Simple and achievable ways to strengthen your cyber resilience
Tenants may begin to notice that something is up when they try to access their housing provider’s website to check on their housing application, look for a new property, contact their landlord or access any of the other social housing services, only to discover the message, ‘This site is currently unavailable’.
Meanwhile, housing provider’s staff begin their working day but can’t log in to their emails, open their caseloads, update maintenance schedules or respond to enquiries.
A cyber-attack on a housing provider has the potential to cause mass disruption to essential services. It also carries the risk of financial losses or the loss of residents’ extremely sensitive data.
Forthcoming legislation in the shape of the Cyber Security and Resilience Bill has been designed to strengthen and modernise UK cyber defences to protect essential services, critical infrastructure and digital services. It focuses on improving incident response and reporting, expanding resilience standards to include the supply chain, cloud services and managed service providers, and give regulators clear powers of enforcement.
While housing providers may not be directly included in the scope, the regulations will prompt stricter requirements from regulators, insurers and funders and tighter controls on the supply chain that social housing depends on. And, in any case, strengthening cyber resilience shouldn’t be dependent on legislation.
Here I’ve picked five easy wins that will make an immediate difference to improving your security posture and protecting your organisation from attacks.
1. Employ a third-party continuous monitoring tool
We are all co-dependent in the cyber world. If there’s a breach in one place, the chances are that many parties elsewhere in the chain will be affected.
In social housing, this encompasses outsourced services ranging from IT and HR platforms to building maintenance and community engagements. It’s a complex ecosystem of suppliers, contractors and cloud providers that landlords need to be able to trust.
In the past, having visibility over the security posture of the entire supplier network has been challenging, often relying only on an annual questionnaire. However, technology now enables the move to continuous monitoring and far greater visibility.
Through continuous monitoring tools, organisations in the supply chain can share up-to-date security compliance details and credentials in one place. Continuous monitoring should complement (but not replace) due diligence, helping users focus their assurance efforts where the risk is greatest.
Automated risk ratings, attack-surface scanning and vendor-risk dashboards help map the landscape while real-time updates on emerging threats, expired certificates, exposed services and data breaches provide full risk oversight. This even extends to ‘fourth’ parties (the suppliers to your suppliers) so that any weak links, risks or breaches further down the chain can be identified early.
2. Subscribe to threat intelligence feeds
Knowledge sharing is one of the greatest tools in cyber security. There is a community of experts who monitor the dark web and look out for any movements that could spell danger for particular sectors, including housing and local authorities.
Subscribing to threat intelligence feeds is a way to keep abreast of their findings and gain early warnings of emerging tactics, ransomware campaigns, credential leaks or sector-specific malware that could pose a threat. Even without a dedicated cyber team, nominating someone to review these alerts weekly can make a real difference.
There are many feeds and newsletters available, such as the National Cyber Security Centre’s (NCSC) Early Warning Service or via the Cyber Security Information Sharing Partnership. Some of them are free but the most comprehensive feeds are usually paid-for services.
Of course, the real value comes from acting on the intelligence. Indicators of compromise should be fed into intrusion detection systems, while intelligence should shape patching priorities and risk assessments. For resource-constrained housing providers, sharing analysis with partners can help stretch scarce expertise.
3. Engage with your regional ‘cyber cluster’
Throughout the UK, there are regional cyber clusters supported by the Department for Digital, Culture, Media and Sport (DCMS) and the UK Cyber Cluster Collaboration, known as UKC3.
They provide spaces where organisations can share incident indicators, collaborate on training and even coordinate mutual aid during crises. There are lots of free events and services available, so get involved. They can also open access to local university talent pipelines and cyber start-ups.
Engaging in these communities can directly help address the skills and resource gaps that are otherwise a major barrier to resilience. Collaboration like this is one of the strongest force-multipliers available, so it’s important to remember that you are never facing cyber resilience alone.
4. Establish best practice for incident reporting
Reporting can be complicated, especially when there are several different bodies to contact depending on the type of breach, from the NCSC to the Information Commissioner’s Office. Creating a more streamlined approach with a single reporting channel would be beneficial to smaller organisations and those with limited budgets, but that is perhaps something for the future.
Still, the new resilience bill is likely to impose stricter rules on incident reporting, with tighter timeframes and clearer requirements for follow-up actions. Right now, many housing providers have patchy or manual incident reporting processes that make it hard to see patterns or demonstrate compliance.
It’s time to try to standardise and automate reporting, such as defining what counts as an incident, setting SLAs for escalation and embedding reporting templates into service desk workflows. Aligning with the NCSC’s Cyber Incident Response framework is a great starting point because it has lots of free tools that can help you manage your incident reporting successfully.
5. Assume breach
Finally, it’s important to remember that cyber security is a continuous learning process. We will never be perfect or achieve an end-target. As such, the best mindset is to always assume that you have either been breached already or that it will happen imminently.
This will help you to focus on being vigilant in continually testing all possible entry points. It will also mean that you won’t be surprised or unprepared when something does happen.
Even well-defended organisations are compromised. It can come in the form of a seemingly-innocuous email attachment that catches someone off-guard and leads to malicious software entering your network and shutting down essential systems.
Unfortunately, anywhere holding lots of citizen data will be a prime target for ransomware and fraud, so it’s inevitable that there will be attempts to break through. Set up the above practices and work with your staff to embed the behaviours that will improve your cyber resilience.
In social housing, where services underpin community wellbeing, a rapid recovery mindset is just as important as prevention.
Cyber resilience isn’t a single project or policy, it’s a culture of preparedness. Every small step taken today reduces the impact of tomorrow’s inevitable attack.
Renata Vincoletto is the CISO at Civica.
