Kris Blackmon, Head of Channel Communities

November 1, 2016

Lessons for the Channel in the Google-Microsoft Cyberthreat Debate

We all know that cyber-attacks are on the rise. Vendors and partners are in agreement that for businesses, it isn’t a question of if a data breach will happen, but rather what contingencies are in place to deal with it when one happens.

To that end, disaster-recovery-as-a-service (DRaaS) and backup-as-a-service (BaaS) solutions are growing more advanced and more integral to comprehensive security offerings. But while the technology is evolving to establish some sort of industry best practice for dealing with cyberthreats, there still seems to be confusion on how to handle the regulatory and public relations pieces.

Yesterday, Google (GOOG) divulged a zero-day vulnerability in Microsoft (MSFT) Windows software. “[W]e are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Google security engineers Neel Mehta and Billy Leonard in a blog post. “This vulnerability is particularly serious because we know it is being actively exploited.”

Microsoft was not pleased. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk,” the company said in an email. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

This disagreement between two of the most powerful tech companies is reflected in the breaches that are nagging the most powerful levels of government these days. We’ve written about how unprepared both presidential candidates seem to be to really address the looming cyberthreat posed by nation-states such as Russia and sites like WikiLeaks. In both business and government, everyone seems to be feeling their way.

It seems to come down to two camps: those who believe breaches and vulnerabilities should be made public sooner rather than later, and those who wish to keep such events under wraps as long as possible. In the case of the channel, you may run into vendors pressuring you to wait until they have countermeasures and a crisis communication plan in place. But ultimately, businesses have to look out for their paying customers—and the rather large megaphone that the internet has provided them.

“How you respond depends on the severity of the situation (what kind of data was stolen, how many accounts, how long the hackers were in for, etc.), but it is your responsibility to let those affected know,” says Amanda Long, senior account director at PR firm Hughes Agency. “Do you have to hold a press conference or send out a press release? Maybe not, but you better let those affected know it happened and what you are doing to fix it before the story gets ahead of you and spirals out of your control. Those affected (and naysayers who aren’t) will talk about it, probably on social media, so be prepared to respond appropriately.”


About the Author(s)

Kris Blackmon

Head of Channel Communities, Zift Solutions

Kris Blackmon is head of channel communities at Zift Solutions. She previously worked as chief channel officer at JS Group, and as senior content director at Informa Tech and project director of the MSP 501er Community. Blackmon is chair of CompTIA's Channel Development Advisory Council and operates KB Consulting. You may follow her on LinkedIn and @zift on X.
