How to get trustee buy-in for cyber security

Trustees may be completely unaware of just how common, and therefore likely, cyber breaches and attacks are — particularly in the charity sector. So, collate the latest statistics to show them that it’s more common than they think. You can find the latest statistics on GOV.UK, specifically in the Cyber Security Breaches Survey 2024.  

Share relatable stories  

There are, sadly, a wealth of real-life stories and case studies from charities of all sizes who have experienced cyber attacks or breaches. Trustees of a small charity may feel that hackers would only target bigger charities, but no charity is safe from these malicious practices. 

One example, cited in the Cyber threat report: UK charity sector (2023), shows how easy it is for criminals to gain access to your systems.  

A staff member at a small hospice charity in the West Midlands received an email that they thought was from Microsoft, asking them to change their email password. They changed it and then received a confirmation email that their password had been changed but that they needed to re-enter their old password, which they did. The next day, the charity received calls from donors who were concerned about an email they had supposedly received from this staff member.  

Upon investigation, it was discovered that criminals had taken control of that email account and changed the settings so that the staff member couldn’t see their ‘sent’ emails. It was also found that these criminals may have had access to the credit card details of 35,000 people stored on the hospice’s database. Thankfully there was no evidence that the credit card details were used, however it cost the charity £17,000 to deal with, and recover from, the cyber attack.   

This is a good example of how easy it is for breaches to happen if the charity hasn’t taken appropriate cyber security measures — for example, providing training in how to spot a phishing email.  

Present trustees with solutions 

Thankfully, the most common cyber threats are relatively unsophisticated. Government guidance suggests that charities protect themselves using a set of “cyber hygiene” measures.  

These include: 

As well as having measures in place to try to prevent cyber attacks, it’s advisable to have cyber security insurance, particularly as there are cyber security risks posed by supply chains and third parties. The Cyber Security Breaches Survey 2024 reported that only 34% of charities had cyber security insurance.  

Recruit a trustee with cyber security skills 

According to the Cyber Security Breaches Survey 2024, only three in 10 charities said they had board members or trustees who were responsible for cyber security as part of their trustee role.  

Given how common cyber security threats and breaches are, consider recruiting for a trustee with cyber security skills. They can then review current cyber hygiene measures and recommend steps to improve them, such as investing in software, anti-malware programmes and cyber security training for staff and volunteers.