FTSE 350 boards must answer 5 questions to assess cyber risk: NCSC
8 October 2018
The National Cyber Security Centre recently said that board members at Britain’s largest enterprises must ask themselves five simple yet effective questions to accurately assess their cyber risk and the effectiveness of their response strategies.
In August last year, the Department for Digital, Culture, Media & Sport published its FTSE 350 Cyber Governance Health Check Report 2017, which revealed that 68% of company board members had never received any formal cyber security training to help them understand cyber risks, and that 10% of boards had no plan in place to respond to cyber incidents.
The report also revealed that 13% of board members considered the cyber threat a low-level risk rather than a high-priority one, and that 53% of company boards were provided with some information on cyber risk, which limits their ability to respond effectively to emerging risks.
Five questions that will help boards understand cyber risk
According to the cyber security watchdog, these “five core questions” will not only help FTSE 350 boards understand initial risks and areas of improvement, but will also help them understand cyber risk in the same way they understand financial risk, or health and safety risk.
The five questions that the NCSC has asked company boards to put to themselves are:
1. How do we defend our organisation against phishing attacks?
2. What do we do to control the use of our privileged IT accounts?
3. How do we ensure that our software and devices are up to date?
4. How do we ensure our partners and suppliers protect the information we share with them?
5. What authentication methods are used to control access to systems and data?
The five simple questions seek answers not only on how the biggest enterprises in the UK respond to phishing attacks on their employees via SMS or e-mail, but also on legitimate concerns over emerging concepts such as privileged access management, and on the ability of enterprises to audit the strength of the security controls implemented by the third-party vendors and suppliers who store and process customer data on their behalf.
Additionally, by answering these questions, company boards will be able to determine whether multi-factor authentication has been implemented across all departments, and whether there are shadow IT devices that have not been updated or tested for vulnerabilities.
“Cyber security is now a mainstream business risk. So corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks. But to have the plain English, business focussed discussions at board level, board members need to get a little bit technical. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk,” said Ciaran Martin, chief executive of the NCSC.
“Our sample questions today, which we’ve published in consultation with businesses, aim to equip board members to ask the right questions and begin to understand the answers. There is no such thing as a foolish question in cyber security. The foolish act is walking away without understanding the answer because that means you don’t understand how you’re handling this core business risk,” he added.
According to the NCSC, the five basic questions will form part of a broader toolkit for enterprises, to be released this winter, that will help recognise and resolve gaps in boards’ knowledge. Boards must learn how to distinguish good answers from waffle and should keep asking questions about how risks are managed.
“Cyber security is no longer just the domain of the IT department. It can’t be delegated. Those around the board table must understand the constant and persistent cyber threat to their businesses and to educate themselves of the steps they need to take to ensure that they are cyber-resilient,” said Jacqueline de Rojas, president of techUK.
“That is why the NCSC toolkit, specifically aimed at board members, is an important development. It will help de-mystify concerns around cyber security, enabling senior executives to discuss their cyber risk appetite in a confident and proactive manner. techUK will continue to work with the NCSC to raise awareness of the toolkit in order to protect businesses both large and small in the UK,” she added.
NCSC taking the war to hackers
In order to secure Britain’s major industries from cyber-attacks carried out by expert hacker groups or groups sponsored by hostile nations, the NCSC has, over the years, not only issued a series of advisories to businesses of all sizes but has also taken action of its own to reduce companies’ exposure to cyber-attacks.
For example, the watchdog’s ‘Active Cyber Defence programme’, launched last year, allowed it to block 54 million online attacks and to take down 120,000 fake websites run by cyber criminals. The blocked websites included some that mimicked sites owned by public sector institutions such as HMRC, the Crown Prosecution Service, the Bank of England and several UK universities.
According to NCSC, the new programme also helped it remove 121,479 phishing sites hosted in the UK and 18,067 hosted in the rest of the world that spoofed UK government websites. It also blocked a total of 515,658 fake e-mails from bogus ‘@gov.uk’ accounts.
The watchdog’s Web Check service, which was set up to help all UK public sector organisations fix existing and emerging vulnerabilities in their websites and web applications, uncovered over 6,000 issues across 8,000 different websites and has enabled the NCSC to issue over 4,000 advisories since April last year.
In fact, the Web Check service itself performed 1,033,250 individual scans running 7,181,464 individual tests, scanned 7,791 unique URLs across 6,910 unique domains and produced 4,108 advisories for customers.
These advisories covered 2,178 issues relating to certificate management, 1 relating to HTTP implementation, 184 relating to out-of-date content management systems, 1,629 relating to TLS implementation, 76 relating to out-of-date server software and 40 relating to other issues.