At a recent cyber-awareness event, experts from the National Cyber Crime Unit (part of GCHQ) said that the UK was seen as a low-risk, high-reward environment for cyber attackers, that the majority of crimes are now cyber-dependent or have a cyber angle, and that there needs to be a seismic shift in awareness of cyber-crime to combat the growing threats.
All very alarming, but absolutely true. With our growing dependence on technology and digital communications, every one of the 5.7 million businesses in the UK, including housing providers, their partners and suppliers, is a target for cyber criminals.
With housing providers holding significant amounts of personal and sensitive data as well as being connected to a range of public sector bodies, they are a growing target for cyber criminals. Whether it’s phishing emails, malware attacks, DDoS or old-fashioned scams to find out personal passwords, cyber attacks are increasing all the time. While investment in cyber-security technologies and skills is increasing, staff awareness is still the main area that experts say needs to be addressed because the vast majority of incidents are the result of human error.
Cyber-awareness training is often seen as something that only IT professionals need to have or has been sandwiched into other IT training courses. It is rarely mandatory or an area that all employees are made to focus on. But as the attacks become more proficient and targeted, and as staff become more digital in and out of the office, cyber training can no longer be seen as an IT adjunct or ‘nice to have’.
And it’s not just about one-off courses and subsequent ‘tick box’ learning; ensuring that all levels of your staff understand the threats and implications, and repeating the training regularly, are all key components in the fight against cyber-crime. However, while there are generic cyber-awareness courses, we found that there was nothing that really met the housing sector’s needs and spoke in housing’s ‘language’.
As a result, four housing providers decided to get together to co-design some sector-specific cyber-security and GDPR training. Gentoo, Guinness Partnership, Network Homes and Plymouth Community Homes, working with Matobo (the film-makers behind the BBC’s cyber and GDPR awareness training), co-funded and co-designed ‘Dojo Housing’.
Critical to the collaboration and the final product was the co-design process which saw each housing provider feed into the scripts with housing-related policies and protocols. The scripts went through a number of iterations and were then signed off by each housing association. This ensured that the training was comprehensive, spoken in terms that housing staff understood, using housing-related language.
Matobo then began work on creating engaging visuals and recording a voice-over, underpinned by iterative and clear learning techniques, sound design and so on. The result is ‘Dojo Housing’, the first housing-specific cyber training package.
Paul Sandersfield, head of data governance, Gentoo, said, “Collaborating with other similar-minded housing providers resulted in a great cyber-awareness training package tailored to our needs. It covers everything we need to provide our staff, including modules related to data protection.”
Dojo Housing comprises 12 bite-sized, animated modules, covering areas such as passwords, scams, social media, online services, file sharing, portable devices, offline security and GDPR. It has now been rolled out across all staff at Network Homes, Gentoo, Guinness Partnership and Plymouth Community Homes, and has subsequently been commissioned by Wythenshawe Community Housing and Greenfields Community Housing.
As part of a separate council-led collaboration, a local authority version of the training, Dojo Local Government, was co-designed and produced; it is now being used by over 70 UK councils. In total, over 300,000 housing, council and NHS staff now have access to Dojo awareness training.
It is interesting to note that absolutely every time a new housing provider or council commissions Dojo, they cite the co-design element as the key reason for going ahead because the training package speaks to their staff in terms that they hear every day, that are relevant to their job and the wider business.
In a wider context, the National Cyber Security Centre has a range of guidance and tools for any UK organisation to use, plus weekly threat reports and a team in place to help in a significant cyber emergency. Alongside this, there are 15 regional WARPs (warning, advice and reporting points) helping public sector organisations and their partners defend critical business systems against attacks. There’s even a live DDoS map showing attacks in real time (map.norsecorp.com) which provides a global context to the situation.
For the housing sector, individual awareness of the threats and how to mitigate them needs to be a priority. And as the daily news coverage of cyber-attacks just keeps on coming, it can no longer be seen as someone else’s problem.
Jane Hancer is director of innovation at CC2i.