
Housing Technology


An anti-phishing recipe – MFA & security awareness

Link embarked on a transformative cyber-security journey in 2019 by implementing mandatory multi-factor authentication (MFA). This initiative empowered all colleagues to combine their password with a one-time code provided by SMS, voice call or authenticator app. This article delves into the strategic approach taken by Link to fortify its cyber-security posture and reduce the threat of business email compromise.

Phishing threat

Phishing is an incredibly common initial step in cyber attacks. It is estimated that around 90 per cent of all cyber attacks begin with a phishing email. A recent ICO report noted that “56 per cent of businesses and 62 per cent of charities that reported having had breaches or attacks in the past 12 months felt phishing attacks were the most disruptive type of attack.”

The ICO’s report also noted that over 90 per cent of the UK companies responding to its survey had experienced at least one successful email-based phishing attack during 2022, with around a quarter having also reported direct financial losses as a result.

Link’s cyber-security strategy

We continually improve our cyber-security posture across all layers of our defence-in-depth strategy, and at the core of our approach is security awareness to reduce the effectiveness of social engineering attacks. Link maintains a culture that encourages a cyber-conscious workforce which has proven to directly improve our security posture.

Implementing mandatory MFA

The introduction of mandatory MFA had the potential to be disruptive, so careful planning and support were essential to the success of this change. Creating the ‘rails’ to support colleagues required cohesion between our group leadership team, digital services, communications and learning and development.

Recognising the diverse roles and working patterns within Link, a comprehensive roll-out plan was developed, accounting for office- and field-based roles. The digital services team drafted instructions, facilitated in-person support sessions and had support from across the business which ensured universal adoption of MFA. The chief executive of Link Group, Jon Turner, showed his support by communicating the importance of MFA to the entire workforce. This multifaceted approach kept the change to MFA high on people’s agendas.

Fostering cyber-security awareness

Link prioritises cyber-security awareness training. This is achieved through e-learning paired with instructor-led and web-based annual training which conveys the rationale behind security controls and empowers employees to identify and report potential cyber threats.

Thanks to our tailored approach to security awareness training, we secured a finalist spot at the Chartered Institute of Housing Excellence Awards in 2019 and at the Housing Technology Awards in 2024. The University of Abertay has also previously shared our security-awareness training materials with the NHS Cyber Fraud Unit.

Phishing reduction efforts

Link is subject to continuous phishing attacks. We have noticed that many ‘credential harvesting’ phishing emails now also try to harvest MFA tokens. Because our colleagues across Link consistently and diligently report phishing emails, their reports have informed threat-analysis techniques that inspect all emails for suspicious markers.

This iterative and continuously improving technical process means that most phishing emails never reach an inbox; suspicious emails are quarantined, where they are reviewed multiple times per day by our digital services team. The purpose of the control is to shift the phishing assessment effort toward digital services and reduce the impact of phishing on the wider business.

For example, over a 30-day period we tracked 2,009 suspicious emails sent to Link. 914 were quarantined, 981 were sent to ‘junk’ and only 112 were delivered to mailboxes. Critically, in every case where malware was sent to colleagues (37 times over the past month), every infected email was directed to quarantine.

Phishing playbook

If we widen our view to six months, 430 phishing reports were made using an integrated phishing ‘reporting button’. Where a phishing email is confirmed, we search all mailboxes for copies of it and remove them remotely. This action meant that another 492 phishing emails were remediated and, thanks to these reports, we identified and neutralised around 30 phishing campaigns in which multiple colleagues were targeted. Following our ‘phishing response playbook’, phishing email threats are mitigated, removed and blocked.

Continual improvement

In October 2023, Link enhanced the security and convenience of MFA by eliminating support for insecure methods such as one-time codes provided by voice or text. Drawing on recommendations from Microsoft and industry best practices, we decided to move to support app-based MFA only.

With app-based MFA:

  • The threat of SIM-swapping attacks and SMS interception is avoided.
  • The ‘replay attack’ window is reduced due to the lifespan of one-time MFA codes being reduced from 300 seconds to just 30 seconds.
  • ‘Number matching’ displays a two-digit number during login, which is then entered into the authenticator app.
  • Authenticator apps enhance usability by generating one-time codes without needing a connection, making them functional in poor signal areas.
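To make the code-lifespan and offline-generation points concrete, here is an added example (not Link's code or configuration) of the standard time-based one-time password scheme from RFC 6238 that authenticator apps use. Treating the 300-second lifetime as a longer time step, the single-use check and the constructed timestamps are assumptions made for the comparison.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: computed from the shared secret and the clock only,
    which is why the app needs no network connection."""
    return hotp(secret, now // step, digits)

class TotpVerifier:
    """Accepts a code only for the current time step, and only once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6):
        self.secret, self.step, self.digits = secret, step, digits
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if counter <= self.last_counter:
            return False  # code for this step was already used
        expected = hotp(self.secret, counter, self.digits)
        if not hmac.compare_digest(expected, code):
            return False
        self.last_counter = counter
        return True

def replay_outcomes(step: int, delay: int) -> tuple:
    """A code issued at t=0 is presented `delay` seconds later, then once more.
    Returns (first_attempt_accepted, second_attempt_accepted)."""
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real key
    issued_at = 0                     # constructed clock value on a step boundary
    verifier = TotpVerifier(secret, step)
    code = totp(secret, issued_at, step)
    first = verifier.verify(code, issued_at + delay)
    second = verifier.verify(code, issued_at + delay + 1)
    return first, second
```

A code presented 45 seconds after issue is rejected with a 30-second step but still accepted with a 300-second one; in both cases a second use inside the window fails only because the verifier records the last accepted step.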

Link Group remains committed to strengthening its security controls around identity management and continually refining our defence-in-depth approach to cyber security. By adhering to industry best practices and fostering an inclusive culture of cyber awareness, Link strives to uphold the trust placed in us by our customers and stakeholders, safeguarding data integrity and confidentiality.

Gareth Renaud is the senior information security officer at Link Group.

See More On:

  • Housing Association: Link Group
  • Topic: Infrastructure
  • Publication Date: 100 - July 2024
  • Type: Contributed Articles
