For many boards and executives, cyber security is a matter for the IT crowd. It’s mildly interesting, and we read the news with mixed horror and fascination about ransom attacks on large companies. It’s probably there somewhere on the risk map and gets occasional attention from the risk and audit committee. But recent events have surely pushed cyber security right up the governance agenda. Housing providers, charities and local government have all been hit by ransom attacks. Others have experienced serious data breaches, sometimes without any malign external agency – unforced errors, as it were.
As it turns out, the first ransom attack was in 1989, using floppy disks. The risk of an attack has risen ever since and quadrupled in the last decade, not least because of certain authoritarian states which sponsor, or at least tolerate, cyber crime. A few weeks ago, the entire health system in the Republic of Ireland was affected by an attack. For some companies, cyber crime has proved an existential risk, with insolvency the eventual consequence.
Weapons of war
On the international stage, cyber attacks have effectively become a weapon of war – just remember the Israeli sabotage of the Iranian nuclear programme. It’s even conceivable that an attack could bring down a major financial institution or, in an extreme case, the entire financial system. To make it more personal, how much would you pay to be released from imprisonment in your smart car or even from your smart home?
The consequences of an attack can therefore be serious. Lives could be lost. Paying the ransom might turn out to be the lesser of various evils, and some UK and other firms have already paid vast sums in cypto-currency ransoms. Personal data can be lost or abused, with business processes disrupted for weeks or even months. Litigation can often follow. The costs and disruption can be huge. And the risk is not just to organisations, but to tenants and service users as well.
A global dark industry at work
Cyber crime has become a global dark industry, alongside illegal drugs, people smuggling and extortion. It is parasitical, remorseless and powerful. Annual ‘turnover’ may be as much as $20 billion, although that is hard to quantify for obvious reasons. As with any other industry, there is assiduous attention to branding; we have all now heard of ‘SolarWinds’, ‘NotPetya’, ‘SoBig’, ‘WannaCry’ and many more besides. And the pandemic, with so much remote working, has opened up new vulnerabilities which have been eagerly exploited.
The key point here is that there can be no fully-effective protection from attack. Precautions are important, of course, but there are many points of vulnerability, some of them inherent in the software systems we use. Human error and corner-cutting add to the risk and can never be eliminated completely. It’s therefore necessary to assume that every organisation may be affected at some point in the future and perhaps held to ransom for its data. Several of our clients, in housing and other sectors, have already been affected in various ways.
What’s to be done? First of all, every housing board and their relevant committees need to give this their full attention. To do this, they will need access to deep expertise. Indeed, it’s becoming highly desirable, if not essential, to have such skills represented among non-executives. Leadership skills are also important; more and more organisations are creating executive-level posts for the chief information officer. Relentless curiosity, scrutiny and questioning need to become the order of the day.
Assume the inevitable
We must assume that cyber crime will happen to us one day. So part of the agenda should be about preparing for such an event; there is some excellent guidance in earlier editions of Housing Technology about the best ways of reacting once the enemy has already breached the outer walls. And don’t use emails to communicate about it – the enemy can read them!
Strong defences should help, but the hackers are smart and well resourced; as the saying goes, it’s more fun to be a pirate than a coastguard. Now is the time to start thinking about back-ups and contingency plans. It would be a good idea to ‘war game’ some scenarios at governance and operational levels. For example, if all of your data were held to ransom and you had to start again from a back-up that was, say, two-months old, how would you go about achieving that? It’s not easy going back now to the Jurassic era of index cards. Ideally, if your data were held to ransom, you would be able to resist the extortionate Bitcoin demand and get back in business relatively quickly, with expenditure and disruption contained within reasonable levels.
It’s about governance, not IT
For boards and risk committees, there are some important questions to consider. One obvious one – are your cyber defences as good as they can be? It may be worth getting some external agency to test them, trying to simulate a hacker attack. A strong and compliant organisational culture is another important line of defence, and this has also been well discussed in previous articles in Housing Technology. However, it goes beyond just your own defences; you also need to consider those of your suppliers and third parties, such as your maintenance contractors with access to some of your systems. Third-party software systems can also be a problem, such as those used for mass mailings.
Another area for attention is that of insurance. After a ransom attack, dealings with insurance companies often becomes contentious because they inevitably look for reasons not to make good the losses. It’s well worth looking at the detail of the relevant policies and also at the track record of your insurance provider in dealing with other clients. As an aside, a recent high-profile victim of a successful ransom attack was in fact one of the major insurers covering cyber risk – and they had to pay up!
The over-riding message here is that this important subject now deserves serious governance bandwidth, based on having access to the necessary expertise and advice, so that proper scrutiny can be done.
The enemy is powerful, well-resourced and busy scanning advanced economies for easy targets. They are the wolves and we are the prey. Housing providers haven’t yet been the main focus but could easily become so.
Now is the time to prepare, test and scrutinise. Yes, it may never happen, but if and when it does, you must be as ready as you can. The danger is indeed clear and present.
James Tickell is a partner at Campbell Tickell.