Part of Cyber security guide for non-executive directors
Questions the board should ask
The National Cyber Security Centre (NCSC) board toolkit sets out some key questions that a board should ask its network defenders to understand its security vulnerabilities. The toolkit provides advice on why these vulnerabilities matter and what action an organisation should take to mitigate them. The questions include:
Technology
How do we defend our organisation against common and well-known attack techniques, such as phishing attacks?
Tip: Phishing is one of the most likely ways by which an attacker will first gain access to an organisation.
How do we ensure the security of administrator, privileged or high access accounts and are they separated from ‘day to day’ accounts?
Tip: Attackers will wish to compromise administrator accounts because they hold elevated access. These accounts must be given additional protection.
Do digital teams have a lifecycle management process for technology to ensure we are not running out-of-date software, which would expose us to vulnerabilities?
How do we make sure our partners and suppliers protect the information we share with them?
How do we understand the links between our suppliers and the key systems and services they provide to us? What are our key suppliers doing to protect their own systems, so they can provide our organisation with resilient services?
Tip: All NHS organisations will be dependent on third parties as part of their supply chain: this will mean that data is shared, and there may be direct connectivity. Steps need to be taken to minimise the risk that these connections represent.
Beyond suppliers of digital services, how do we ensure that our other critical supply chains (not only digital ones) are resilient to cyber disruption? This may overlap with the assurances we require to meet our GDPR data controller obligations when sharing personal data with external data processors, and may extend to the delivery of services as well as to data protection and information security.
Do we have multi-factor authentication (MFA) securing all access into our data, information and systems from outside of our internal network?
Tip: Attackers exploit any weaknesses in access control measures (passwords, etc.). Implementing measures such as two-factor or multi-factor authentication (2FA or MFA) can reduce this risk.
People
Thinking across the organisation, do you feel that there is a positive, negative or indifferent security culture?
When was the last cyber security awareness campaign for our organisation? What did we do and what did we do with our findings?
Tip: NHS England has produced security awareness materials that have been widely tested and are available for your organisation to quickly deploy, saving time and money for your organisation.
Do you have a dedicated and skilled team responsible for cyber security?
Tip: Recruiting and retaining cyber security professionals is very challenging. You may need to consider collaborating with other NHS organisations or outsourcing some security functions.
Resilience
You will need assurance of the following:
Are backups validated and assured when taken, can they be relied upon when needed? Also, are backups and their data protected from attackers who may wish to delete, change or steal them?
Tip: Attackers who deploy ransomware seek out backups to disable or delete. Therefore, having a secure offline backup is essential if an organisation is going to be able to recover quickly from a ransomware attack.
Are incident management and business continuity plans in place and when were they last reviewed and exercised?
Do our incident management and business continuity plans include cyber risk scenarios, and ensure critical services can be maintained over a potentially extended period?
Regulation
Do we fully understand our governance, legislative and regulatory responsibilities around cyber security and the potential penalties for non-compliance?
Have there been any recent changes to legislation/regulations that we need to be aware of?
Last edited: 17 July 2025 9:13 am