It is widely recognised that building strong cyber security capabilities begins with a comprehensive understanding of the threats and vulnerabilities faced by organisations today, which are increasingly reliant on data running on its digital and IT infrastructure. 

However, a critical step in this process is aligning on current cyber security maturity and future aspirations. Some organisations may strive for top levels of cyber security, while others may only seek to achieve an average level of cyber security based on their investment capacity. These two alternatives are acceptable outcomes, provided that Board Directors and Executives have accurately identified where they currently sit in terms of maturity and have allocated adequate resources towards achieving their cyber security objectives.

Another key consideration is who in the organisation should be responsible for managing the security of sensitive organisational data. Board Directors and Executives should nominate clearly who is responsible for managing cyber security in the organisation and support them with the right resources. The safeguarding of organisational data cannot solely rely on the actions of a few executives. Instead, it is the collective responsibility that requires buy-in from every member of the organisation to effectively minimise threats and protect sensitive information. 

 Key Questions for Board Directors and Executives to reflect on:

• What is our organisation’s cyber security maturity level (current state) and what do we aspire it to be (future state)?
• Are we willing to invest appropriately to achieve this aspiration?
• Do we know what our most precious ‘crown jewel’ assets are, and how we should protect them?
• Have we adopted a comprehensive cyber security framework? 
• Who is leading the charge for cyber security in the business? Is this person sufficiently empowered and given enough resources?

Cyber security strategies have evolved over the last decade. As organisational perimeters deteriorate in this cloud dominated, mobile-driven, and ‘work from anywhere’ world, Social Sector Leaders need to stay up to date on the changing threat landscape and refreshed strategies to protect organisations from cyber attacks.

‘Never Trust Always Verify’ is the basic principle to implement the ‘Zero Trust’ model in an organisation and should underpin the development of protective controls. This means that access to data, resources, assets, or services should not be granted based on trust alone, but must be verified first. It is crucial to integrate this design principle into business processes for it to be effective and Board Directors and Executives have a critical role to play in ensuring its implementation.

Further, given that the occurrence of cyber attacks is no longer a matter of ‘if’, but ‘when’, the best course of action is to be proactive in preparing for these inevitable breaches. One way to accomplish this is through comprehensive and holistic cyber attack simulations that drive alignment across the Board Directors and Executives on how to act and verify efficient detection and remediation protocols in the event of an attack. By doing so, an organisation can better prepare for cyber security incidents and minimise the repercussions of cyber criminal activity.

Key Questions for Board Directors and Executives to reflect on:

• Are our protective controls aligned to the ‘Never Trust Always Verify’ principle?
• If we are breached, how can we quickly detect and remediate it?
• How fast can we respond to a breach?

It is imperative for Social Sector organisations to prioritise the reporting and measurement of their cyber security efforts. This includes monitoring key performance indicators such as the number of attacks incurred and prevented, as well as comprehensive risk management that includes the level of residual risks and reasons why previous controls failed.

Reporting and measuring cyber security efforts not only helps Social Sector organisations identify areas for improvement, but also demonstrates to stakeholders that the organisation takes the protection of their ‘crown jewels’ seriously, building trust and confidence in an organisation's ability to protect sensitive data and demotivate cyber criminals from targeting them.

When bench-marking performance, it may be more pragmatic to compare a Social Sector organisation’s performance within the Social Sector to gain an understanding of their level of maturity. However, it is also important for Social Sector organisations to look beyond their own industry to draw lessons from and develop a broader perspective on what best practices are applicable to bolster their own efforts. By doing so, organisations can proactively take steps to mitigate cyber security risks and reduce their vulnerability to cyber attacks. 

Key Questions for Board Directors and Executive to reflect on:

• How are we tracking incidents and what can we learn from these incidents (i.e. why did our controls fail and what can we do to improve)?
• Once controls are in place, what is our organisation’s residual risk and how are we managing this?
• What are our open cyber risks? How is our organisation handling exceptions/ deviations to cyber policies?