Supporting Scotland's vibrant voluntary sector

Scottish Council for Voluntary Organisations

The Scottish Council for Voluntary Organisations is the membership organisation for Scotland's charities, voluntary organisations and social enterprises. Charity registered in Scotland SC003558. Registered office Caledonian Exchange, 19A Canning Street, Edinburgh EH3 8EG.

Top tips for trustees: Make space for cyber

Looking at data from SCVO’s Good Governance Checkup, we see that lots of trustees aren’t sure whether cyber resilience is a board responsibility and how this area of risk should be managed – so how should you be tackling cyber risk?

You are already managing risk

Every governance body has to think about potential risks their organisation might face and how to control them. Exactly how you do this will vary: every voluntary organisation is different in its attitude to risk and in what it is prepared to tolerate, based on its unique set-up.

You’re likely already managing risk as part of your daily operations and strategic planning, even if you haven’t realised it. You can take it further through board discussions on business resilience, considering and maybe even planning how your organisation would continue to operate when a risk undoubtedly materialises.

Driving a culture of accountability and resilience within an organisation is so important: everyone plays a role in spotting risks and taking appropriate action to help stay safe.

Start asking questions about cyber

Cyber risk is just another type of risk, and so should be managed in the same way as all business risks. Unfortunately, the third sector is not exempt from cyber attacks. According to the 2025 UK Cyber Security Breaches Survey, almost one in three charities experienced some form of cyber security breach or attack in the past year.

Trustees are responsible for recognising cyber risks and keeping up-to-date with common threats to help inform their understanding of risk and mitigation. Ensuring these risks are well managed means that boards can be confident of their organisation’s cyber position.

As a trustee, you can obtain a level of assurance by asking…

  • Are we taking appropriate technical steps to protect our systems and data from common threats? Make sure your organisation has taken practical steps to improve its cyber security, e.g. backing up data, keeping mobiles and laptops safe, preventing malware, avoiding phishing attacks and using strong passwords.
  • Do our staff and volunteers understand their role in helping us stay safe online? Giving your team the right awareness and basic training can help reinforce key cyber security principles and make your organisation less vulnerable.
  • Do our staff and volunteers know how to report anything suspicious? People on the front line will likely be the first to notice a cyber incident or suspected phishing activity. It’s important they know how to report it so that you can quickly work out what’s happening.
  • Have we recently tested our cyber incident response plan? You can reduce a lot of the stress and risk of a cyber attack by having an up-to-date incident response plan prepared in advance.

Acting now can make a big difference in helping protect your organisation from the inevitable.

Reach out if you need help

For further information, check out SCVO's Cyber Resilience page, where you can keep up to date with all things cyber, and/or get in touch with our Cyber Resilience Co-Ordinator if you’d like to chat things through in more detail.


Last modified on 3 November 2025