I am sure we all remember when public-sector organisations like housing providers held the view that they would never be subject to a cybersecurity attack, with us all assuming that those risks were reserved for financial and private-sector organisations with billion-pound turnovers. After all, of what value was the information held by public-sector organisations; it wasn’t as if you could resell it like you could with company secrets, designs or financial details.
Fast forward to the 21st century and notice how the rhetoric has changed; we now live in a world where cybersecurity attacks are prevalent, and no industry or sector is safe. A simple internet search provides headlines such as:
- A London-based housing provider, with 125,000 homes, was hit by a cyber-attack, with reports on the BBC website that it was “implausible” that a company of its size was still unable to answer its phones 10 weeks after the incident.
- A housing provider in East Anglia took several weeks to recover from a cyber-attack and warned that despite its “quick action”, “some personal customer and staff data had been compromised”.
- A NW-based housing group was a victim of a ransomware attack and a “small amount” of data was compromised, resulting in its systems being offline for several weeks.
- A housing provider in the Midlands was forced to shut down its systems after a “malicious attempt”.
- Some social tenants in London were sent phishing emails by scammers posing as their housing provider’s repairs contractor.
- A local council faced a “catastrophic” attack with a ransomware demand of several million pounds, with the cost of resolution reaching almost £10 million.
- A local authority in London was forced to spend over £12 million in a single year to help it recover from a devastating ransomware attack.
What has changed?
The short answer is – the world has changed!
Many organisations have their key services and systems provisioned in the cloud, including telephone and contact centres, email and calendar, document storage, housing management and finance.
Housing providers rely on these critical applications to conduct everyday business, communicate with customers and partners, and provide self-service digital transactions. But when was a review conducted regarding the security of these applications and how they are accessed?
Many organisations are good at protecting their applications and data when they are in on-premise data centres behind robust corporate firewalls, but have we adapted our security strategies and policies to reflect the demise of on-premise services and the consequent move to cloud services?
Several simple precautions can be taken to significantly reduce the risk of misuse or malicious access, ranging from technical controls to user education. For instance, one public-sector organisation put a cloud-based, self-service application live with tens of thousands of illegal access attempts; fortunately, none were successful, making it crucial that any vulnerabilities in cloud applications and data storage must be reviewed as part of any ‘go live’ acceptance testing and then regularly reviewed. Moving to the cloud doesn’t mean housing providers can abdicate responsibility for data security.
The exposure to threats in cloud services is palpable, and the ‘log4j’ vulnerability in December 2021 meant that many organisations were without key solutions for several weeks; in many cases, these organisations had to resort to paper-based systems.
What happens if your cloud provider ceases trading? You should be aware that applications and data are in the cloud, which is not a mitigation for a business continuity plan (BCP) but rather something that needs a BCP built around it.
The pandemic accelerated the growth of home and hybrid working. Employees no longer sit in offices protected by the corporate firewall but access corporate systems from home using standard telco-provided routers. And if business devices are shared for family use, this poses yet more issues. Hybrid working is with us for the long term and we need to adapt our security systems to accommodate this with a programme of end-user education.
Artificial intelligence and the internet of things both also present a series of risks. IoT can include complex technologies such as Amazon Alexa, Google Home and Apple Siri, but also simple devices which monitor various aspects of the condition of a property.
These technologies provide massive benefits to housing providers and tenants, but it’s vital to acknowledge that each device becomes an entry point onto your computer network and the threats presented must be mitigated.
Cyber-attacks on public-sector organisations are now much more common. Developed and operated by the UK’s National Cyber Security Centre (NCSC), ‘Cyber Essentials’ is considered to be the first step towards a more secure environment, protecting you from 80 per cent of basic cybersecurity breaches (a self-assessment process). ‘Cyber Essentials Plus’ is the highest level of certification and is a more rigorous test of your organisation’s cybersecurity (an external audit is required).
We advise that every organisation handling customer data should have the Cyber Essentials accreditation as a minimum but aim to achieve the Cyber Essential Plus accreditation. Many insurers refuse cover against cyber-attacks if this accreditation hasn’t been achieved.
Recognising the risks and impacts that cyber-attacks can have on housing providers, Altair has partnered with a leading cybersecurity business; between us, we can help you through these early first steps to get your accreditation faster.
The right approach
Once organisations have the basics in place, they need to establish their approach to safeguard their organisation and its customers. The simple three-step approach is protection, detection and response.
Research shows that public-sector organisations spend more money on detection and response than on protection, while many private-sector organisations spend more on protection than on detection and response combined. The reason for this appears to be that the payback on any spending for detection and response is more visible to the business than any spending on protection. And as a rough rule of thumb, housing providers should allocate around 15 per cent of their IT budget for IT security.
In a recent Altair-hosted roundtable, we asked several housing CEOs how confident they were about their IT security. Overwhelmingly, their responses were that their respective IT managers had assured them that they had the right tools to deal with a cyber-attack.
The problem is that the CEOs were asking their IT managers the wrong question. Asking instead, “What are our top-three outstanding security vulnerabilities?” would almost certainly result in very different replies.
What can you do?
There is growing evidence that in ransomware attacks, the perpetrators gain access to systems months in advance of their attack. In this way, they can corrupt backups, gaining assurance that any restore will simply re-introduce them back into the system.
We believe that cyber-attacks and hackers don’t actually break into systems. They simply stroll through an open door that an employee has inadvertently left open; most attacks happen due to open-door vulnerabilities hence the need to invest primarily in protection and education.
Many organisations have introduced multi-factor authentication (MFA) before you can access your trusted systems. Banks and other financial institutions have mandated this and it is a recommended and secure method of locking criminals out. We believe that MFA should be adopted universally across organisations managing personal and/or financial data – protection! Many more aspects of security need to be considered and invested in.
Finally, here’s a quick checklist that you may find helpful:
- Do we have strong IT security policies that are publicised and understood by all employees?
- Do we have an identified data protection officer?
- Do we have an IT security training programme which is mandatory for all employees?
- Have we undertaken a recent penetration test and acted on the recommendations provided?
- Have we identified and documented all locations of personally identifiable information (PII) in our IT systems?
- Do we have a contract for regular external and independent cyber reviews?
- Do we have a cyber-security incident response retainer?
Ian Lever is the director of digital and technology at Altair.