Although the cyber threats affecting housing providers are no different from those facing most other organisations, the consequences of a successful cyberattack on a social housing organisation are different. During and after a major incident, most organisations worry about protecting their brand’s reputation, trying to keep services running and minimising the damage caused by any data losses. But many of those organisations don’t hold any sensitive personal data, and the services they deliver are a commodity for consumers.
Typical threat actors are organised crime groups, nation states, malicious insiders and hacktivists. A housing provider is unlikely to be specifically targeted by a nation state or an organised crime group; at least half of attacks are opportunistic and haven’t been crafted to target specific housing providers.
Organised crime gangs and individuals, who use tools to automatically scan and attack, are the biggest cyberthreat to most organisations today. Their motives are usually purely financial, so they try to hold any organisation they can to ransom.
Malicious insiders and hacktivists will only target an organisation if they have a good reason to do so (although their reasoning may be misguided). Nevertheless, these groups are generally less capable of creating widespread damage. The best controls for this risk are treating employees with care and respect and making sure that nobody has too many privileges within your IT estate.
What is a ransomware attack and how is it done?
Cybercriminals will attempt to steal funds from a housing provider through social-engineering attacks. More digitally-skilled criminals will use software programmes called ransomware to lock and steal company data. The attackers then demand a ransom to release their control of the resources, or to delete stolen data without releasing it to the public. The data often includes staff and customer addresses, and frequently also private and confidential communications between senior leaders of the organisation.
It is advisable not to pay the ransom, but rather to recover from the incident using disaster recovery processes and to mitigate any damage caused by the data being released. In most cases, criminals get into housing providers’ systems by tricking somebody into giving them initial access, for example via email (phishing) or a phone call to an IT helpdesk, or by finding security gaps in externally-facing IT infrastructure.
How can you protect your assets and data?
Start by training your staff about social engineering and giving them tools to report suspected incidents and attempts to socially engineer them. It also pays to regularly scan your externally-facing infrastructure.
At Quorum Cyber, we’ve observed that housing providers often have the same shortcomings when it comes to data protection. Many comprise a number of smaller organisations glued together through mergers and acquisitions, so permissions in the IT systems don’t reflect what people actually need access to. It’s best to adhere to the three principles of zero trust: verify explicitly; use least-privileged access; and assume breach.
How to improve your security posture
Focus on the impact to your tenants and communities. Housing providers should treat information security in the same way as physical security. Your employees can be the frontline of your defence, so advise them of what they need to do to safeguard your organisation. Ask them to feed back any worries, any suspected information security weaknesses, and any signs of a security incident or breach. Then look at your external security posture, and finally at user permissions. And don’t forget to monitor the security logs of your IT infrastructure.
Cybersecurity and the threat landscape both move fast. Few organisations can keep on top of everything as IT infrastructure becomes ever more complex. It’s therefore advisable to find trusted advisors, internally or externally, who can review your cybersecurity posture against a well-known security framework, such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework.
It’s also good practice to ask the teams who conduct IT and security duties to produce a range of KPIs that show whether controls are being maintained. These would include awareness statistics (everybody needs to be trained), metrics from tests on externally-facing infrastructure, the tracking of IT vulnerabilities in the organisation, and account security (such as take-up statistics for multi-factor authentication).
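As an added illustration of the kind of KPI report described above (this is example code written for this page, not code from the article or from Quorum Cyber), the script below computes awareness-training coverage, MFA take-up and vulnerability-remediation performance from a small constructed staff directory and vulnerability tracker. The staff records, the vulnerability rows and the per-severity SLA days are all assumptions made for the demonstration; a real report would read the same fields from the identity provider and the vulnerability tracker.

```python
"""Security control KPI report (added example, not from the original article).

Computes the control-health indicators the article lists from constructed
sample data: awareness-training coverage, MFA take-up, and whether open
vulnerabilities are being fixed within a remediation SLA.  Every record,
threshold and SLA value below is an assumption made for this demo.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed staff directory: (username, training completed?, MFA enrolled?)
STAFF = [
    ("alice", True, True),
    ("bob", True, False),
    ("carol", True, True),
    ("dave", True, True),
    ("erin", False, False),
]

# Assumed remediation SLA in days per severity (a policy choice for the demo,
# not a figure from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Vulnerability:
    asset: str
    severity: str
    opened: date
    external: bool  # True if the asset is on the externally-facing estate


# Constructed vulnerability tracker rows.
VULNS = [
    Vulnerability("web-portal", "critical", date(2024, 5, 1), True),
    Vulnerability("web-portal", "high", date(2024, 4, 20), True),
    Vulnerability("vpn-gw", "high", date(2024, 5, 10), True),
    Vulnerability("hr-db", "medium", date(2024, 2, 1), False),
    Vulnerability("file-srv", "low", date(2024, 5, 12), False),
]


def percentage(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def training_coverage(staff=STAFF) -> float:
    """Share of staff who have completed awareness training."""
    return percentage(sum(1 for _, trained, _ in staff if trained), len(staff))


def mfa_take_up(staff=STAFF) -> float:
    """Share of accounts enrolled in multi-factor authentication."""
    return percentage(sum(1 for _, _, mfa in staff if mfa), len(staff))


def accounts_missing_mfa(staff=STAFF) -> list[str]:
    """Accounts to chase: enrolled in the directory but not in MFA."""
    return sorted(user for user, _, mfa in staff if not mfa)


def overdue(vulns, today: date) -> list[Vulnerability]:
    """Open vulnerabilities whose age exceeds the SLA for their severity."""
    return [v for v in vulns if (today - v.opened).days > SLA_DAYS[v.severity]]


def kpi_report(staff=STAFF, vulns=VULNS, today: date = date(2024, 5, 15)) -> dict:
    """Assemble the indicators into one dictionary suitable for a dashboard."""
    late = overdue(vulns, today)
    return {
        "training_coverage_pct": training_coverage(staff),
        "mfa_take_up_pct": mfa_take_up(staff),
        "accounts_missing_mfa": accounts_missing_mfa(staff),
        "open_vulns": len(vulns),
        "vulns_overdue": len(late),
        # Overdue items on the external estate are the ones an opportunistic
        # scanner would find first, so they are called out separately.
        "external_vulns_overdue": [v.asset for v in late if v.external],
        "within_sla_pct": percentage(len(vulns) - len(late), len(vulns)),
    }


if __name__ == "__main__":
    print(json.dumps(kpi_report(), indent=2))
```

Running the script prints the report for the constructed data: 80% training coverage, 60% MFA take-up with two named accounts to chase, and two of five vulnerabilities past their SLA, one of them on the externally-facing web portal. The point of splitting out the external overdue items is that they map directly to the article's advice to look at the external posture first.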
Zibby Kwecka is the vCISO lead at Quorum Cyber.