Cybersecurity – What’s the problem?

The problem is that cybersecurity is everybody’s problem and unless every department is involved in discussions on the solution then no solution will be truly effective.

The USA’s National Association of Corporate Directors (NACD) puts it very well in its Cyber-Risk Oversight Handbook: “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue”.

It’s more than just keeping the bad guys out, more than firewalls and intrusion detection, and more than just spyware and malware. It’s about protecting your corporate integrity, such as making sure that the data your published reports are based on is accurate and unaltered. It’s also about availability, ensuring you, your staff and your tenants can access applications and information as and when needed. It’s about people, their behaviour, sometimes careless and sometimes malicious. And it’s also about prioritisation – what matters most and which information needs the most protection?

In this article, we’ll take a look at the current state of cybersecurity and what organisations should be doing to keep the information they hold secure and private.

What does ‘cyber’ mean?

The word cyber could, depending on the context, be replaced by computer, network, virtual or simply ‘very modern’, but keeping information secure and private is not new. What is new is the multiplicity of ways (‘threat vectors’ in techno-speak) that can be used to access your information.

In the following paragraphs we will look at the threats and the vulnerabilities that together create the risks that threaten the achievement of your objectives with regard to your valuable information (corporate strategies and plans, tenant information, financial information, employee information and so on). We will also look at what can be done to minimise those risks and keep information confidential, accurate and available.

Where are the threats coming from?

Depending on your context and the nature of the information you hold, the chief threats could be one or more of the following:

  • Aggressive competitors;
  • Hostile nation states;
  • Criminal organisations;
  • Hackers and ‘hacktivists’;
  • Disgruntled employees.

What are your vulnerabilities?

To access your information, attackers will exploit your vulnerabilities, so it’s imperative that you’re aware of these and address them. For a typical organisation, the vulnerabilities include:

  • Unpatched flaws in operating systems and applications;
  • Unwitting employees who are unaware of the methods employed by those who would steal and/or corrupt your data;
  • IT system misconfiguration (akin to leaving the back door open);
  • Mobile devices – whether under your control or not, they provide an access point to your information;
  • Supply chains and service providers with poor cyber defences can offer an easy route to your information;
  • Storing data in the cloud – do you know how secure it is?

Risk categories

The risks are what threaten the confidentiality, integrity and availability of your information. They include, but aren’t limited to, the following:

  • Denial of service attack – attacking your systems in a way that prevents legitimate users from accessing your information and systems;
  • Extortion and ransomware – encrypting your data and demanding payment for the decryption key;
  • Data breaches (external or internal);
  • Data changed or manipulated maliciously;
  • Spyware – stealing information and routing it to external parties;
  • Identity theft – criminals masquerading as clients.

Managing your risks

The wide range of threats, vulnerabilities and resulting risks means that the right solution requires a combination of preventative and mitigation measures. As you would expect, many of these have an IT component, but many are dependent on human behaviour and a sound corporate culture.

Preventing undesirable consequences can be achieved by a combination of the following controls:

  • Policies and procedures – set the tone from the top and enforce good practice;
  • Training and awareness – make sure people know your policies and procedures;
  • Verify – train people to recognise attempts at identity theft and to follow strict rules on identity verification;
  • Responsible person – have one person who ‘owns’ information security;
  • Access control – only provide access to as much information as is required;
  • Limited access between systems – only allow as much access as is necessary;
  • Intrusion prevention – do you have secure and robust firewalls?
  • Intrusion detection – do you know if you’re being attacked?
  • Integrity monitoring – do you know if information has been altered?
  • Monitor the traffic – do you know what information is leaving your organisation?
  • Back up your data regularly – know how much you can afford to ‘lose’;
  • Manage all mobile devices that can be used to access your information;
  • Train all employees on good practice when using mobile devices;
  • Get a third party to verify your defences, such as a penetration test;
  • Monitor adherence to your own rules;
  • Incident response plans – have a plan for when it does go wrong.

Solution discussions

On an on-going basis, it’s recommended that a cross-departmental group is formed to discuss how to address the many aspects of information security. You can’t necessarily assume that your IT department understands your business operations, so you therefore can’t assume that they will have addressed all of your information security concerns. By involving people from across the organisation, you can be more confident that the solution(s) will be comprehensive and effective. If people are actively involved in designing a solution to a problem, they are then more likely to own it and implement it.

Some questions that this cross-departmental group should consider and which will help stimulate discussion:

  • What information is sensitive, and how is it identified?
  • Are there rules governing how sensitive information is to be treated?
  • Who decides who has access to what information?
  • How often do managers confirm that the access rights of those reporting to them are correct and appropriate?
  • Have all legal, regulatory and contractual obligations regarding the information you hold been identified, and are there appropriate processes to ensure compliance?
  • Have you outsourced any critical functions or activities? If so, is somebody responsible for ensuring that your service provider has security controls that comply with your policies?
  • Do any of the products or services you sell include access to information systems? If so, are discussions on information security held at an early stage in the development of the products or services so that security can be built in rather than bolted on later?
  • Do you actively restrict what can be downloaded and/or installed on computers?
  • Does your HR department address information security concerns when recruiting or promoting people?
  • Do you have robust processes around the sourcing and retention of information on which key business decisions are made?
  • Do you have robust processes governing the transfer of sensitive data from your organisation to third-party organisations?
  • Is somebody staying abreast of current threats and vulnerabilities and ensuring that your organisation’s defences remain up-to-date?

Reasonable best efforts

And if you do buy cybersecurity risk insurance, remember that the insurance company will still expect you to have employed ‘reasonable best efforts’ to protect and keep secure the information that you hold. Have you?

Gerard Joyce is the CTO of CalQRisk.

See More On:

  • Vendor: CalQRisk
  • Topic: Infrastructure
  • Publication Date: 084 – November 2021
  • Type: Contributed Articles
