BHFT Cyber Security Quiz
1. You are asked to create a secure and memorable password. Which of the below would make the best password for your everyday use?
- joebloggs
- x92nk$5Aa67@zpw%1?9
- Red!Summ3rD0g ✔
- Password123
The strongest password is almost certainly x92nk$5Aa67@zpw%1?9 – but it is so complex you couldn’t expect to remember it, so you would have to write it down. The best password here is Red!Summ3rD0g. It uses three random words, so it is easier to remember, but because you avoid a common phrase it is unlikely to be ‘cracked’. If you routinely swap certain letters for characters (change e to 3, o to 0 etc.) you can create a really safe password that you will remember quite easily. You should avoid names, and simply adding numbers to a password is not recommended as good practice.
2. What is the best approach to setting a password for your work NHS mail account?
- The same password you use for all your accounts, so it’s easily remembered
- A strong and separate password that’s not used for any other system or account at home or at work ✔
- Email accounts are rarely targeted by hackers, so any password will do
Passwords for our online accounts should be really strong and should not be used anywhere else. This is especially true for the password for your email account. If you’ve used the same password across different accounts, cyber criminals only need one password to access all your accounts.
Having a strong and separate password for your email means that if cyber criminals steal the password for one of your less-important accounts, they can’t use it to access your email account. The NCSC encourages people to use password managers, which can create strong passwords for you (and remember them).
If you have re-used your email password across other accounts, change your email password as soon as possible. It should be strong and different to all your other accounts.
Ideally, you should use unique passwords for all your important online accounts (such as banking accounts, shopping/payment accounts and social media accounts), not just your email account.
3. You need to do some online banking with your bank, Your Bank Ltd. Which one of these addresses would you use?
- www.yourbank.co.uk
- https://www.yourbank.co.uk ✔
- http://www.yourbank.co.uk
- any of the above – they are all the same
The key point here is to look for a web address that includes https. This means that the site is secure – depending on your browser you may also see a padlock icon.
This means that all information you type is scrambled before being sent and then unscrambled at the other end of the connection – anyone snooping on the connection will only see gibberish. Lots of websites don’t need to be secure if they are just displaying non-confidential information, so don’t worry if you visit a site that just shows http…
But never enter any sensitive, confidential or personal information unless you see the padlock or https – everything you type is being sent in plain text and could be seen by a hacker ‘sniffing website traffic’.
If in doubt, don’t follow links in emails – use a reputable search engine to look for the site you are interested in and follow the link from the search engine.
4. You receive an email asking you to click the link shown (in the survey) – What should you do?
- Click the link – It looks safe
- Copy the link and paste it into my browser
- Do not click the link – It looks unsafe ✔
- I don’t know
This link is not safe – when you hover over a link, most browsers will display the destination that you will be taken to when you click your mouse. In this case the innocent-looking surveymonkey link is going to take you to a suspicious-looking Russian website (.ru).
You may also receive emails where the true identity of the sender is hidden – for example, if you bank with Barclays, you may receive an email that looks like it is from Barclays, but the full email address is help@barclaysbank.nastyscammers.com. Read the address from right to left – the true sender in this example is nastyscammers.com, not Barclays Bank.
Be careful to read the full link or email address and if you are ever in doubt regarding a link, don’t click it.
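The two checks described in questions 3 and 4 (look for https, then read the host name from right to left to find who really owns it) can be done mechanically. The script below is an added example written for this page, not part of the quiz or the Trust’s own tooling. It assumes a deliberately short, constructed list of multi-label public suffixes such as co.uk (a real check would use the full Public Suffix List), and the surveymonkey-style link it tests is a constructed sample, not the one from the survey.

```python
"""Apply the quiz's link checks: is the link https, and who really owns the host?

Sample addresses below are constructed for this example; the suffix list is a
deliberately incomplete assumption (the real Public Suffix List is far longer).
"""
from urllib.parse import urlsplit

# Assumption: a tiny hand-picked set of suffixes that take two labels themselves,
# so that 'yourbank.co.uk' is read as the owner rather than 'co.uk'.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "nhs.uk"}


def registrable_domain(host: str) -> str:
    """Read a host name from right to left and return the part that names its owner.

    'barclaysbank.nastyscammers.com' -> 'nastyscammers.com'
    'www.yourbank.co.uk'             -> 'yourbank.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    # If the last two labels are themselves a public suffix, the owner is three labels long.
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    """Owner domain of an e-mail address: everything after the last '@', read right to left."""
    host = address.rsplit("@", 1)[-1].strip(" <>")
    return registrable_domain(host)


def check_link(url: str, expected_domain: str) -> dict:
    """Return the quiz's two verdicts for a link: uses_https and owner_matches."""
    # urlsplit needs a scheme separator to treat the first part as a host, so add '//'
    # when the user typed a bare address such as 'www.yourbank.co.uk'.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    return {
        "scheme": parts.scheme,
        "uses_https": parts.scheme == "https",
        "host": host,
        "owner_domain": owner,
        "owner_matches": owner == expected_domain.lower(),
    }


if __name__ == "__main__":
    # Constructed samples: the quiz's bank addresses plus a look-alike survey link.
    for url in ("www.yourbank.co.uk", "https://www.yourbank.co.uk", "http://www.yourbank.co.uk"):
        print(url, check_link(url, "yourbank.co.uk"))
    print(check_link("https://surveymonkey.com.example.ru/s/12345", "surveymonkey.com"))
    print("sender really is:", sender_domain("help@barclaysbank.nastyscammers.com"))
```

Only the result with both `uses_https` and `owner_matches` true passes the quiz’s checks; a look-alike host that merely starts with a familiar name fails on `owner_matches` because the owner is read from the right-hand end.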
5. Where you have had a barrier to delivering work, which of the following actions have you taken to get the job done? Please tick any that apply.
6. Please use this text box to include details of any other workarounds you have used.
These questions are designed to identify where staff feel that they have no option but to circumvent the rules. It is recognised that staff will focus on doing what they need to do to get the job done – and if there are barriers in their way (including lack of equipment or unwieldy systems and processes) it is human nature to look for workarounds. We are grateful to all staff that completed this question honestly.
7. Which of the following statements are correct when using social media in the workplace? Please tick the statement you think is TRUE:
- I am allowed to use my personal social media during work time
- Sharing a positive public update or announcement from the Trust’s corporate account ✔
- Uploading patient/personal identifiable data via social media
You should not use personal social media during work time or within the workplace; this is against the Trust’s social media policy.
Sharing a positive public update or announcement from the Trust can amplify the reach and authenticity of the message. It shows a sense of pride and ownership and promotes the organisation as a desirable place to work. Posts from the Trust’s corporate account can only be made through the communications department.
You should regularly review your privacy settings on your social media accounts to ensure how much of your information is accessible to any other users, not only patients/customers who you have interacted with.
Even on your own personal social media account, what you share reflects on your professional reputation and should always be considered.
8. You receive an email from an NHS account associated with another organisation. The email suggests that your account will be disabled unless you log in. You follow the link and are then presented with a page that appears to be a Microsoft login screen – what do you do?
- Forward it to colleagues for advice
- Enter your credentials as you do not want to lose access to your account
- Reply to the email requesting further advice
- Report this to the IT department as potential spam ✔
The correct answer is to report this to your IT department, either by contacting them or using the ‘Report Phishing’ button in Outlook. NHSmail accounts can become compromised by staff entering their details into a phishing link. Once the attacker has those details, messages can be sent from a genuine NHSmail account that is now used by a malicious actor. They will embed links in the email to fake websites attempting to harvest credentials such as email passwords.
9. An individual has phoned you stating they are from the IT department and asks you for your password. What do you do?
- Refuse and let the IT department know via phone or email. ✔
- You need the computer fixing urgently so give the caller the password.
- Refer to your manager. ✔
- Put down the phone immediately. ✔
The incorrect answer is to give the caller the password. If IT need access to your account they have secure administrative tools or elevated privileges that mean they can reset your account without needing your password. Providing a caller with your password, no matter how legitimate the request seems, could lead to account compromise and give someone inappropriate access to the Trust’s systems and sensitive data. The other three options are correct. Ringing the IT department would confirm that they wouldn’t request your password. It’s also good practice to let the IT department know about any phishing attempts.
Questions 10 to 14 are survey-based questions, so there is no right or wrong answer.
Important information: What to do if you think that a cyber-attack or security breach may be underway, or the organisation may be at immediate risk of an attack: