If you are providing essential services, and more specifically if you are an NHS organisation, there is free cyber-related guidance, along with free services, available via the UK National Cyber Security Centre (NCSC), NHSE, and the former NHS Digital (now part of NHS England).
Before purchasing your next cyber security system, you should look through the lists and information below, as you may find that what you are looking for can be provided for free. Alternatively, if you have little available money to spend, you can begin onboarding to the freely provided services and systems in line with any gaps identified during your maturity assessment.
Central bodies are putting a huge amount of resource into providing these services and advice, so if the opportunity is there we should take advantage of it.
Let’s start with the NCSC, whose free resources can be found here.
- Early Warning – Early Warning helps organisations investigate cyber-attacks on their network by notifying them of malicious activity that has been detected in information feeds.
- Exercise in a Box (EIAB) – EIAB is a toolkit of realistic scenarios that helps organisations practise and refine their response to cyber security incidents in a safe and private environment.
- Mail Check – Mail Check helps organisations assess their email security compliance and adopt secure email standards which prevent criminals from spoofing your email domains.
- Web Check – Web Check helps you find and fix common security vulnerabilities in the websites that you manage.
- Check your Cyber Security – The NCSC is in the process of developing tools for organisations to run instant checks on their cyber security. These include the following.
  - Email Security Check to confirm correct configuration of DKIM, SPF, DMARC and TLS.
  - IP Address and Website Check allows you to run a check to identify if cyber criminals could gain access to systems via the internet.
  - Web Browser Check to discover if your browser is out of date and vulnerable to exploitation.
- Protective Domain Name Service – PDNS prevents users from accessing domains or IPs that are known to contain malicious content and stops malware already on a network from calling home.
The NCSC also has a massive amount of guidance for UK organisations, and it is recommended to read those in the list below.
- Cyber Assessment Framework (CAF) – The NCSC CAF is a framework which can help organisations meet the NIS (Network & Information Systems) Regulations, which apply to all providers of essential services (including the NHS and Health Care). The Cyber Assessment Framework 3.1 – NCSC.GOV.UK
- Cloud Security Guidance – If you want to store and process data in the cloud or use cloud platforms to build and host your own services, this guidance will help you do so securely. Cloud security guidance – NCSC.GOV.UK
- Cyber Security Toolkit for Boards* – The NCSC’s Board Toolkit helps boards to ensure that cyber resilience and risk management are embedded throughout an organisation, including its people, systems, processes, and technologies. Cyber Security Toolkit for Boards – NCSC.GOV.UK
- 12 Principles of Supply Chain Security – A series of 12 principles, designed to help you establish effective control and oversight of your supply chain. The principles have been divided into four separate stages: understand the risks, establish control, check your arrangements and continuous improvement. Supply chain – NCSC.GOV.UK
* especially helpful for board members
NHS Digital (now part of NHS England) also provides a suite of great tools which NHS organisations can implement free of charge.
- NHS Secure Boundary – Can provide protection for both outgoing and inbound traffic so not only can you protect users while they are connected to the internet or remote working, but you can also protect internet facing websites and applications.
- Cyber Assurance Service* – The assessment will measure your performance in cyber and data security standards, by completing an IT Health Check and assessing your adherence to key DSPT assertions relating to cyber security. Reports completed after the assessment will detail where improvement is needed, also considering the urgency to correct.
- Technical Remediation – This work includes a secure backup review, and an Active Directory review, which can lead to further bespoke assessments such as a backup remediation assessment, secure backup design review, and remediation packages.
- Advanced Threat Protection – Advanced Threat Protection (ATP) gives local organisations such as hospitals and GP surgeries better cyber security protection. It is also linked to the Data Security Centre (DSC), which improves cyber security protection for local health and care communities, and the NHS as a whole.
- Vulnerability Monitoring Service – Provide your organisation’s IP ranges and receive a detailed report each month to help identify vulnerabilities, with additional remediation help available if required.
- BitSight – The BitSight platform uses externally observable events, data sinkholes and third-party data to continuously assess cyber security ratings. It is a non-intrusive solution and does not collect any data directly from organisations. This provides visibility of externally facing risk and can produce executive-level reports you can provide to the board for assurance.
* especially helpful for IT Admins
Further information on all of the above can be found here.
These services combined could drastically improve the cyber security maturity of most organisations, and considering they are free to most public sector organisations, there is little reason not to make use of them if you are eligible.
If you’re a board member struggling to understand your cyber security risk exposure, there is the NCSC Board Toolkit. If you’re struggling to manage supply chain risk, there is the NCSC guidance.
If you’re an IT admin and are concerned about the security posture of the internal network and you want to show you need to make improvements, you can use the Cyber Assurance Service from NHSD. If you’re concerned your internet facing infrastructure is exposed to web-based threats, you can implement the Secure Boundary Web Application Firewall.
To find out more about how to assess your cyber security maturity, contact Cloud21. We don’t just understand cyber security, we understand NHS cyber security.