All organisations, including housing providers and their partners, have had to rush into greatly expanded remote working arrangements because of the Covid-19 lockdown. For some, this has meant expanding existing well-controlled processes. For others, it has meant a panic trajectory where they have had difficulty acquiring equipment and have faced staff resistance. Some staff have struggled to cope with their new circumstances at home and still seek the comfort blanket of familiarity such as access to key systems and printing facilities. This is on top of the non-IT issues such as the health and mental wellbeing of staff and what staff can claim for when working at home.
For most organisations, the focus has been on getting new infrastructures set up, with the emphasis on system performance rather than security concerns and staff training. Tools and processes such as video conferencing that would normally be tested and developed over time so they can be implemented as stable solutions have been rushed into service, sometimes without a proper assessment of the risks and security requirements.
Cyber criminals are very good at reacting to events; the pandemic has become another platform for them to use in scamming people and organisations out of their money, data and privacy. Specific phishing and whaling emails (emails that appear to come from an official source but are in fact not legitimate) have been surfacing, maliciously leveraging the increased global panic as a way to trick people.
Specific examples are as follows:
- Cyber criminals have been masquerading as the World Health Organisation and sending emails designed to acquire personal data.
- The European Central Bank recently issued a formal warning to financial institutions about increases in phishing and other related cyber crimes on the back of Covid-19.
- Researchers at Israeli security firm Check Point reported that the number of registered domains related to Covid-19 had increased since January 2020 with over 4,000 coronavirus-related domains registered globally. Check Point found that over three per cent were malicious, with an additional five per cent being classed as suspicious.
Attention has also been drawn to the massive increase in the use of video calls and collaboration software. The risks associated with these include eavesdropping, hijacking where outsiders ‘invade’ meetings and illegal recordings of calls. Some larger companies and governments have started banning the use of some of the more popular tools, citing concerns about encryption, data harvesting and the national origin of the software.
For most organisations, other IT projects have gone on hold as IT departments struggle with their new workloads. This might include projects to enhance network security or introduce security tools. Their cyber-risk exposure is increased as a result.
Impact on the housing sector
For the social housing sector, Covid-19 has highlighted good practice as well as raising some specific problems. The main challenge is dealing with tenants that may not have IT facilities at home when offices are shut to face-to-face meetings. In theory, existing digital engagement with those tenants that have access to IT should be able to continue but only if the performance of systems isn’t degraded.
Another issue is maintaining the accuracy and security of tenants’ data. If staff are dealing with tenants while at home, care needs to be taken to ensure that their personal data isn’t compromised. An example would be holding tenant data on a potentially unsecure personal laptop. Another very specific issue is the requirement to keep tenant records up to date when they die; bad publicity will surely arise if this is not handled in a timely and sensitive manner.
In terms of cyber risk, it would be catastrophic if housing benefit sent from local authorities to housing providers (notwithstanding universal credit), which could be around 65 per cent of monthly income for some, was intercepted and diverted. Similar concerns have been raised about the interception of links between registered providers and their emergency repairers.
On the plus side, the sector already makes a lot of use of meeting and document collaboration software solutions. This means that registered providers are in a better position to manage their operations than many other sectors.
What are the cyber risks that housing providers might experience in lockdown? These are typically a mix of technology- and people-related risks:
- Unsecured remote working practices have been established because of the speed of their introduction. The rapid addition of remote connections to company’s endpoints means that there is a potential risk that the IT team doesn’t spot untrusted connections. Authentication is a particular concern; how easy is it to confirm who is actually logging in?
- New video tools have been introduced without a full understanding of their risks. For example, it is good to remember that people might record video calls.
- Staff are working in a new environment where they may get complacent about cyber risk. They could easily forget that confidential information is still confidential at home and it should be treated as it would in the office. For example, they might use uncontrolled data sticks or personal cloud storage to store and then access their work. Alternatively, they could print documents which are then left lying around or disposed of incorrectly.
- Because of the difficulty in sourcing company equipment, staff might be using their own devices. Home PCs are rarely as well protected as corporate devices; they are sometimes months out of date in terms of security patches and might not even have AV software on them. They may also fail to back it up.
- The risk of GDPR breaches increases drastically as personal data spreads out and away from the main network.
- Where third parties provide IT services to a registered provider, the provider needs to continue to get assurances about the controls they operate on their behalf. The provider might use the lockdown as an excuse to stop sending assurance reports or cease active monitoring of IT activity.
