7th May 2025

Charity Trustee Roundtable – Cyber Security

At our first Charity Trustee Roundtable of 2025, we were joined by Paul Chichester, Director of Operations at the National Cyber Security Centre, who shared his insights. The key points discussed during the session were as follows:

National Cyber Security Centre (NCSC) Overview:

The NCSC was established in 2016, during a period of political optimism in the UK with a majority government focused on growth and prosperity. Cybersecurity was seen not only as a national security concern but also as a means to protect businesses and citizens and to foster economic prosperity. The government recognised the importance of cybersecurity both for national safety and as an economic sector in its own right, particularly as the UK has a growing cybersecurity industry.

Prior to the NCSC, there was no single body offering cybersecurity advice to organisations outside government. The NCSC was set up to fill this gap, providing a one-stop shop for advice, guidance, and support for everyone, from government departments to members of the public. Its mission is to make the UK the safest place to live and work online. The NCSC focuses on areas such as critical infrastructure (e.g., power stations, water systems), businesses, SMEs, academia, charities, and individual citizens.

Key NCSC Responsibilities:

The NCSC coordinates the national response to significant cybersecurity incidents, such as ransomware attacks or spear-phishing campaigns, and provides guidance for organisations experiencing cyberattacks. It acts as a central hub for reporting incidents, helping organisations manage and mitigate attacks. The charity sector, in particular, faces a range of cyber threats, including ransomware and data breaches, largely because charities hold both funds and personal data.

Common Cybersecurity Threats:

  • Ransomware: Increasingly common, ransomware involves criminals encrypting and/or stealing data and demanding payment to restore access or to avoid publishing the stolen data. Beyond the operational disruption, this can also damage an organisation’s reputation, and paying does not guarantee that data is recovered or deleted.
  • Business Email Compromise (BEC): A fraud tactic in which criminals, typically using a compromised or spoofed email account, impersonate a senior staff member or a supplier and use social engineering to trick staff into paying invoices or transferring funds to accounts the criminals control.
  • State-sponsored Attacks: Some organisations, particularly charities working in sensitive regions or with vulnerable groups, face threats from state actors such as Russia, China, and Iran. These attacks often aim to steal sensitive personal data (for example, about beneficiaries or staff) or to disrupt operations.

Cybersecurity Challenges for Charities:

Charities are frequent targets because they hold funds and personal data: criminals pursue the money, and state actors pursue the intelligence. Ransomware remains a persistent issue, and preparation is crucial. Organisations are advised to implement basic cybersecurity controls and to rehearse their response before an attack, as prevention is cheaper and more effective than reacting to an incident.

Cybersecurity Preparedness:

  • Planning: Organisations should have clear, tested plans for dealing with cyber incidents. Board members should understand their roles during a cybersecurity breach, including decisions about operations, finances, communication (with beneficiaries, donors, regulators and the press), and HR.
  • Backups: Keep backups that an attacker who has compromised the live network cannot reach or alter (offline or otherwise isolated copies), and test restoring from them regularly. A backup that has never been restored is an assumption, not a control, and ransomware groups routinely target connected backups before encrypting.
  • Continuous Risk Management: Cybersecurity is an ongoing risk, much like financial or health and safety risks. The threat landscape evolves, so regular assessments are essential. Boards should monitor the risk continuously and ensure the organisation is prepared for potential incidents.

Key Actions for Organisations:

  • Governance: Treat cybersecurity as a board-level risk, similar to financial or operational risks. It should be regularly discussed at board meetings and monitored continuously.
  • Preparation: Organisations must prepare for cyber incidents, not just react when they happen. Have clear response plans in place, and use resources such as NCSC’s “Exercise in a Box” [1] to simulate potential attacks.
  • Collaboration: Cybersecurity is a team effort. Encourage communication with other organisations and industries to share best practices and stay informed about emerging threats.

Cybersecurity Best Practices:

  • Multi-Factor Authentication (MFA): Implement MFA across your organisation, prioritising email, remote access and administrator accounts, to reduce the risk of account takeover from stolen or guessed passwords.
  • Patching and Security Measures: Apply security updates promptly, particularly on internet-facing systems, and maintain basic security measures. Most attacks exploit vulnerabilities that are already known and for which a fix is already available.
  • Cyber Essentials: Cyber Essentials, the government-backed certification scheme run by the NCSC, covers five basic technical controls (firewalls, secure configuration, access control, malware protection and security update management). It is a useful tool for boards seeking an independent benchmark of their security practices; the basic level is a verified self-assessment, while Cyber Essentials Plus adds an independent technical audit.

NCSC’s Role Beyond Direct Support:

The NCSC works with international partners and technology vendors to improve the security of the technology we all use. Through initiatives such as “Secure by Design,” the NCSC aims to set security standards for consumer technology and to address the market incentives that lead to insecure products. This includes efforts to ensure that Internet of Things (IoT) devices, such as smart home products, meet basic security requirements, for example no universal default passwords and automatic security updates.

Growing Cyber Talent:

The NCSC is actively working to grow the UK’s cybersecurity talent pipeline through initiatives like CyberFirst, which aims to develop a more diverse and skilled workforce from primary school through university.

Top Actions for Boards:

  1. View Cybersecurity as a Business Risk: Incorporate cybersecurity into organisational risk management, just like financial or operational risks.
  2. Ensure Preparedness: Develop and test plans for handling cyber incidents, and ensure your organisation is ready for “when, not if” an attack occurs.
  3. Foster Collaboration: Make cybersecurity a team sport by sharing knowledge and strategies with other organisations, helping to create a broader culture of awareness and preparedness.

[1] https://www.ncsc.gov.uk/section/exercise-in-a-box/overview

Our next Charity Trustee roundtable will be taking place at 9am on Wednesday 11 June 2025 where we will be joined by David Holdsworth, Chief Executive of the Charity Commission. Contact Louise Hughes: lhughes@hwfisher.co.uk to reserve your place.

Key contacts

Carol Rudge
Partner

07814966061