Housing Technology


An anti-phishing recipe – MFA & security awareness

Link embarked on a transformative cyber-security journey in 2019 by implementing mandatory multi-factor authentication (MFA). This initiative empowered all colleagues to combine their password with a one-time code provided by SMS, voice call or authenticator app. This article delves into the strategic approach taken by Link to fortify its cyber-security posture and reduce the threat of business email compromise.

Phishing threat

Phishing is an incredibly common initial step in cyber attacks. It is estimated that around 90 per cent of all cyber attacks begin with a phishing email. A recent ICO report noted that “56 per cent of businesses and 62 per cent of charities that reported having had breaches or attacks in the past 12 months felt phishing attacks were the most disruptive type of attack.”

The ICO’s report also noted that over 90 per cent of the UK companies responding to its survey had experienced at least one successful email-based phishing attack during 2022, with around a quarter having also reported direct financial losses as a result.

Link’s cyber-security strategy

We continually improve our cyber-security posture across all layers of our defence-in-depth strategy, and at the core of our approach is security awareness to reduce the effectiveness of social engineering attacks. Link maintains a culture that encourages a cyber-conscious workforce, which has proven to directly improve our security posture.

Implementing mandatory MFA

The introduction of mandatory MFA had the potential to be disruptive, so careful planning and support were essential to the success of this change. Creating the ‘rails’ to support colleagues required cohesion between our group leadership team, digital services, communications and learning and development.

Recognising the diverse roles and working patterns within Link, a comprehensive roll-out plan was developed, accounting for office- and field-based roles. The digital services team drafted instructions, facilitated in-person support sessions and had support from across the business which ensured universal adoption of MFA. The chief executive of Link Group, Jon Turner, showed his support by communicating the importance of MFA to the entire workforce. This multifaceted approach kept the change to MFA high on people’s agendas.

Fostering cyber-security awareness

Link prioritises cyber-security awareness training. This is achieved through e-learning paired with instructor-led and web-based annual training, which conveys the rationale behind security controls and empowers employees to identify and report potential cyber threats.

Thanks to our tailored approach to security awareness training, we secured a finalist spot at the Chartered Institute of Housing Excellence Awards in 2019 and at the Housing Technology Awards in 2024. The University of Abertay has also previously shared our security-awareness training materials with the NHS Cyber Fraud Unit.

Phishing reduction efforts

Link is subject to continuous phishing attacks. We have noticed that many ‘credential harvesting’ phishing emails now also try to harvest MFA tokens. Because colleagues across Link consistently and diligently report phishing emails, those reports have informed threat-analysis techniques that inspect all emails for suspicious markers.

This iterative and continuously improving technical process means that most phishing emails never reach an inbox; suspicious emails are quarantined, where they are reviewed multiple times per day by our digital services team. The purpose of the control is to shift the phishing assessment effort toward digital services and reduce the impact of phishing on the wider business.

For example, over a 30-day period we tracked 2,009 suspicious emails sent to Link. 914 were quarantined, 981 were sent to ‘junk’ and only 112 were delivered to mailboxes. Critically, in every case where malware was sent to colleagues (37 times over the past month), every infected email was directed to quarantine.

Phishing playbook

If we widen our view to six months, 430 phishing reports were made using an integrated phishing ‘reporting button’. Where a phishing email is confirmed, we search all mailboxes for that email and remotely remove every copy. This action meant that another 492 phishing emails were remediated and, due to these reports, we identified and neutralised around 30 phishing campaigns where multiple colleagues were targeted. Following our ‘phishing response playbook’, phishing email threats are mitigated, removed and blocked.

Continual improvement

In October 2023, Link enhanced the security and convenience of MFA by eliminating support for insecure methods such as one-time codes provided by voice or text. Drawing on recommendations from Microsoft and industry best practices, we decided to move to support app-based MFA only.

With app-based MFA:

  • The threat of SIM-swapping attacks and SMS interception is avoided.
  • The ‘replay attack’ window is reduced due to the lifespan of one-time MFA codes being reduced from 300 seconds to just 30 seconds.
  • ‘Number matching’ displays a two-digit number during login, which is then entered into the authenticator app.
  • Authenticator apps enhance usability by generating one-time codes without needing a connection, making them functional in poor signal areas.
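
The offline code generation and the short validity window in the list above can be seen in a small sketch. This is an added example, not Link's or Microsoft's code; it assumes the app codes are standard RFC 6238 time-based one-time passwords (HMAC-SHA1, six digits), and `Verifier` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds one code stays valid (the lifespan cited in the list above)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 code: derived from a shared secret and the clock, no network."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side check that accepts each time step at most once.
    Simplification: no allowance for clock drift between phone and server."""

    def __init__(self, secret: bytes, step: int = STEP):
        self.secret, self.step = secret, step
        self.last_used_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if counter <= self.last_used_counter:
            return False  # this step's code was already used: replay
        if not hmac.compare_digest(code, totp(self.secret, now, self.step)):
            return False  # wrong code, or a code from an earlier step
        self.last_used_counter = counter
        return True

def demo() -> dict:
    secret = b"12345678901234567890"  # constructed sample: RFC 6238 test key
    code = totp(secret, 59)           # code displayed at t = 59 s
    v = Verifier(secret)
    return {
        "first_use": v.verify(code, 59),
        "replay_same_step": v.verify(code, 59),
        "one_second_later_next_step": Verifier(secret).verify(code, 60),
        # A 300-second lifespan keeps a code from t = 0 usable at t = 299.
        "step_300_still_valid": Verifier(secret, 300).verify(
            totp(secret, 0, 300), 299),
    }

if __name__ == "__main__":
    print(demo())
```

Tracking the last accepted time step is what closes the replay window inside a single 30-second step; the short step alone only limits how long a harvested code remains usable.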

Link Group remains committed to strengthening its security controls around identity management and continually refining our defence-in-depth approach to cyber security. By adhering to industry best practices and fostering an inclusive culture of cyber awareness, Link strives to uphold the trust placed in us by our customers and stakeholders, safeguarding data integrity and confidentiality.

Gareth Renaud is the senior information security officer at Link Group.

See More On:

  • Housing Association: Link Group
  • Topic: Infrastructure
  • Publication Date: 100 - July 2024
  • Type: Contributed Articles
