You might be wondering: why am I doing a cybersecurity course? Isn't this something IT deals with?

It's a fair question. And the honest answer is that for a long time, most of us in marketing and digital roles may have felt able to treat security as someone else's problem. We've assumed there's a firewall somewhere, or an IT person keeping an eye on things, and that our job is just to get on with the work.

But that assumption doesn't hold up anymore. Not because the IT people aren't doing their jobs, but because the way attacks actually happen has evolved. The arts and culture sector has learned this the hard way.

Why go after arts and culture organisations?

You might think that theatres, museums, galleries and festivals wouldn't be obvious targets. We're not banks. We're not holding military secrets. But that's exactly the point.

Attackers know that smaller organisations, charities and cultural institutions often have limited resources, complex tool setups, and teams that are stretched thin. That makes them easier to get into.

Some recent examples:

• 2020: Hackney Museum was caught up in a wider attack on the London Borough of Hackney's systems.
• 2021: the Royal Armouries were attacked, with their collections management system down for some time.
• 2023: the British Library suffered a major ransomware attack that took its systems offline for months. The recovery cost tens of millions of pounds.

There are also numerous stories of hijacked Instagram accounts and (a problem waiting to happen) accounts that people can't log into anymore because nobody can find the logins.

It's not always external attackers. The British Museum recently disclosed that a former freelancer, who still had access to internal systems, logged in after their contract ended and caused significant disruption.

So, where do marketing and digital teams come into this?

Think about what you have access to on a typical day. You might be logging into Meta Ads to manage ad campaigns. You're in Mailchimp or WordFly, sending emails to thousands of contacts. You're updating the CRM. Pulling reports from the ticketing system. Updating content on the website. You might have admin rights to the Instagram and TikTok accounts.

Think about what an attacker could do with that access.

They could send emails to your entire mailing list with a malicious link. They could post on your social channels, damaging your reputation in minutes. They could export your audience data. They could redirect customers to a website that looks like yours but isn't. They could lock you out entirely and demand payment to give it back.

Marketing teams often have wide access across multiple platforms, with high privileges. And because we're all busy, sometimes logins are shared, passwords are reused, or old accounts are left active longer than they should be.

It's not a criticism. It's just the reality of how teams work, especially in under-resourced organisations.

But it does mean that if someone wants to get into your organisation, a person in your position could be a very enticing target.

How incidents begin

Most cyber incidents don't start with someone breaking through a firewall or writing clever code.

They start with a human being making a reasonable decision based on bad information.

Someone clicks a link in an email that looks like it's from Instagram, warning them their account is about to be suspended. Someone shares a login with a freelancer who then gets phished themselves. Someone reuses a password from another site that's already been breached.

They're the kinds of decisions any of us might make on a busy afternoon when we're trying to get through our to-do list. They're understandable, but they're also avoidable.

About this course

The aim of this course isn't to make you a security expert, but to help you recognise the moments where slowing down and checking could prevent something serious. And to make sure that if something does go wrong, you've taken reasonable steps and you know what to do next.

By now, I hope three things are clear.

• First, arts and culture organisations are targets. The idea that they're too small or too niche to bother with simply isn't true.
• Second, marketing and digital roles carry real security responsibility, whether or not that's written into your job description. The access you hold, the platforms you manage, and the decisions you make every day all affect your organisation's risk.
• Third, most incidents start with ordinary actions, not technical failures. That means prevention is largely about habits, judgment and professional standards. Which is exactly what the rest of this course will help you build.

Let's make a start.