Current chapter – Questions that Boards should ask



The National Cyber Security Centre (NCSC) Board toolkit sets out questions that a Board should ask its network defenders to understand its security vulnerabilities. The toolkit provides advice on why these vulnerabilities matter and what action an organisation should take to mitigate them.

The questions include:


Technology

  • How do we defend our organisation against phishing attacks?

Phishing is one of the most likely ways by which an attacker will first gain access to an organisation.

  • How does our organisation control the use of privileged IT accounts?

Attackers will try to compromise administrator accounts because they hold elevated access. These accounts must be given additional protection.

  • How do we ensure that our software and devices are up to date?

Patching is the process by which hardware and software are kept up to date. Systems that are not up to date are vulnerable to attack and will be exploited by attackers. Legacy equipment (a major problem for most NHS organisations) cannot be updated and must therefore be treated as untrustworthy. The level of unsupported systems and software is an indicator of a lack of investment in IT infrastructure.

  • How do we make sure our partners and suppliers protect the information we share with them?

All NHS organisations will be dependent on third parties: this will mean that data is shared, and there may be direct connectivity. Steps need to be taken to minimise the risk that these connections represent.

  • What authentication methods are used to control access to systems and data?

Attackers exploit any weaknesses in access control measures (passwords etc.). Implementing measures such as two-factor or multi-factor authentication (2FA or MFA) can reduce this risk.


People

  • Does the organisation have the right cyber security culture and capability to manage the risk?

  • When was the last cyber security awareness campaign for our organisation?

NHS Digital have produced security awareness materials that have been widely tested and are available for your organisation to deploy quickly, saving time and money.

  • How experienced and capable is our cyber security team? What gaps do we have?

Recruiting and retaining cyber security professionals is very challenging. You may need to consider collaborating with other NHS organisations or outsourcing some security functions.


Resilience

You will need assurance that:

  • There is a secure offline back-up and that the IT team have practised recovery from it.

Attackers who deploy ransomware seek out back-ups to disable or delete. Therefore, having a secure offline back-up is essential if an organisation is going to be able to recover quickly from a ransomware attack.

  • There is an Incident Management (IM) plan and Business Continuity Plan (BCP), and you will want to know when they were last reviewed and exercised.


Last edited: 17 January 2022 2:47 pm