Housing providers have suffered a spate of cyber-attacks in recent years, some of which have been high-profile, headline-making cases. Cyber-criminals target our sector in an attempt to pillage the vast amounts of personal data held by housing providers and, in some cases, have held the housing provider to ransom.
The most common cyber-attacks
Since June 2022, when the UK’s largest housing provider was hit by a cyber-attack, security has been a huge concern for housing providers. Sadly, the public sector has taken constant beatings of late; years of austerity and the pandemic have drained scarce resources and made building cyber-resilience and cyber-defences an uphill battle for many housing providers.
Compared with organisations with larger security budgets, less-stretched IT teams and modern, well-constructed cyber-security systems, some housing providers may be considered easy targets by cyber-criminals. With that in mind, the common threats to housing providers include:
1. Viruses & malware from third-party devices
Unfortunately, housing providers’ networks are notoriously complex and often outdated (especially in their lack of collaboration and/or integration), so the prevalence of mobile storage devices used to share data across platforms continues to be a problem for IT security teams to keep track of. As a result, housing providers must consider weak endpoint security one of their biggest threats.
Every device connected to the network creates another potential entry point or point of origin for security threats. Sadly, it doesn’t matter how well-secured email and web channels are against malware; if there is an open back door in the form of a third-party device, the entire organisation could be compromised.
2. Employees sharing information
Although most likely due to human error rather than malicious intent, many security breaches within the public sector arise from employees sharing sensitive data with unauthorised recipients, such as third-party suppliers.
This illustrates how easy it is to risk organisational compliance and break GDPR directives. Under GDPR, sending client data to a person without proper authorisation can put the organisation at risk of receiving a fine of up to €20m (or four per cent of turnover, whichever is larger).
Remember, user awareness training sits at the very core of data protection and information security; it is crucial that all employees are educated about and understand how to handle data securely.
3. The need to remotely access data
Especially since the pandemic, many people who need to access information are likely to be working remotely and from a variety of devices.
However, remote connections to a network can be risky because not all devices will be secure and up to date when it comes to security and software. Remember, it only takes a single hacked or infected device to compromise an entire network, infecting hundreds of machines and potentially enabling access to sensitive tenant records.
Furthermore, once criminals breach a system, they can encrypt data to prevent the organisation from accessing it, usually until a ransom fee is paid. This is why software asset management (SAM) is so important: it helps to ensure patches are installed and that unwanted, potentially risky applications such as browser plug-ins or extensions are removed.
4. Outdated technology
Limited budgets, legacy software and a hesitancy to install and learn new systems often mean that ‘everyday IT’ at housing providers is outdated, overly complex, and non-collaborative. The housing sector can also suffer from ‘supplier sprawl’, when organisations attempt to juggle too many IT solutions, vendors and services at once. Not only does this compromise security but it also means that a lot of IT staff resources are needed just to keep things ticking over.
To this end, housing providers might benefit from a service integration and management (SIAM) solution, designed to free individuals from the responsibility of managing resources and suppliers and offering single-contact accountability to ensure all suppliers work together seamlessly. Where it’s not feasible to upgrade to more secure software or where staff don’t want the hassle, it’s possible to minimise the risk of cyber-attacks by adding extra layers of security. If one system is compromised, then a managed detection and response (MDR) service can help contain and remove the threat.
It’s vital for housing providers that confidential tenant data is easily accessible by staff, both onsite and remotely. Combine this with the urgent help that housing providers sometimes need to give (including information sharing), often without time to pause to consider the cyber-security implications, and the risk of a breach increases.
The worry for security professionals is that the devices used to share information aren’t always protected. In a time-critical environment, it doesn’t make sense to have IT teams or information security officers checking or granting access rights. Bear in mind that users accessing data remotely will only need access privileges for the tasks they need to perform. So, if they’re checking their emails, they won’t need to have full admin account privileges; precautions like this limit the chance of admin accounts becoming compromised. Additionally, multi-factor authentication (MFA) solutions can help prevent attacks from compromised credentials or unauthorised users.
To enhance their cyber-maturity quickly, and to gain expert risk mitigation tactics and reporting capabilities, many housing providers will benefit from the insights of a vCISO (a virtual chief information security officer). Always on hand to share strategic insights, meet compliance requirements and manage cyber policies, a vCISO is a cost-effective way for housing providers to access invaluable cyber resources and expertise right off the bat.
Rowan Troy is a senior cyber security consultant at Littlefish.