Social Sector Challenges | Cyber Awareness

In today's digital age, Social Sector organisations have become increasingly reliant on technology and data as enablers to carry out their mission. However, this reliance also makes them increasingly vulnerable to cyber attacks. In 2022 alone, there were 76,000 cybercrime reports in Australia, a 38% increase from the year before (ACSC, 2022; Check Point Research, 2023).

Our Deloitte Social Impact Team recently partnered with our Cyber Risk Team, led by Gautam Kapoor, to host an Executive Roundtable on Cyber Security | The 7 Habits of Cyber Aware Executives.

In this blog we reflect on the key learnings from this thought-provoking session with Board Directors and Executives from across Australia’s Social Sector, focusing on how Social Sector Leaders can evolve their cyber awareness through three key principles: (1) Build Capabilities, (2) Never Trust, Always Verify and (3) Report & Measure.

It is widely recognised that building strong cyber security capabilities begins with a comprehensive understanding of the threats and vulnerabilities faced by organisations today, which are increasingly reliant on data running on their digital and IT infrastructure.

However, a critical step in this process is aligning on current cyber security maturity and future aspirations. Some organisations may strive for top levels of cyber security, while others may only seek to achieve an average level of cyber security based on their investment capacity. Either is an acceptable outcome, provided that Board Directors and Executives have accurately identified where they currently sit in terms of maturity and have allocated adequate resources towards achieving their cyber security objectives.

Another key consideration is who in the organisation should be responsible for managing the security of sensitive organisational data. Board Directors and Executives should clearly nominate who is responsible for managing cyber security in the organisation and support them with the right resources. The safeguarding of organisational data cannot rely solely on the actions of a few executives. Instead, it is a collective responsibility that requires buy-in from every member of the organisation to effectively minimise threats and protect sensitive information.

Key Questions for Board Directors and Executives to reflect on:

  • What is our organisation’s cyber security maturity level (current state) and what do we aspire it to be (future state)?
  • Are we willing to invest appropriately to achieve this aspiration?
  • Do we know what our most precious ‘crown jewel’ assets are, and how we should protect them?
  • Have we adopted a comprehensive cyber security framework?
  • Who is leading the charge for cyber security in the business? Is this person sufficiently empowered and given enough resources?

Cyber security strategies have evolved over the last decade. As organisational perimeters dissolve in this cloud-dominated, mobile-driven, ‘work from anywhere’ world, Social Sector Leaders need to stay up to date on the changing threat landscape and on refreshed strategies to protect their organisations from cyber attacks.

‘Never Trust, Always Verify’ is the basic principle behind the ‘Zero Trust’ model and should underpin the development of protective controls. It means that access to data, resources, assets or services is never granted on the basis of trust alone (for example, because a request comes from inside the network) but must be verified first. For this design principle to be effective it must be integrated into business processes, and Board Directors and Executives have a critical role to play in ensuring its implementation.

Further, given that a cyber attack is no longer a matter of ‘if’ but ‘when’, the best course of action is to prepare proactively for these inevitable breaches. One way to accomplish this is through comprehensive, holistic cyber attack simulations that align Board Directors and Executives on how to act, and that verify the organisation’s detection and remediation protocols actually work in the event of an attack. By doing so, an organisation can better prepare for cyber security incidents and minimise the repercussions of cyber criminal activity.

Key Questions for Board Directors and Executives to reflect on:

  • Are our protective controls aligned to the ‘Never Trust, Always Verify’ principle?
  • If we are breached, how can we quickly detect and remediate it?
  • How fast can we respond to a breach?

It is imperative for Social Sector organisations to prioritise the reporting and measurement of their cyber security efforts. This includes monitoring key performance indicators such as the number of attacks incurred and prevented, as well as comprehensive risk management that captures the level of residual risk and the reasons why previous controls failed.

Reporting and measuring cyber security efforts not only helps Social Sector organisations identify areas for improvement, but also demonstrates to stakeholders that the organisation takes the protection of its ‘crown jewels’ seriously. This builds trust and confidence in the organisation's ability to protect sensitive data and discourages cyber criminals from targeting it.

When benchmarking performance, it may be more pragmatic to compare a Social Sector organisation’s performance against peers within the Social Sector to gain an understanding of its level of maturity. However, it is also important for Social Sector organisations to look beyond their own industry to draw lessons and develop a broader perspective on which best practices are applicable to bolster their own efforts. By doing so, organisations can proactively take steps to mitigate cyber security risks and reduce their vulnerability to cyber attacks.

Key Questions for Board Directors and Executives to reflect on:

  • How are we tracking incidents and what can we learn from these incidents (i.e. why did our controls fail and what can we do to improve)?
  • Once controls are in place, what is our organisation’s residual risk and how are we managing this?
  • What are our open cyber risks? How is our organisation handling exceptions/deviations to cyber policies?

Next Steps

Cyber security is an essential component of any organisation's operations. With the increasing likelihood of cyber criminals targeting Social Sector organisations, it is crucial that their Board Directors and Executives adopt a cyber aware mindset, take the necessary measures and make the required investments to maintain the trust of stakeholders and protect the reputation of their organisations and the sector.

Need help?

Deloitte Social Impact Consulting

Deloitte Australia’s Social Impact Consulting Practice supports Social Sector organisations, government agencies and businesses to deliver greater social impact aligned to their vision and mission. Our team is passionate about bringing the latest trends in strategy, technology and innovation from adjacent industries and global players to support Social Sector organisations to be ‘future fit’ in an increasingly complex, disrupted and competitive market.

Should you require any support, please feel free to reach out to either Tharani Jegatheeswaran (Partner – Social Impact Consulting) or Vivian Stephens (Director – Social Impact Consulting).

Deloitte Cyber Risk Services

In an increasingly digital world, cyber brings new opportunities and threats. Our Deloitte Cyber Risk Services help clients address those threats to build smarter, faster, more connected futures. Using human insight, technological innovation, and comprehensive solutions, we manage cyber everywhere so society—and your organisation—can go anywhere.

Should you require any support, please feel free to reach out to either Gautam Kapoor (Partner – Cyber Risk Services) or Ian Blatchford (Partner – Cyber Risk Services).