(Thanks to my friends at Association of Chairs for publishing this article. AoC runs a wonderful support network for senior charity trustees. Charity boards oversee a wide range of topics, but we think cyber security is an especially tricky one – for reasons I describe below. So we also ran a session on cybersecurity for charity Chairs and Vice Chairs.)
Cyber security is a topic that’s increasingly hard for boards to ignore. The threat is very real: a recent UK government survey found that over a quarter of charities experienced a cyber attack or breach in 2021, rising to over half of high-income charities. Of those affected a quarter lost money, data or other assets, and four in ten experienced other negative impacts, such as lost staff time and business disruption. Some of these will have suffered reputational damage, too.
It’s also a topic at the very top of government’s agenda, since it impacts on national security, economic wellbeing, the resilience of public services and civil society. We should expect to see new regulations to raise standards in cyber security and data protection, which charities who contract to government and the wider public sector need to be particularly cognisant of. Those in the health and care sector are already seeing their regulators becoming more active and demanding.
Whilst a large majority of charities take cyber security seriously, research carried out by Charity Digital and the National Cyber Security Centre indicated a worrying gap in communication between staff, senior leaders and trustees. The majority of boards do not receive regular updates on cyber security. Even when charity staff are taking appropriate action and creating strategies for cyber resilience, most trustees and as many as half of Chief Executives may be completely unaware of what has been done. And since Chief Executives regard cyber security as seventh in their list of priorities – behind service delivery, governance, fundraising, finance, strategy and IT – how much faith should a board have in its Chief Executive’s appraisal of the risks?
Anecdotally, technical staff within charities often complain that boards aren’t at all engaged with cyber security. That might well reflect low confidence amongst trustees and Chief Executives in handling technical detail, perhaps feeling unsure what questions they should ask a technical specialist. And no wonder – cyber security is very often presented as requiring extremely high levels of technical expertise to grasp. Even those who work in cyber complain about professional ‘gatekeeping’!
So if you’re a Chair – especially one with middling technical confidence – how might you start to incorporate cyber security within the full range of risks that your board has oversight of?
First, it’s good to remember that charity boards typically handle many other technically complex topics with confidence. Some – such as data protection, fraud and even safeguarding – may even overlap with cyber security. Good governance is possible even when we don’t have trustees with pre-existing specialist expertise, welcome though that is.
The place to start is risk – and your risk committee, if you have one. A well-developed approach to managing and overseeing risk is by far the most important tool. Many boards use a risk matrix to prioritise the most important risks, and some are refining this further using a risk appetite approach. Cyber security covers a broad range of threats, so start by identifying your ‘crown jewels’ – what are the most important data, systems and assets that would damage your charity most severely if compromised? The National Cyber Security Centre has a very helpful board toolkit which can help you to start exploring these issues.
Certification schemes like Cyber Essentials Plus and ISO 27001 are helpful, since they provide a board with an external benchmark. A supplier providing certification can give advice and support about improvements required, which may often be about training and changes to processes rather than investments in advanced technology. For small charities, the government-funded Cyber Resilience Centres are a great source of free advice and support.