Many housing providers have embraced rapid digital transformation, yet their cybersecurity maturity hasn’t progressed at the same pace. What can we learn from those whose approaches to cybersecurity are more developed?
Over the years, many of you will have focused on getting the essential elements of your cybersecurity right, including implementing multi-factor authentication (MFA) and the latest security patches. In addition, you’ve probably carried out training to inform staff about how they can play their part in helping to keep your organisation secure. As part of this programme, you may have carried out phishing simulations to help staff identify how an adversary might try to target them to steal their credentials.
10 steps to cybersecurity
Wherever you are on the spectrum of cybersecurity maturity, a good point of reference is the ‘10 steps to cyber security’ framework published by the National Cyber Security Centre (NCSC). The framework has been updated regularly since its introduction in 2012 because the technology we use and the risks we face online continue to change significantly. However, the main themes of the document have remained consistent: understand your organisation’s risks; implement appropriate mitigations; and always prepare for cyber incidents.
So far, so good, but we know that the cyber-threat landscape is becoming increasingly complex and challenging for many housing providers to deal with alone. Knowing the limits of your team’s cybersecurity expertise and how long you could maintain a response in the face of a sustained attack is essential when working out what to do next.
There is a global shortage of cybersecurity professionals, not just in the UK housing sector. The 2022 Cybersecurity Workforce Study reported a gap of over three million cybersecurity professionals worldwide, with a gap of almost 60,000 in the UK. Nearly 70 per cent of cybersecurity workers said that their organisations didn’t have enough skilled staff to provide effective security, and more than half the employees at organisations with recognised workforce shortages thought that staff deficits put them at a ‘moderate’ or ‘extreme’ risk of cyberattack.
Even if your housing provider is fortunate enough to have some cybersecurity skills in-house, running a security operations centre (SOC) around the clock isn’t something that many of you can do. Attackers don’t respect the hours that your staff can cover; they wait for the most opportune times to launch their attacks. This may be in the middle of the night, at weekends or during bank holidays when you’re unlikely to be sitting in front of a console keeping an eye on what’s happening on your network.
Managed detection and response
To cope with this skills shortage and the complexity and scale of today’s threats, we see a growing number of housing providers adopting a more developed and advanced approach to cybersecurity, and choosing to partner with a managed detection and response (MDR) provider such as Sophos.
Sophos’s MDR service provides you with three modes of engagement. We can simply notify you if we see a security incident and let you handle it, we can collaborate and perform security operations such as threat hunting or incident response together, or you can authorise us to take care of everything for you if we see something malicious happening on your network.
Not only do we give you flexibility over what action to take when you discover a threat, but we are also truly vendor agnostic in our ability to work with third-party security tools, enabling you to get the maximum value out of your existing security investments. If you wish to use Sophos’s protection tools, that’s great – or if you want to use what you already have, that’s fine too.
One thing that we can be sure of is that threats will keep coming thick and fast, and they will continue to be too complex for most housing providers to deal with alone.
Getting the fundamental aspects of cyber hygiene and staff training right will only take you so far; in today’s world you need to be on the front foot and take a proactive approach to cybersecurity. Partnering with an MDR provider is an easy way to increase your security and preparedness for future breaches.
Jonathan Lee is the former director of public-sector relations at Sophos.