The National Cyber Security Centre (NCSC) has reminded boards of their role in mitigating cyber risk in their organisations, publishing a blog just before Christmas on the Log4j vulnerability, a critical new flaw affecting a wide range of companies. In its blog the NCSC sets out a list of questions boards should be asking their IT teams in relation to this new risk.
How concerned should boards be?
The NCSC blog explains that the Log4j issue has the potential to cause severe impact to many organisations. The critical vulnerability, which the NCSC describes as ‘potentially the most severe computer vulnerability in years’, does not relate to a single piece of software, but rather to the widely used Log4j logging tool – a software component used by millions of computers worldwide running online services. Because it is a logging library, it is typically bundled inside other applications rather than installed as a product in its own right, which is what makes exposure hard to see. Initial reports suggest attackers will use the vulnerability to deploy remote-control malware and launch ransomware attacks. As a result, organisations need to act now to identify which of the services they use include the Log4j component, and whether any of these are vulnerable.
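The identification step above (and the later question about in-house Java code) is harder than it sounds, because log4j-core usually sits inside a WAR, EAR or fat JAR rather than on disk as a separately installed package. The following is an added example, not NCSC or Apache code: it walks a directory tree, opens every Java archive, recurses into archives nested inside them, reads the Maven metadata that Apache ships in log4j-core jars to recover the version, and falls back to the presence of the JndiLookup class when repackaged jars have stripped that metadata. The sample archive layout written by build_demo_tree() is constructed for the demo (the class entries are placeholder bytes, not real bytecode), and the SAFE_VERSION threshold is an assumption: 2.17.1 closed the December 2021 series of fixes, so anything older is reported as needing attention.

```python
"""Find log4j-core inside Java archives, including archives nested in WARs and fat JARs.

Added illustration for this post, not NCSC or Apache code. The archive layout
built by build_demo_tree() is constructed for the demo; the SAFE_VERSION
threshold is an assumption (2.17.1 closed the December 2021 series of fixes).
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Maven metadata Apache ships inside log4j-core jars; shaded/repackaged jars often drop it.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the JNDI lookup; its presence identifies log4j-core even without version metadata.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_VERSION = (2, 17, 1)  # assumption: anything older is reported as needing attention


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Leading digits of each dotted part only."""
    parts = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_archive(data: bytes, path: str) -> Iterator[dict]:
    """Yield one finding per log4j-core copy in this archive or in any archive it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        # An unknown version with JndiLookup present is flagged until someone proves otherwise.
        needs_attention = version is None or parse_version(version) < SAFE_VERSION
        yield {"path": path, "version": version, "jndi_lookup": has_jndi,
               "needs_attention": needs_attention}
    # WARs, EARs and fat JARs carry further archives inside; recurse so nested copies are not missed.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            yield from inspect_archive(zf.read(name), f"{path}!/{name}")


def scan_tree(root: str) -> list:
    """Walk a directory and collect findings from every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def build_demo_tree(root: str) -> None:
    """Write constructed sample archives (placeholder bytes, not real Log4j) to exercise the scanner."""
    def log4j_core_jar(version, with_pom=True) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            if with_pom:
                z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        return buf.getvalue()

    os.makedirs(os.path.join(root, "webapps"), exist_ok=True)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:  # old log4j-core hidden inside a deployed WAR
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", log4j_core_jar("2.14.1"))
    with open(os.path.join(root, "webapps", "legacy.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:  # patched copy
        fh.write(log4j_core_jar("2.17.1"))
    with open(os.path.join(root, "shaded-app.jar"), "wb") as fh:  # repackaged, metadata stripped
        fh.write(log4j_core_jar(None, with_pom=False))


def run_demo() -> list:
    """Build the sample tree in a temp directory and scan it; returns findings sorted by path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_demo_tree(root)
    return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for f in run_demo():
        flag = "ATTENTION" if f["needs_attention"] else "ok"
        print(f"{flag:9} {f['version'] or 'unknown':8} jndi={f['jndi_lookup']}  {f['path']}")
```

Run against a real estate, scan_tree() should be pointed at application server directories, container image layers and vendor appliance exports, not just developer machines; the finding for the WAR in the demo is the case that file-name inventories miss, and the shaded jar with no version metadata is the case that version-only checks miss. A clean result from this script does not clear a third-party hosted service: for those, the supplier has to answer the same question.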
10 Questions for the board to ask
The blog provides advice for board members of medium and large organisations, recognising that senior managers will need to work with their technical teams to understand their organisation’s exposure and take appropriate action to mitigate the risk. It suggests a set of 10 questions for the board to ask their IT teams. These range from basic incident response questions such as ‘who is leading our response’, ‘what is our plan’ and ‘when did we last check our business continuity plans’ to more specific, technical points. The latter include:
- Does anyone in our organisation develop Java code: Log4j is frequently used in enterprise Java software, and because it is a library bundled inside applications rather than a separately installed product, in-house Java projects need to be checked for it directly.
- How are we addressing shadow IT/appliances: it is harder to mitigate risks when the IT in use is not a corporately managed asset, and increased working from home as a result of the pandemic has increased the use of shadow IT.
- Do we know if key providers are affected, and are they monitoring and mitigating this risk (for example, have available patches been applied): the supply chain is a key risk to consider in any cyber mitigation plan, and the response to Log4j is no different. The NCSC suggests engaging with key suppliers, particularly those with remote admin access to your systems.
A full list of the questions can be found in the blog and is set out below. More general information on the Log4j threat can be found in the NCSC’s publication ‘Log4j vulnerability – what everyone needs to know’.
It is interesting that the blog addresses boards directly. The government, and the NCSC, have for some time emphasised both the seriousness of the cyber threat to the UK and that organisations should treat cyber risk as a board-level issue. The NCSC is now backing up this expectation with guidance for boards, both in short blogs such as this one and in its boardroom toolkit (which is currently in the process of being updated - see my blog from last year). While some of this guidance may be on the slightly obvious side, other aspects highlight the NCSC's expectation that boards understand some of the more technical issues facing their organisations.
NCSC questions for boards regarding the Log4j threat:
‘Log4Shell [is] potentially the most severe computer vulnerability in years... Managing this risk requires strong leadership, with senior managers working in concert with technical teams to initially understand their organisation’s exposure, and then to take appropriate actions.’