Thanks to Governance and Leadership magazine for publishing our article. You can read it online with Governance and Leadership, or here on our blog.

CxB co-founder Jessica Figueras explains how your charity board can take an active stand against cyber threats.
Until recently it seemed that a cyber attack was something that affected other organisations:
governments, banks, defence companies – not ‘ordinary’ organisations, and certainly not charitable ones.
And then the British Library was brought to a standstill for weeks, thanks to a devastating
attack which cost £1.6m in the first five months alone and continues to seriously compromise
service delivery over a year later.
It might have come as a shock to some, but this was just a high-profile example of what was
already happening: the ‘mainstreaming’ of cyber security threats. Government research
suggests a third of charities experienced some form of attack last year, and a quick scan of
the news reveals the victims.
A Cheshire-based health charity suffered a “relentless” four-month cyber attack, resulting in
a man’s arrest. Confidential data belonging to a Scottish housing charity was leaked on the
dark web after a cyber attack by a criminal gang believed to have links to Russia. A Scottish
mental health charity was the victim of a “sophisticated and criminal” cyber attack. An
English educational charity fell victim to a “highly sophisticated” ransomware attack, leaving
about 37,000 students unable to access their email. A Londonderry-based IT company that
manages data for about 140 charities and community organisations, including groups that
work with victims of sexual crime, was hacked in a ransomware attack.
These are not special cases – they are everyday charities, doing vital work.
How could the board let this happen?
With any other type of serious governance failure, sooner or later the cry will go up: “Why
didn’t the board stop this happening?” Whether it’s a failure of safeguarding or financial
planning, we all understand the buck stops with the board. Why doesn’t this happen after a
cyber attack occurs?
My co-founders and I set up CxB (Cyber Governance for Boards) – a non-profit which
supports trustees and non-executive directors with cyber security governance – because we
think this situation needs to change.
After all, boards can and do effectively oversee other complex, challenging issues. Trustees
scrutinise, set priorities and make confident decisions across all issues of strategic
importance, whether or not they are specialists in those areas. Boards frequently practise
excellent, unsung governance and oversight in the face of extreme uncertainty.
Why is cyber security so different?
A lack of curiosity
Boards can be unusually passive when it comes to cyber security. There are so many ways
to be a passenger, even for boards which are supportive and encouraging:
“I can’t see why anyone would be interested in hacking us.” (We can.)
“Our CEO thinks we’re doing fine.” (How would she know?)
“Our IT Director thinks we’re doing OK and he’s the expert.” (How would you know?)
“We say yes to all cyber-related budget requests.” (How can you know that those particular investments will address the most consequential risks?)
“We’ve set our risk tolerance for cyber security breaches at zero.” (In that case, better switch off the computers and close down the charity!)
An effective board needs to be engaged, which means recognising uncertainty and asking
questions. Lots of them. So why aren’t trustees asking more questions about cyber security?
Drama and intrigue
To my mind, our deeply unhelpful national conversation about cyber security is partly
responsible. It triggers fear about asking the ‘wrong’ questions and looking foolish.
Most trustees don’t have a technical background. But just like everyone else, we read the
news. Cyber security provides a constant source of click-generating drama and intrigue.
One recent headline reads: “Cyber terrorists weaponise AI to bring down UK networks in
seconds.” Is it possible to be any more frightening? We hear of “shadowy hacker groups”,
illustrated with hooded figures in darkened rooms. The counter-response stories feature
plucky cyber heroes who “plot honeypots to catch hackers”.
Most news coverage is uninformative. We are invited to look on passively while the cyber
security insiders – goodies and baddies – slug it out in cyberspace.
Board members also absorb information from vendor marketing, courtesy of a booming
market for cyber security solutions, which unsurprisingly feeds a perception that technology
is the only real fix.
Your average trustee might start to believe the only way they can make a positive
contribution is by learning about all the latest zero-day exploits and advanced tooling. Unless
their charity has no or few staff, that is probably a recipe for unhelpful micromanagement.
What true responsibility looks like
The upshot of this misleading, drama-riven national conversation about cyber security is to
breed a lack of confidence amongst trustees, and to disempower our boards. We assume
that you need to be technically qualified just to be part of the conversation and, because
most trustees don’t have that expertise, they stay silent.
Ironically, the vast majority of IT teams are looking for more strategic direction from their
boards. They want trustees and senior executives to be aware and involved, and they are
frequently anxious when they can’t see the board taking responsibility.
Trustees are often blithely unaware that board decisions may affect cyber security, even
when the topics do not look particularly technical. Risks can arise when non-technical staff
operate insecure processes, or old systems are retained to save money. A long-trusted
supplier or partner may expose us to their cyber risks.
Most charity CEOs are no more technical than their trustees, and often find it challenging to
give direction to IT teams that are frequently handed conflicting priorities.
By choosing not to enquire further about security risks, a board has effectively accepted
those risks. So true responsibility for cyber governance starts with curiosity about our own
role in creating the problem.
Prioritising capability and culture
There’s always a temptation to assuage our anxiety by buying something new – such as
technology or external training – rather than getting to grips with what we already have. So, a
board on a journey to good cyber governance will want to start by seeking assurance.
You might have heard of penetration testing, but external cyber assurance takes many
different forms. A good external advisor will help your board take a strategic, risk-based
approach. You need to understand the risks and their business impacts, which are unique to
your organisation, then prioritise and resource your strategy accordingly.
The National Cyber Security Centre’s Cyber Security Board Toolkit provides excellent
guidance describing ‘what good looks like’ from a board perspective. You can use this to
judge whether your organisation has the right protections in place.
Cyber security is about people, process and technology. All three are important. Rather than
thinking about technology, think about capability. What cyber security expertise and resource
do we have in the charity right now? How mature are we? What capability do we need, and
what’s the best way to build it?
It’s the board’s job to support workforce upskilling and positive culture change. Set a good
example by making the conversation about cyber security a constructive one, free from
blame and intrigue, always listening and open to learning.
Managing risk
Good risk management is at the heart of cyber governance. Many boards have a Risk
Committee, which can be a good home for ongoing cyber security oversight, so long as it
enhances board visibility rather than allowing other trustees to ignore it.
Similarly, many boards have considered enhancing their cyber security expertise by bringing
in a specialist as a trustee or committee member. This can be an excellent way to kick-start
cyber governance improvements, so long as that person helps to upskill everyone else
rather than letting them off the hook.
Risk committees often find cyber security hard to map onto a traditional red-amber-green
risk matrix, and complain that “cyber security is always red, from one meeting to the next”.
My tip is to work on a security-specific risk framework with technical staff. You could be
facing dozens of different risks, some of which are much more important than others. Try to
quantify each one in terms of how much it might cost your charity – in clean-up costs, lost
income, fines, and so on – and use your limited resources to mitigate the most costly risks
first.
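To show what the quantification step above can look like in practice, here is an added illustration that is not part of the original article and not CxB’s own tool. It builds a small risk register in which each risk is valued as the chance of an incident in a year multiplied by what one incident would cost (clean-up, lost income, fines), then ranks proposed controls by the expected loss they remove per pound spent so that a limited budget goes to the most costly risks first. Every risk name and figure is constructed for illustration; none is drawn from a real charity.

```python
"""Added example: a money-based cyber risk register for a charity board.

Each risk is expressed as the article suggests: the chance of an incident in a
year multiplied by what one incident would cost (clean-up, lost income, fines).
Mitigations are then ranked by expected loss removed per pound spent, so a
limited budget goes to the most costly risks first. Every figure below is
constructed for illustration; it is not data from any real charity.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    annual_likelihood: float   # estimated chance of at least one incident per year (0..1)
    cleanup_cost: float        # incident response, rebuild, staff overtime
    lost_income: float         # donations or service income lost while disrupted
    fines: float               # regulatory penalties, e.g. for a personal data breach
    mitigation_cost: float     # one-off cost of the proposed control
    likelihood_after: float    # estimated chance per year once the control is in place

    def incident_cost(self) -> float:
        """Cost of a single incident, before considering how likely it is."""
        return self.cleanup_cost + self.lost_income + self.fines

    def expected_loss(self, likelihood: Optional[float] = None) -> float:
        """Expected annual loss: likelihood multiplied by the cost of one incident."""
        p = self.annual_likelihood if likelihood is None else likelihood
        return p * self.incident_cost()

    def loss_reduction(self) -> float:
        """Expected annual loss removed by the proposed control."""
        return self.expected_loss() - self.expected_loss(self.likelihood_after)

    def reduction_per_pound(self) -> float:
        """Value for money of the control; higher is better."""
        return self.loss_reduction() / self.mitigation_cost


def rank_by_expected_loss(risks: List[Risk]) -> List[str]:
    """Names of the risks, most costly in expected annual loss first."""
    return [r.name for r in sorted(risks, key=Risk.expected_loss, reverse=True)]


def allocate_budget(risks: List[Risk], budget: float) -> Tuple[List[str], float, float]:
    """Greedy allocation: fund the best-value controls until the budget runs out.

    Returns (funded risk names, total expected loss removed per year, total spent).
    """
    funded, removed, spent = [], 0.0, 0.0
    for r in sorted(risks, key=Risk.reduction_per_pound, reverse=True):
        if spent + r.mitigation_cost <= budget:
            funded.append(r.name)
            removed += r.loss_reduction()
            spent += r.mitigation_cost
    return funded, removed, spent


# Constructed sample register; every name and figure is illustrative only.
SAMPLE_RISKS = [
    Risk("Ransomware on the shared file server", 0.20, 40_000, 30_000, 0, 8_000, 0.05),
    Risk("Phishing leads to a staff mailbox takeover", 0.40, 5_000, 2_000, 10_000, 3_000, 0.10),
    Risk("Supplier holding donor data is breached", 0.10, 15_000, 10_000, 20_000, 2_000, 0.07),
    Risk("Unsupported legacy finance system", 0.15, 20_000, 5_000, 0, 12_000, 0.03),
]


def register_table(risks: List[Risk]) -> str:
    """Plain-text view a risk committee could read instead of a red-amber-green grid."""
    lines = [f"{'Risk':45} {'Exp. loss/yr':>12} {'Control':>8} {'Saved/£':>8}"]
    for r in sorted(risks, key=Risk.expected_loss, reverse=True):
        lines.append(f"{r.name:45} £{r.expected_loss():>11,.0f} £{r.mitigation_cost:>7,.0f} "
                     f"{r.reduction_per_pound():>8.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(register_table(SAMPLE_RISKS))
    funded, removed, spent = allocate_budget(SAMPLE_RISKS, budget=12_000)
    print(f"\nWith £12,000: fund {funded}; spend £{spent:,.0f}, "
          f"remove £{removed:,.0f}/yr of expected loss")
```

Two things the table makes visible that a red-amber-green grid hides: the ranking changes once the likelihood estimate moves, so the conversation with technical staff is about which estimate to revisit rather than which colour to pick, and the cheapest control is not always the best-value one, so ordering by expected loss removed per pound rather than by headline cost is what lets a small budget bite.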
It will always be a work in progress – and that’s fine. The board does not need to be the
primary source of technical expertise. But a charity that’s on a journey to cyber resilience
needs its board to be a driver, not a passenger.