Cyber crime continues to be a pervasive problem for all businesses in the UK, including housing providers whose push to adopt digital services accounts for an increasingly large digital footprint. The estimated cost of cyber crime across the UK is £27bn each year.
Housing providers face unique cyber-security challenges in 2022, owing to several factors. First, the pandemic dramatically shifted the way we work and how cyber criminals operate, and we’re still feeling the effects of this shift even as we return to pre-pandemic working practices. Second, digital adoption has rapidly accelerated over recent years, expanding the threat surface and providing attackers with more avenues for exploitation.
One of the best ways to build greater resiliency against cyber attacks and protect your organisation from reputational damage is by familiarising yourself with the latest security challenges affecting housing providers.
1. Hybrid working is now the norm
Employees are increasingly encouraged to take advantage of cloud-based tools which allow them to work from anywhere and only come into the office when necessary. While this shift was already taking place in many UK organisations pre-pandemic, it was accelerated massively by the 2020 lockdowns.
Two years on, both companies and workers are keen to retain a hybrid-working approach. Tellingly, more than half of UK workers who currently have the choice between remote or office-based working said they would consider leaving their workplace if the company removed the hybrid option.
While hybrid working has many benefits, including increased employee productivity and happiness, it comes with specific risks.
The use of personal devices in the workplace, known as ‘bring your own device’ (BYOD), has become commonplace. BYOD offers greater flexibility to workers, increases workforce mobility and allows organisations to cut software licensing costs and hardware spending.
However, it also opens the doors to significant threats. For example, employees might have poorly configured or vulnerable applications installed on their personal devices, which could expose sensitive business data if exploited. Workers might also download various applications and files that could contain malware.
Home and public wi-fi networks also pose significant risks to people working away from the office. Corporate virtual private networks (VPNs) remain one of the most attractive targets to threat actors and a channel through which to launch wider attacks. To avoid falling victim to this type of attack, companies should focus on making their VPN more secure by leveraging a robust authentication mechanism, enhanced encryption and security protocols.
2. Supply-chain attacks could peak in 2022
Supply-chain attacks, where a hacker infiltrates your IT environment via an external provider, are becoming more common. As organisations have adopted more rigorous approaches to protect their systems from the inside, threat actors have shifted their focus towards softer targets within the supply chain. For example, attackers may choose to target a software, hardware or managed service provider if its security posture is perceived as less robust than that of its client base. In other words, this type of attack targets the weakest link in a chain of trust. Sadly, supply-chain attacks can cause widespread and irreparable damage to both vendor and customer organisations.
Some security experts predict that supply-chain attacks will peak in 2022, leaving many businesses wondering what they can do to protect themselves. Luckily, there are several ways to increase your resilience towards supply-chain attacks, including establishing a cyber supply-chain risk management (C-SCRM) programme, collaborating closely with suppliers and extensively vetting vendors before signing contracts.
3. Ransomware attacks on the rise
Ransomware attacks have been making the headlines for the past few years, and the number of incidents continues to rise. As well as the costs of responding to any incidents, there are also legal liabilities to consider, and rebuilding systems or implementing new ones after an attack can also be very expensive. For example, the attack suffered by Redcar & Cleveland Council in 2020 was reported to have cost £10.4m for the system rebuild.
Ransomware attacks most commonly start with a phishing email containing malicious attachments. However, some aggressive forms of ransomware exploit security vulnerabilities to infiltrate computers without manipulating the behaviour of employees.
In 2022, housing providers will need to be vigilant towards ransomware attacks and implement best practices to protect against them. Remember, you should never pay the ransom; there’s no guarantee you will regain access to your data and you’re more likely to be targeted again in the future.
4. SaaS is a top target for phishing attacks
Phishing attacks are increasingly targeting software-as-a-service (SaaS) suppliers. SaaS tools are undoubtedly helpful to many housing providers, especially in today’s hybrid working environment, because they offer solutions to anyone with internet access.
However, SaaS solutions can pose a significant security threat. For example, if a hacker successfully steals SaaS login credentials during a phishing attack, they have immediate access to the account. Moreover, impersonation becomes more viable when users can authenticate from remote locations. Additionally, obtaining SaaS login credentials is often easier for hackers than obtaining credentials for other accounts. Why? Because these applications often ask end-users to reauthenticate themselves, a rogue request for login credentials often doesn’t raise suspicions.
5. The cyber-security skills shortage
While companies have been aware of the cyber-security skills shortage for several years, the situation continues to worsen in 2022. A recent report found that the UK’s cyber-skills shortage has grown by over a third in just the past 12 months. Moreover, the skills shortage is even more profound in the world of operational technology (OT) security.
Housing providers will find it even more challenging to hire highly skilled information security staff in 2022. However, that doesn’t mean businesses are left powerless and have to fend for themselves. The industry continues to respond to this problem with solutions that help bridge the skills gap. For example, companies are increasingly opting for robust automation tools that perform many of the tasks of IT workers. Additionally, IT managed service providers offering virtual CISO services are becoming increasingly popular for companies struggling to fill their cyber-security vacancies.
Rowan Troy is a senior cyber-security consultant at Littlefish.