There are some sensible steps that any housing provider can take to reduce the risk of cyber attacks during the lockdown. As ever, the trick is achieving the right balance of restrictions on users’ behaviour through security hygiene while not crushing their ability to work productively.
Housing staff need to take responsibility for safeguarding data and systems and should therefore do the following:
- Always use company laptops and devices where these are provided; personal devices could be unprotected.
- If they have no choice, they should check that home PCs have up-to-date virus protection installed; a cut-down, free package is better than none at all.
- Whoever owns the equipment, all security updates should be accepted immediately; they are sent for valid reasons, normally in response to specific threats.
- Staff should check their wifi security; a strong password should be in place and this should be changed every now and then.
- Care should be taken to ensure that data is not stored on sites beyond UK GDPR jurisdiction.
- Staff should be careful with emails. Just as in the office environment, they should not follow directions or links from unsolicited emails and should report any suspicious emails to the IT department.
- If printing at home is unavoidable, print-outs should be shredded or otherwise destroyed.
Housing providers need to ensure that they have implemented appropriate technical and process-based controls that are commensurate with the level of perceived risk. Key among these will be staff training and education.
Technical issues for consideration include:
- A good mobile device management (MDM) system is vital in protecting company equipment against compromise and loss. Devices can be monitored, locked and wiped remotely if there is an issue. Similarly, some organisations will allow staff to use personal devices as long as they are registered and subject to a similar set of rules.
- The current situation highlights the advantages of using multi-factor authentication (MFA) to identify and approve connections by staff. Any organisation that doesn’t already use this in some form should surely be looking at it now.
- Email protection features should be enabled if they haven’t already been turned on. Products such as Exchange online protection and Office365 Advanced Threat Protection can provide an extra level of security against potentially malicious emails.
- It is a good idea to review the established arrangements on a regular basis. Housing providers need to ensure that their IT security infrastructure is updated to respond to the latest threats. An example might be known risks and developments in relation to the video tools that are being used. Another example would be firewall settings.
- The performance of the IT infrastructure should be continuously monitored and assessed to ensure it can continue to support the increase in staff numbers working from home. As part of this, data back-up policies and arrangements should be checked to ensure that work is not lost.
The messages given to staff will be absolutely key in helping reduce the cyber-security risk to the organisation. The following are sensible and proven actions that can be taken to engage and protect staff:
- Staff must be reminded of the need to maintain data-quality standards for tenant data, particularly for any more sensitive or time-critical updates.
- Staff must be given the latest home-working policy and demonstrate that they have accepted it, even if a policy has to be written! These should be constantly reviewed to ensure that they remain fit for purpose.
- Staff must be told from whom they should expect advice on Covid-19 and the lockdown – they should be reminded that no message from senior management will require them to enter any personal or company information into previously unknown third-party sites.
- Cyber-security training should be refreshed to make sure that staff know what to do if a problem arises. A ‘hotline’ for staff and clients to escalate concerns and IT issues arising from working at home should be established, and staff need an emergency contact to call if they fall foul of things such as malware and ransomware.
- On the back of this, a robust, tested breach reporting and incident management process is required in order to contain any attacks quickly to minimise operational disruption and reputation damage.
- Communication with staff about new security concerns and good practice on a regular basis is vital.
- C-suite and senior leadership should be specifically trained to look out for phishing and whaling attempts; these threats are often targeted at senior people.
The lockdown has created a unique set of circumstance that cyber attackers will seek to exploit. Organisations have had to react quickly and security may still be playing catch-up as a result.
Just as it would be in a more normal working environment, the human firewall remains both a critical line of defence but also the weakest point of security. Staff-awareness training now assumes an even more important place in the control environment. It is important to keep in touch with staff and make sure they are up to date on the latest threats.
One very important consideration – when things go back to normal, the ‘remote working genie’ isn’t going back into the bottle. One legacy of this lockdown will be that staff will expect to enjoy the flexibility and convenience of remote working when offices reopen. Given this, the sooner the remote-working environment is reviewed and secured, the sooner it can be established as part of the normal working environment. While the overall IT control environment might have been over-ridden in the short term, it’s very important that this isn’t the case in the longer term.
If approached properly, the short-term pain experienced in setting up new processes and technologies can become long-term gain as they are embedded and refined. However, the risk of cyber attacks will always remain and will always need to be addressed.
David Morris is the technology assurance director at RSM Risk Assurance Services.