Richard Holland from Notting Hill Genesis talks through the cyber security challenges facing the housing sector, and how associations can protect themselves and their residents
At the end of 2022, credit ratings agency Standard & Poor’s issued a report warning that UK housing providers will suffer more frequent cyberattacks, and that these attacks are becoming more sophisticated.
The report said that increased financial pressures could mean housing providers are unable to invest in strengthening their IT defences as needed. The net effect of this could be a loss of customer and investor trust, potentially dissuading future investment.
There have been several high-profile ransomware incidents within the housing sector in recent years, including Clarion, Flagship, Bromford and Hackney Council.
As a result, cyber security has shot up housing providers’ risk registers. In my view this is not a moment too soon: the question is no longer if a social housing provider will experience a cyberattack but, rather, when.
So, what are the cyber security challenges facing the housing sector and how can they be addressed so that residents and investors are reassured?
Cyber security threats
Undoubtedly the favoured tactic of cyber attackers today is the use of ransomware – software designed to corrupt systems and encrypt data until a sum of money is paid.
The biggest concern around cyber security relates to the security practices and capabilities of suppliers to housing providers.
We have seen companies outside the housing sector forced to shell out millions of pounds to cyber criminals just so they can access their systems once more, while relying on being given genuine decryption keys.
As we have seen over the past couple of years, the impact of such attacks on social landlords has varied, but in all cases significant disruption has ensued.
This has variously led to systems being taken offline for prolonged periods and affected residents’ ability to pay their rent. In some instances, this has hit the bottom line as housing providers have made provisions for a loss of rental revenue.
A related impact has been on cyber security insurance, where costs and policy exclusions have both increased, making it difficult to obtain adequate cover.
Notting Hill Genesis (NHG) is a member of Housemark’s Information Security Forum, and several members mentioned that these factors had called into question the value of having the insurance at all.
As mentioned, these threats have led many organisations – including my own – to adopt the mindset of when rather than if they will experience a cyberattack.
The intelligence shared by the National Cyber Security Centre (NCSC) through the Information Security Forum on emerging threats – alongside peer collaboration – is incredibly valuable in preparing our defences.
This, aligned to board support on investment, means NHG has been able to build our cyber resilience.
A key lesson here is the need for a shift in attitudes around cyberattacks. Increased use of digital platforms must be accompanied by planning to improve your cyber security defences.
In days gone by, you may have expected your IT systems to be down for a day or two following an attack, but experience has shown that housing organisations must now plan to be without their systems for two months or more.
Cyber security should be viewed as a priority alongside more traditional issues facing social housing providers, such as repairs and maintenance, damp and mould and tenant engagement.
Raise staff awareness
As part of this, raising staff awareness of cyber security threats is crucial. Information Security Forum members have developed great training programmes to bring cyber security to life.
One of the key learnings is that linking security campaigns with the everyday experience of staff in their personal lives really helps.
For example, quite a few organisations have used big shopping events like Black Friday to highlight the potential for scams and raise awareness of the type of approaches criminals will use.
The most effective method of delivering training in cyber security is through short videos with bite-sized learning.
The NCSC has a free toolkit that provides effective resilience against basic attacks, and it is a great starting point for those at the start of their cyber security planning.
But as the attacks become more sophisticated, the implementation of security monitoring tools is an important next step, as they can monitor suspicious activity and highlight weaknesses in your defences.
Stress-testing
Ensure your system is backed up securely and perform a stress test with various scenarios on your IT systems at least once a year.
The cloud – although it is more secure and provides an added layer of protection – is extremely complex and so there is a risk people don’t configure the cloud correctly.
It would be fair to say there is a skills shortage in IT within the housing sector and so investment in the right people to implement these tools is crucial to an organisation’s cyber health.
Finally, be aware of the software you are buying and vulnerabilities that it may have. This will be a growing threat as organisations rely more on digitisation.
Each third party we do business with as housing providers must also be secure, as it is common for hackers to gain access through supply chain software.
Cyber security is an evolving beast and no organisation is ever in the clear, as the next iteration of an attack could be right around the corner.
Residents and investors know this, but they want to know we are prepared. What we must do as a community is share information and tools to combat these threats, so when an attack does come, the impact is minimised.
Richard Holland, head of IT systems and cyber security, Notting Hill Genesis, and member, Housemark Information Security Forum