
How can housing associations boost their cyber security?

Chris Garrett argues that registered providers should give cyber security governance the priority the risks warrant


The increase in cyberattacks across the social housing sector is giving housing providers plenty to reflect on, particularly in light of new regulatory obligations requiring them to hold more data than ever before, including, perhaps most significantly, about their tenants.

 

The inevitable consequence of holding more data is that housing providers will be bigger targets for cyberattacks. As a result, providers need to ensure their cyber security is up to scratch to protect themselves against this increased risk exposure.

 

Part of this is ensuring that cyber security governance is given the priority the risks warrant.

 

It is essential that housing providers have robust systems and processes in place to mitigate the evolving threats and risks of cyberattacks.



A provider’s first line of defence is its technical controls. These should be kept up to date, and maintained and operated by an appropriately resourced and expert information-security function.

 

This function should be alert and responsive to the ever-changing cyber-threat landscape.

 

Staff training is also very important, so housing providers should ensure they have accessible policies and procedures, such as incident response plans and communication strategies, that are understood, followed and enforced across the organisation.

 

Consideration should also be given to where third parties, such as agents, contractors and suppliers, have been given access to data.

 

Over the past few years, there has been a significant increase in cyber security attacks resulting from vulnerabilities within the supply chain, which can have expensive and long-lasting implications for those affected.

 

Effective governance structures are a key part of this.

 

It is essential that boards have access to relevant expertise. This can be on the board itself, as part of the executive, or on a separate IT steering committee, with a clear chain of accountability and oversight in relation to who is managing data security and how they report back to the board.

 

Cyber security governance – how an organisation controls and directs its approach to cyber security – is an issue that the leaders of all organisations should have grappled with already.

 

Effective cyber security governance helps to coordinate the activities of an organisation. At the other end of the spectrum, poorly implemented governance will be ineffective and will delay cyber security risk decisions.

 

From a legal perspective, effective cyber security governance assists an organisation in ensuring it complies with its obligations under data protection legislation to implement adequate technical and organisational measures to keep personal data secure.

 

It also ensures it complies with contractual and other legal obligations to protect confidential information.

Security decision-making can happen at all levels. To achieve this, an organisation’s senior leadership should use security governance. Guidance from the National Cyber Security Centre offers useful advice on what good cyber security governance looks like. It includes:

 

  • Invest in risk management and trust decision-makers. It is important to have the right risk management resources in place and, once that is done, to trust those who have been appointed to make decisions.
  • Delegate decision-making. Senior management within an organisation, such as the board, will always remain ultimately responsible and accountable. But they should delegate risk management decisions to the individuals with the right security, business and technical knowledge and experience to enable them to make effective risk-management decisions in different business contexts.
  • Deal with complexity and uncertainty. These issues mean there are times when the causes and effects of security risks cannot be identified definitively. To address this, organisations should understand the limitations of the methods they are using to manage security risks and adopt different strategies for security risk management decisions, depending on the context.
  • Develop an effective culture and environment. Part of this involves embedding risk management into business-as-usual processes, so that it is seen as a continuous activity rather than a series of one-off steps.
  • Communicate risk management information effectively. This will include top-down communications which provide overall corporate direction and business strategy to decision-makers. Equally important are bottom-up or lateral communications which share security information that allows for informed risk management decisions to be taken.

 

Part of any organisation’s compliance plans should be the document which you turn to when things go wrong, often referred to as the incident response plan.

 

This will ensure that effective and consistent decisions are taken at a time which may be challenging for all involved.

 

While the nature of a cyber security breach cannot necessarily be predicted, the framework for how an organisation will respond, who will be involved in decision-making and who has authority to take action, can (and should) be thought through in advance.

 

Playing out hypothetical data-breach scenarios in advance can provide confidence that these plans are workable, or identify areas where governance is unclear and needs to be addressed.

 

Chris Garrett is a partner at Winckworth Sherwood
