Housing providers have long been enthusiastic adopters of digital transformation strategies. As the pandemic unfolded, third-party property management platforms became essential in ensuring service continuity and maintaining tenant engagement. However, interconnectedness with third parties increases cybersecurity risk; we may have an effective cybersecurity strategy within our own housing organisations, but do we know about the security of our suppliers with whom we interact daily?
Cybercriminals are always trying to identify a weakness in an organisation’s security. Exploiting third-party suppliers’ trusted access to your network or data can be an appealing way for attackers to infiltrate your organisation because their behaviour can often be mistaken for legitimate activity.
Third-party due diligence
Unfortunately, your organisation may be held responsible if you’re breached via a third party. The government’s Sector Risk Profile 2021 states that ‘Boards must also understand the risks of processing personal data with third parties, including the need to undertake due diligence on third parties’ security measures…’. Increasingly, legal firms are ready to act on behalf of tenants when their data is compromised.
The types of supply-chain attacks vary from the more common, such as suppliers being targeted with phishing emails, to the more sophisticated, such as compromised software updates where attackers insert malicious code into legitimate third-party programs that are distributed to clients.
One of the most well-publicised supply-chain attacks in recent times was that of SolarWinds, a US-based IT management company that provides network and infrastructure monitoring services to customers worldwide. In December 2020, one of its cybersecurity clients revealed that it had been compromised via malicious code inserted by hackers into a SolarWinds software update. The breach had begun many months earlier, giving the hackers the luxury of time to spread across many networks. The tainted update is thought to have been downloaded by over 18,000 users, and US government agencies were among the high-profile targets affected. This was an advanced attack, and the threat actors’ ability to hijack legitimate software and remain undetected for months demonstrates how successful supply-chain attacks can be.
Closer to home, in the housing sector, two supply-chain cyberattacks brought third-party providers unwelcome publicity last year.
In July 2021, Liberty Group, which delivers property services to housing providers, was breached in a ransomware attack, resulting in the compromise of a “small amount” of data and systems being taken offline. Those affected were informed and it was reported to the Information Commissioner’s Office. However, a threat analyst from a cybersecurity company claimed to have found exfiltrated data from parent company ForViva on the dark web.
At around the same time, the property technology company Plentific, which runs a dynamic purchasing platform linking housing providers with repairs and maintenance contractors, was also breached in a supply-chain attack. In the UK, Plentific supplied services to four large housing providers – L&Q, Notting Hill Genesis, Peabody and PCHA – all of whom had to inform their residents that they may have received phishing emails asking them to pay for repairs in cryptocurrency.
Protection vs. access
So how can you protect your organisation and tenants from supply-chain attacks while maintaining suppliers’ access to your data and network?
First, assess the security posture of your existing suppliers and business partners by checking their certifications and how they are audited. If they have access to highly sensitive data, carry out a deeper examination of their security measures rather than relying on self-declaration through questionnaires. Second, weed out the weak links in the chain who continually fail to meet your standards, but give the others clear guidance and support on the measures they will need to implement to satisfy your requirements (proportionate to their level of access).
When thinking about future suppliers, ensure that you build security requirements into your contracts, such as Cyber Essentials Plus certification. The NCSC also recommends that you include the ‘right to audit’ and that this should apply to contracts that your suppliers have with others that impact your organisation too.
Good cyber hygiene
Finally, ensure that your organisation has good cyber hygiene by reviewing your own IT security. Review access and application privileges and enable multi-factor authentication where possible. Aim to build trust with your suppliers and continually work together to improve the security of your supply chain – for example, by proactively monitoring their security bulletins.
You cannot entirely insulate your organisation from supply-chain attacks even if you have implemented these measures, but by moving to a more proactive rather than reactive approach to cybersecurity, you can minimise the risk and impact caused.
You should now look to proactively hunt for suspicious activity and potential threats in your network via tools such as Extended Detection and Response (XDR). XDR enables IT teams to identify that activity, prioritise threat indicators and quickly search for potential threats across your network.
Access to cybersecurity skills
However, the most damaging cyber-attacks, such as the SolarWinds hack, tend to be human-led. While XDR has a vital part to play, you still need the right people with the right skills in your organisation to respond to new and emerging threats around the clock. Unfortunately, most organisations don’t have these skills available every minute of the day, so they are increasingly turning to services such as Sophos’s Managed Threat Response (MTR), which supplements your in-house team with expert threat hunters who monitor your environment 24/7/365. The service goes beyond simply notifying you of suspicious behaviour, because the MTR team can take targeted actions on your behalf.
The NCSC has made it clear that supply-chain security weaknesses make organisations highly vulnerable to attack. Mitigate this risk by reviewing your existing suppliers’ cybersecurity measures immediately and, for future contracts, by building in security requirements from the start. If your organisation lacks the time or expertise to carry out threat hunting, then consider using services such as Sophos’s MTR to bolster your defences.
Jonathan Lee is the director of public sector relations at Sophos.