At our recent Innovate for Impact: Empowering charities through technology event, one message stood out above all others: cyber resilience is not just a technology issue — it is an organisational one. As charities increasingly rely on digital tools to deliver services, engage supporters and manage sensitive information, the impact of a cyber incident can extend far beyond IT systems. A ransomware attack, data breach or system outage can affect operations, communications, governance, reputation and, ultimately, the people organisations exist to serve.
The discussion explored practical lessons from organisations that have experienced significant cyber incidents, alongside insights on how charities can strengthen their resilience before, during and after an attack.
Catch up on the key takeaways from our other panel sessions:
- Innovate for Impact: How technology can empower charities to drive positive change
- Innovate for Impact: Managing IT supplier relationships: Risks, red flags and reducing the impact of disputes
Cyber incidents are human challenges
When systems become unavailable, normal methods of communication can disappear overnight. Staff must make decisions under pressure, leaders need to balance competing priorities and service delivery teams often have to find ways to continue supporting beneficiaries and other stakeholders while critical systems are offline. This highlights the importance of viewing cyber resilience as a core organisational capability rather than a responsibility that sits solely with IT teams.
Preparation matters more than perfection
A recurring theme throughout the discussion was that no organisation can eliminate cyber risk entirely. The question is no longer whether an incident will occur, but how prepared an organisation is to respond when it does.
Rather than attempting to predict every possible scenario, charities should focus on building flexible response frameworks that can adapt to rapidly changing circumstances. Effective incident response plans, business continuity arrangements and clear decision-making processes can significantly reduce disruption when an incident occurs.
Response plans should also address regulatory reporting requirements from the outset. Depending on the circumstances, organisations may need to assess whether notifications are required to bodies such as the Charity Commission and the Information Commissioner’s Office (ICO), alongside other relevant regulators and – in some cases – affected individuals. Having clear reporting processes in place can help ensure timely, accurate and coordinated communications during an incident.
Regular testing is essential. Plans that appear effective on paper may prove far more challenging in practice, particularly when communication channels or key systems are unavailable.
Simple but effective cyber security measures
The panel emphasised that cyber resilience is not achieved through a single technology solution. Instead, it is built through a combination of robust controls, effective governance and a culture of awareness. Nevertheless, the panel highlighted that some of the simplest and most cost-effective cyber security measures can also be the most effective including:
- Multi-factor authentication.
- Regularly tested backups.
- Prompt patching of known vulnerabilities.
- Careful management of administrative access.
- Accurate asset and device inventories.
- Ongoing cyber awareness and phishing training.
Regular testing of incident response and business continuity plans.
The importance of people and culture
One of the most powerful themes was the critical role played by people. Employees can be an organisation’s strongest defence against cyber threats. However, they can only fulfil this role if they understand risks and feel empowered to raise concerns. Creating a culture where staff can report mistakes, suspicious activity or potential vulnerabilities without fear of blame is essential. Early reporting often allows organisations to contain incidents before they become more serious. Leadership also plays an important role. When senior leaders visibly prioritise cyber security, it becomes embedded within organisational culture rather than being viewed as a specialist issue for technical teams alone.
Governance and oversight are critical
Boards and trustees have a key role in overseeing cyber risk. Effective governance requires organisations to move beyond asking whether they could be targeted and instead focus on their preparedness. Critical questions include whether the organisation can detect incidents quickly, respond effectively, maintain essential services and obtain meaningful assurance regarding the effectiveness of its controls. Strong governance is not about eliminating risk altogether; it is about ensuring that organisations understand their risks and are equipped to manage them appropriately.
Recovery is a long-term process
One important lesson from the discussion was that recovery does not end when systems are restored. The aftermath of a significant cyber incident can continue for months as organisations review controls, engage with stakeholders, implement improvements and address lessons learned. True resilience involves not only responding to an incident but emerging stronger from the experience.
Key takeaways
For charities looking to strengthen their cyber resilience, several practical lessons emerged:
- Treat cyber resilience as an organisation-wide responsibility.
- Invest in strong cyber security fundamentals before pursuing more complex solutions.
- Regularly test incident response and business continuity plans.
- Foster a culture where staff feel confident reporting concerns.
- Engage trustees and senior leaders in resilience planning.
- Review external support arrangements, especially the nature and scope of insurance, before an incident occurs.
Focus on preparedness, response and recovery as well as prevention.
Ultimately, cyber resilience is about more than technology. While robust systems and controls are essential, an organisation’s ability to communicate, collaborate, make informed decisions and learn from adversity will often determine how successfully it navigates a crisis.
If you have any questions about this article, or would like to discuss your cyber resilience and steps to take now to prepare, please get in touch.
If you are interested in attending Innovate for Impact next year, you can register your interest here.
The material in this article is provided for guidance and general information only and is not intended to constitute legal or other professional advice upon which you should rely. In particular, the information should not be used as a substitute for a full and proper consultation with a suitably qualified professional. Please do contact the Bates Wells team if you require further advice.