Cyber Security: A Leadership Responsibility You Can't Delegate Away

In 2026, that duty of care extends firmly into the digital world.

Cyber attacks are no longer something that only happens to large corporations or government departments. Small and medium-sized organisations, including charities, are targeted precisely because attackers assume they'll be less well protected.

This isn't about fear. It's about responsibility.

Two risks, one issue

When leaders think about cyber security, data protection usually comes to mind first. And rightly so. The information you hold about staff, supporters, donors, and beneficiaries is valuable and sensitive. A breach doesn't just risk regulatory fines; it risks the trust you've built over years.

But there's a second risk that deserves equal attention: operational resilience.

Consider how much of your organisation's daily work depends on technology. Email, finance systems, databases, case management, fundraising platforms, communications. Now consider what happens if all of that stops working tomorrow, not for an hour, but for days or weeks.

A ransomware attack doesn't just steal data. It locks you out of your own systems. Staff can't work. Services can't be delivered. Payroll can't run. For charities, this might mean beneficiaries going unsupported. For businesses, it means contracts unfulfilled and customers let down.

Funders, partners, and customers increasingly understand this. Operational resilience is becoming a key requirement in supply chains and funding relationships. Organisations want to know that the partners and charities they work with can continue to function if something goes wrong.

Good cyber security protects both your information and your ability to operate.

Good stewardship includes digital stewardship

Most leaders I speak with understand that cyber security matters. What they often lack is clarity on what "good" actually looks like, and confidence that they're doing enough.

The good news is that you don't need to invent your own approach. The UK's National Cyber Security Centre (NCSC) has already defined what good cyber security looks like for organisations of all sizes, through two practical, accessible frameworks: Cyber Essentials and IASME Cyber Assurance.

Cyber Essentials focuses on five technical controls that protect against the most common internet-based attacks. It's straightforward, affordable, and designed for organisations without large IT teams.

IASME Cyber Assurance goes further, adding governance and risk management elements alongside the technical controls. It's particularly well suited to organisations that handle sensitive data or want to demonstrate a mature approach to information security.

Both frameworks give you something concrete to work towards, and something credible to show stakeholders, funders, regulators, and partners when they ask about your security posture. If your organisation bids for public sector contracts or works within supply chains, you may already be seeing Cyber Essentials appear as a requirement. This trend is accelerating.

What leaders can do

You don't need to become a technical expert. But you do need to ensure someone in your organisation owns this issue, that you have visibility of your risks, and that you're making proportionate progress.

Taking cyber security seriously is an act of faithfulness to those who support you and depend on you.

A practical next step

In partnership with GLN, I'm offering a free 30-minute Cyber Review with an NCSC-certified Cyber Advisor. It's a chance to talk through where your organisation stands and what proportionate next steps might look like. No sales pitch, just an honest assessment.

You can book directly via the Cool Waters Cyber website.

Protecting your organisation isn't just an IT issue. It's a leadership issue. And like all leadership responsibilities, it starts with the decision to take it seriously.

‍

Mark Faithfull

CEO, Cool Waters

‍