyone thought to call them directly, one had already signed with a competitor. The systems came back, but the customers? Not so much.
What still bothers me is that the technical outcome was actually pretty good. The ransom was not paid, data was not meaningfully exfiltrated, and by most scorecards the response was a relative success. Yet the business took a relationship hit that might take years to repair, entirely because of the silence. The company could have turned the event into an opportunity to show its clients that it could weather the storm. The message did not need to be sophisticated; it needed to exist.
What It Actually Costs
Most executives, when they hear "ransomware," picture the ransom note: Bitcoin wallets, shadowy criminals with names that sound like rejected heavy metal bands. But the ransom payment, if one is even made, is rarely the most expensive part.
IBM's 2024 Cost of a Data Breach Report puts the average cost of a data breach in the United States at $9.36 million, including detection, legal response, notification, and lost business. Sophos' 2024 State of Ransomware report puts the average recovery cost for the mid-sized organizations it surveyed at $2.73 million, before any ransom is factored in. For a company doing $15 to $20 million a year, that is not a bad quarter; that is an existential stress test.
Build the Communication Plan Before the Crisis
While your internal team is working through containment, investigation, and restoration, your customers are asking much simpler questions:
Can you still help me?
Is my data safe?
Do I need to find someone else?
If they cannot get a clear answer, they will start protecting themselves, which usually means finding another vendor. In business continuity circles, we call that a secondary impact. In ransomware events, the secondary impact on customer relationships is often more damaging than the primary technical event.
Every business has an 80/20 dynamic: a small number of customer relationships represent a disproportionately large share of revenue. Those relationships, and the real contact information for the people who manage them, need to exist somewhere your team can reach when the primary systems are down. Not an account record in a CRM that the attacker may have encrypted along with everything else, but an actual list, kept offline, with names, mobile numbers, and escalation paths.
When an event hits, your top customers should hear from someone they recognize, with a calm and honest message: you are still operating, you understand the impact on them, and you will follow up by a specific time. Something like: "We're experiencing a technology disruption and are working with outside experts to restore operations. Some services may be temporarily delayed, but we are still here. We'll update you by 3:00 p.m. — for urgent needs, please use the contact below." That message doesn't overshare. It doesn't make promises that can't be kept. It simply confirms you haven't disappeared — and in a ransomware event, that is often the most important thing a customer needs to know.
To help you with your communications plan, below you will find a graphic as well as an Emergency Communications Plan (ECP) template that you can download and use however you see fit.
ECP (Emergency Communications Plan)
I run tabletop exercises regularly, and the discussions tend to focus on a familiar list:
Technical response
System dependencies
Recovery objectives
Backup testing
All are necessary, but there is one question that produces a longer pause than any of the technical ones:
"Who is contacting customers to let them know what is going on?"
In most organizations, the honest answer is that nobody has thought about it. Your Business Continuity Plan needs to specify who owns customer outreach during a disruption, what they are authorized to say, and how often updates go out. These are operational controls, not soft organizational niceties, and they belong in the plan right alongside the technical recovery sequence.
Ransomware starts in the network. Within hours, it is living in your phones, your inboxes, and your customer relationships. If you don't know who's managing that side of the response, you know where your next tabletop exercise should begin.
Click Here to download the FREE 2026 Tempest Emergency Communications Plan
To find out more about the services that Tempest provides and how you can Survive and Thrive, visit our website at https://www.tempestrisk.com and fill out an engagement form at https://www.tempestrisk.com/contact-us