Without the rapid adoption of digital strategies, it’s difficult to imagine how housing providers would have coped during the pandemic. In a matter of weeks, committed and passionate IT teams rose to the challenge of accelerating the pace of digital transformation across estates, enabling remote working and expanding online service delivery. Unfortunately, though, as I have written about before, increasingly sophisticated cyber criminals have capitalised on the fresh opportunities these changes in working practices have created.
There is no evidence that cyber criminals target the housing sector more than any other. All companies and organisations are considered fair game, from the largest corporations to the smallest charities. Sophos’s report, ‘The IT Security Team: 2021 and beyond’, revealed that half the UK respondents thought that attacks are now too advanced for their organisation’s IT team to deal with on their own, and in a 2021 Ipsos MORI report for the Department for Digital, Culture, Media and Sport (DCMS), 33 per cent of UK businesses said that they are ‘not confident’ in their ability to deal with a breach.
There are reasons why housing providers are increasingly vulnerable. To start with, they hold a large amount of sensitive data about their tenants, such as their birth dates, bank and other financial details, benefits, caring responsibilities, NI numbers and information about their lifestyle and social circumstances.
Also, in the past two years, cyber criminals’ tactics have shifted. Not only do they threaten to encrypt data and demand payment in return for decryption keys (ransomware), but increasingly they exfiltrate valuable personal data and threaten to publish or sell it on the dark web. Loss of data can lead to litigation and housing providers risk further financial losses as law firms take an increasing interest in supporting people who have suffered from a cyber breach.
In addition, due to budgetary constraints, housing providers often don’t have large IT departments or in-house specialist resources to manage the constant stream of cyber threats. IT staff are often generalists tasked with implementing digital change, dealing with legacy systems, providing technical support, liaising with third-party providers and much more. However, cyber-security responsibility also lies with them. Therefore, it’s no surprise that they might struggle to implement a robust cyber defence around the clock.
Yet, a lack of advanced cyber-security skills and resources within organisations doesn’t mean that housing providers can’t be kept safe from threats. While being a target of cyber criminals is a fact of life, being a victim isn’t. So, what practical steps can your organisation take to keep itself secure?
Increase ‘whole organisation’ cyber awareness
Phishing attacks are often the entry point for cyber criminals: in 2019, Sophos reported that 41 per cent of IT professionals encounter them daily. And the DCMS ‘Cyber Security Breaches Survey 2021’ revealed that only 20 per cent of businesses and 14 per cent of charities had tested staff through mock phishing exercises. So, turn your employees into your first line of defence by reinforcing good cyber-hygiene practices and training them to recognise malicious behaviour through phishing simulations. Sophos’s PhishThreat solution can help here.
Reduce your IT security workload
Too often, organisations buy security solutions that prove too complex to use and configure, and the products frequently become ‘shelfware’.
When purchasing cyber-security products, usability should be at the forefront of your mind. Is the solution easy to deploy and maintain, and is it intuitive? Better-designed products reduce workloads, save time and money and ultimately keep your organisation more secure.
Combine in-house and outsourced expertise
Even large and well-resourced businesses can struggle to understand the complexities of today’s threat landscape. For example, in the 2021 DCMS report ‘Cyber security skills in the UK labour market’, a third of all organisations surveyed acknowledged that they had an advanced technical skills gap in areas such as penetration testing, forensic analysis and security architecture. Therefore, it is appealing for housing providers’ stretched IT teams to combine in-house and outsourced expertise by turning to services such as Sophos’s Managed Threat Response (MTR).
MTR is a fully managed, 24/7 threat hunting, detection and remediation service which works alongside your IT staff as an extension of the team.
The security dream team
Our security professionals include analysts, engineers and ethical hackers from a variety of backgrounds, such as the armed forces, law enforcement, the intelligence community, and the public and private sectors. More than just a notification service, Sophos’s MTR team can take targeted actions on your behalf, and because they are so familiar with malicious behaviours, breaches are often resolved within an hour.
As housing providers continue to reap the benefits of digital transformation, they must take stock and assess whether they have the right people, processes and products to stay resilient against today’s advanced cyber threats.
Jonathan Lee is the director of public sector relations at Sophos.