Lancashire & South Cumbria NHS Foundation Trust
Tameside Metropolitan Borough Council – NAFN Data and Intelligence Services
Chorley Council and South Ribble Borough Council
zED with zED to the Max
Original Initiative that Inspired your Project
The system is based on the work of zED, the email scanner created by Bruce Thompson from CTAG, and the work by Matt Smith to visualise that data for WARP consumption. This original system allows organizations to assess the email hygiene of their peers and suppliers. We have built upon and added to the original system and created extra automated functionality. The aim of the project is that staff who are communicating via email have access to real-time information on the recipient's email hygiene. This would allow for a dynamic view on a weekly basis of which email domains are trustworthy and which are not. It should also be easy for non-technical staff to use and understand. There was also the issue that previous allow lists using Enforced Encryption had become unusable due to various email migrations in our region. Finally, there has been a range of new guidelines based around opportunistic encryption, anti-spoofing technology and MTA-STS.
Out of this came a simple idea: zED already has all of this information, and we could use it to help our staff determine who was safe to send to and improve our supply chain security as well. The system can check hundreds of thousands of email domains at the same time. Essentially we have a scheduled script which:
- Collects the original zED report each week.
- Creates a file for the Outlook button to reference. The file has two fields, domain name and whether this is Trustworthy or Unsafe.
- Gets a 7-day report of delivered email from Exchange Online, determines new domains to add to zED, validates them and sends them to zED.
- Creates a domain breakdown report which adds the zED Trust Rating and score to each email sent.

With this script output we can create:
- A button in Outlook that can inform whether recipient domains are Trustworthy or Unsafe, just before sending.
- A website that can do the same in bulk, but can also inform if the domain is Unknown.
- Another website (a set of tooling) to help with creating content for supply chain investigations.
- Analysis of all email sent in terms of number of emails sent by domain, safety and recipient type. We currently have two websites for this: the rolling 7-day analysis and one that holds all (all-time) breakdown reports.
- A dashboard highlighting the top safe and unsafe email domains.
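The data flow of the scheduled script described above, as an added Python example that is not the project's own code. The page does not show the zED report or Exchange Online report formats, so the layouts, sample rows and function names here are constructed assumptions.

```python
# Constructed sample data; real zED and Exchange Online layouts are assumed.
ZED_REPORT = {  # domain -> (trust rating, score)
    "council.example": ("Trustworthy", 92),
    "supplier.example": ("Unsafe", 35),
}
DELIVERED = [  # (sender, recipient) rows from a 7-day delivered-mail report
    ("a@trust.example", "Clerk@Council.Example"),
    ("a@trust.example", "sales@supplier.example"),
    ("b@trust.example", "accounts@supplier.example"),
    ("b@trust.example", "info@newvendor.example"),
    ("b@trust.example", "not-an-address"),
]

def recipient_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower().rstrip(".")

def build_outputs(zed_report, delivered):
    """Produce the lookup file, new-domain list, breakdown and unsafe chart."""
    counts = {}
    for _sender, rcpt in delivered:
        domain = recipient_domain(rcpt)
        if domain:  # malformed recipients are skipped, not guessed at
            counts[domain] = counts.get(domain, 0) + 1

    # Two-field lookup for the Outlook button: domain -> Trustworthy/Unsafe.
    lookup = {d: rating for d, (rating, _score) in zed_report.items()}

    # Domains we emailed that zED has not scanned yet: candidates to submit.
    new_domains = sorted(d for d in counts if d not in lookup)

    # Breakdown: busiest domains first, ties broken alphabetically.
    breakdown = []
    for domain, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        rating, score = zed_report.get(domain, ("Unknown", None))
        breakdown.append({"domain": domain, "emails": n,
                          "rating": rating, "score": score})

    top_unsafe = [r["domain"] for r in breakdown if r["rating"] == "Unsafe"]
    return lookup, new_domains, breakdown, top_unsafe

if __name__ == "__main__":
    for row in build_outputs(ZED_REPORT, DELIVERED)[2]:
        print(row)
```

Recipient domains are normalised to lower case before the join, so `Council.Example` and `council.example` count as one domain, and anything absent from the report is reported as Unknown rather than treated as safe.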
In the vein of zED this is freely available to the public and third sector and the website is available to everyone in the region of the Lancashire and South Cumbria Trust. Other partners across the UK are also beginning to adopt the system.
Adoption and Adaption
It is a major boost to performance for staff to now have a button within Outlook to instantly understand which email domains are trustworthy or unsafe. This is a very effective tool for organisations to assess their supply chain and wider network security, this being one of the biggest issues currently in the cyber security space. It also cuts down our reliance on further encryption products and minimises the pushback which always comes from these clunky solutions.
Teams are also utilising the domain checker to look at the posture of groups of domains for possible new services, which is being well received. It has helped with our withdrawal from NHS.net.
This is also used for assurance that new domains to add to zED, as mentioned above, have actually landed in the latest report. This is a very effective tool for organisations to assess their supply chain and wider network security, this being one of the biggest issues currently in the cyber security space. A recent report said that ‘Half (51%) of UK IT decision-makers across healthcare, education, and government organizations received notification of an attack or vulnerability in their software supply chain in the last twelve months – and 42% took more than a week to recover’. It gives a new way to engage our supply chain in a meaningful way which grabs their attention by highlighting possible vulnerabilities alongside all of the other information security questions during DPIA, etc.
It also supports organisations to better link to the current Cyber Essentials framework, including smaller organisations within the supply chain, by providing them with up-to-date information on the cyber security posture.
The project is making a massive difference and the evidence can be seen in really strong engagement, with many domains having moved from Unsafe to Trustworthy because of this work. Since its inception, a range of public sector organisations have begun to adopt or are looking at adopting the system. As well as the organisations within our Trust, we are also working with Tameside Council, Manchester City Council, Kent West Suffolk and a range of Housing Associations. There is also a huge number of other bodies becoming increasingly interested in the system.
The system helps everyone everywhere: once a domain becomes Trustworthy for everyone, the UK is a little more safe to live and work online. It is also important as it provides a tool to hold organisations to account and can actually help their internal IT teams get support to do necessary work to strengthen their cyber resilience. To tell a short story, we have a leaderboard (from the analysis domain breakdown system) for Trusted and Unsafe domains based on the number of emails sent to them. At the top of our Unsafe chart is an organisation that, when confronted on a Teams call, clearly were not happy to see themselves at number one that week and did admire all that we had put together for them . . . because . . . they had tried to get to Trustworthy but it broke an internal system, so leadership told them to leave it alone. But we were their first partner to confront them and we did need the partnership, so I had given them leverage to go back to leadership and ask for the resource to get to a Trustworthy state, and they thanked us for this. There are other similar stories. The analysis websites have been hugely popular with many groups, particularly those in leadership roles, as a quick way to see where we are from the many metrics put in there.
Organisations in the local public sector can often be very internally focused, but external/supply chain threats are really important and represent one of the greatest threats to cyber security. The wider the system becomes used, the more pressure it puts on supply chain actors to improve security.
It’s also a great example of strong collaborative working with continued support from Bruce Thompson who developed the original system and further partnership working with regional WARPS and other public sector bodies to design and improve the system.
Due to capacity the system is not a supported service for those outside of the Trust. However the open source nature of the system means that organisations can adapt and build on it further to meet their own needs. This creates further opportunities for sharing, collaboration and development.
Supply chain attacks, in particular, can be more costly due to their complexity and the potential for widespread disruption. For instance, the costliest initial attack vectors, such as phishing and business email compromise, can reach up to £4.43 million. Therefore a free to use tool which can help mitigate this is of huge potential value to the local public sector. Particularly when systems bought privately can cost huge sums and also in the current financial conditions that the sector finds itself in.
Level of Impact
This is a completely unique service, both within the public sector and also privately. No one else from what I can see does any of this. I have shown Egress and they will certainly be taking lessons from it. No one is looking at the supply chain posture based on the NCSC secure email guidance. Most organisations have safe lists of domains to send to; however, they are not dynamic and real-time systems like this. Certainly there are none that are made free of charge without extra appliances. NCSC have seen this and are looking at the Outlook button as something they could make and offer to all in the same vein as the phishing button already offered. The fact that we have built this for no licensing cost, in house, between three of us, and that this is so simple, useful and innovative to so many, exceeding original objectives, is very satisfying to us all.
What are the key learning points?
There is a gap in supply chain assurance that this can effectively fill. Our hope would be that many organisations take on this challenge; used across the sectors, we can really get our supply chain in line with regard to the public sector. We have already rolled this out at another hospital, and we are currently engaged with roll-out to a housing association and councils. We have other interested organisations that want this but have not started the full engagement process. There is a ‘lite’ version available for those organisations that do not use Exchange Online.
Additional Evidence or Information
This whole project has been done as an added project on top of our normal roles. This is something we do because we see it is needed and the value it can add.
![5547](https://i-network.org.uk/wp-content/uploads/2024/01/5547.jpg)