I recently got embroiled in a discussion about NHS IT, and commented how people in the NHS need simple, cheap tools to help keep their head above water on maintaining systems, not necessarily complex security tooling.
One practical example raised was website security, with a quick Google search revealing a number of websites under the “nhs.uk” domain which had been compromised by attackers.
It can be hard for people whose main role is clinical or managerial to form a view on if the website vendor is maintaining the website properly, or to get a timely alert if their website is compromised by hackers, or just broken. This is not unique to the NHS, many other people who commission websites need similar tools.
Two tools I’d recommend for these types of users that are free, very easy to use, and low maintenance are:
Google Webmaster tools can tell you a bunch of important but technical stuff about search terms, HTML mark-up, and accessibility which most people not into web design probably won’t understand.
However registering your email against your website tells Google who to contact when they see a problem. That may be a bunch of pages no longer exist, or your Content Management System (WordPress, Drupal etc) is out of date, or they find your website distributing malicious software. It only works for websites that Google is indexing, but that is just fine for most of us.
Sometime the alerts from Google will use technical language, they’ll use “rise in 404 errors” to mean pages have gone missing, but since it is such a popular service you can always search up what the message means if it isn’t obvious.
The sign-up process may be a little fiddly, but they have a selection of methods to prove it is your website so hopefully one will be easy for you.
NHS organisations (and other UK public sector organisations) can also use the NCSC Web Check service. This is a free service from the National Cyber Security Centre, which checks your website is up and that it is configured correctly. Most of the alerts are on availability and correct configuration, but they recently did an urgent alert for a major Drupal security vulnerability. This meant that owners of registered sites affected with the vulnerability got a heads up in a timely fashion that now was a good time to get Drupal upgraded.
The advice is easier to follow, and the support is more personal and customised to UK needs than Google’s service; but perhaps a little less developed.
There is a bias from the NCSC towards the security controls the UK government wants to see on government websites, but the advice is easy to understand and follow, and like Google’s service, not so frequent you are overwhelmed.
If you qualify for NCSC WebCheck, I’d suggest registering for both services.
Neither of these services are going to spot everything going wrong with a website, or replace protective monitoring controls you should have if handling sensitive data on your website. But they provide a practical way for busy people to get some high level feedback on what is happening for less sensitive websites, without expending more time, energy, or money than the task deserves.