
Cybersecurity: a board responsibility


Martyn Croft, from CxB Cyber Governance for Boards, tells us how non-profit boards can get behind cybersecurity.


Why cyber governance needs to be taken seriously

It’s probably fair to say that historically non-profits have not been focused on cybersecurity. And understandably so. Spending precious funds on firewalls, disk encryption, and awareness campaigns may not seem like board level priorities when beneficiaries are at the top of the list.

But you can’t assume that you are unlikely to be the target of hackers. In 2023, around a third of charities in the UK experienced a cybersecurity breach or attack. For larger charities that number increased to two thirds. The true number is likely to be much higher, since many charities won’t have the technical ability to detect incidents. (Source: Cyber Security Breaches Survey 2024.)

The impact of cyber attacks

10 months on from a cyber attack, the British Library was still recovering. Crucial services were still offline. The charity expects to spend millions of pounds – 40% of its reserves – on the recovery. A small charity could be devastated by much smaller impacts.

It’s become apparent that services cannot be delivered if IT systems are crippled by a cybersecurity incident. Stealing and leaking sensitive data does nothing for the reputation and fundraising capability of a non-profit. And it’s worth remembering that ‘hacktivists’ – people or groups who don’t agree with the aims of an organisation – are more than capable of mounting an attack to take down the online services of an organisation.

Who is responsible for cybersecurity in non-profits?

Many non-profits, especially the smaller ones, don’t have a dedicated cybersecurity person. In these days of cloud computing and outsourcing, smaller charities may not even have any IT staff. But the cybersecurity risks to the organisation cannot be ignored by anyone.

Boards, especially trustee boards given their ever-increasing responsibilities and liabilities, need to get cybersecurity at the top of their agenda.

Non-profit boards and cyber governance

Boards must understand the impacts that might arise from a cyber incident, and ensure that staff and suppliers have the knowledge and capability to manage and respond to risks. Boards are also well placed to ensure that staff are aware of their responsibilities, and have the confidence to discuss issues openly with the board without fear of blame.

Where to begin with charity cyber governance

Good cybersecurity often starts by identifying the information assets that are important to an organisation, and which could be of interest to others. For charities, these assets can be:

  • a database of supporters and donors
  • a register of beneficiaries
  • a list of volunteers
  • employees’ personal data
  • data and intellectual property essential to the operation of the organisation

Board members don’t need to be cybersecurity experts. Equally, the board can’t dismiss the threat as an IT problem.

Putting cybersecurity on the board agenda is a great time to ask: what information is important to us, how do we protect it, and what are the likely threats?

How CxB helps with cyber governance

CxB was set up to help address these very issues. We share the expertise and experiences of board members. CxB is free to join and supports its members in raising information security awareness and the importance of cyber governance.

Join CxB for a free monthly webinar: click to find out more about upcoming events.


About our guest author Martyn Croft

Martyn Croft is a non-executive Director of Reliance Bank and co-founder of the Charities Security Forum, which promotes awareness of the cybersecurity challenges facing charities and provides opportunities to share information and best practices. Martyn was previously CIO of The Salvation Army UK and a non-executive director of its trading arm, supporting the mission of the charity through the use of information technology whilst ensuring a strong focus on information security.



This page was last updated on July 22, 2024