Cyber Security – Why the CEO should be worried

Posted: 22nd May 2023 by Ian Lever, Director of Digital & Technology Consultancy

I am sure we all remember when public sector organisations like housing providers shared the opinion that they would never be subject to a cyber security attack, assuming those risks were reserved for financial and private sector organisations with billion-pound turnovers. After all, what value was the information that public sector bodies held? It is not as if you could resell it like you could company secrets, designs or bank account details.

Fast forward to the 21st century and notice how the rhetoric has changed: we now live in a world where cyber security attacks are prevalent, and no industry or sector is safe.

A simple Google search gives headlines such as:

  • A London-based housing association, which owns and manages 125,000 homes, was hit by a cyber-attack. Secretary Suzanne Muner said it was “implausible” that a company of its size was unable to answer its phones, 10 weeks after the incident.
  • A housing association in East Anglia took several weeks to recover from a cyber-attack and warned that, despite its “quick action”, “some personal customer and staff data had been compromised”.
  • A North-West-based housing group was the victim of a ransomware attack in which a ‘small amount’ of data was compromised, resulting in systems being taken offline for several weeks.
  • A Midlands housing association was forced to shut down its systems after a “malicious attempt”.
  • A Yorkshire housing association recently experienced a cyber-incident that affected a number of their systems.
  • Some London housing association residents were sent phishing emails by scammers after a cyber-attack; the emails attempted to defraud them of money by posing as their repairs contractor.
  • A North East council faced a ‘catastrophic’ attack with a ransom demand of several million pounds, and the cost of resolution reached almost £10m.
  • A London-based Council was forced to spend over £12m in a single financial year to help it recover from a devastating ransomware attack, according to a local report.

What has changed 

The short answer is – the world has changed!

Businesses and technology are changing at the fastest rates ever, demanding effective technology solutions, including cloud, agile working and IoT. Many organisations have their key services and systems provisioned in the cloud, including telephone and contact centres, email and calendar, document storage, housing management and finance.

Housing providers rely on these critical applications to conduct everyday business, communicate with customers and partners, and provide self-service digital transactions for their customers. But when was a review last conducted of the security of these applications and of how they are accessed?

Many organisations are good at protecting applications and data that sit in on-premises data centres behind robust corporate firewalls. But have we adapted our security strategy and policies to reflect the demise of that delivery model and the move to cloud services, most often delivered over the Internet?

There are several simple precautions that can be taken to significantly reduce the risk of misuse or malicious access, ranging from technical controls to user education. For instance, one public sector organisation put a cloud-based self-service application live and saw tens of thousands of illegal access attempts; fortunately, none were successful. This makes it crucial that any vulnerabilities in cloud applications and data storage are reviewed as part of “go live” acceptance testing and then reviewed regularly thereafter. Moving to the cloud does not allow organisations to abdicate responsibility for data security!

The exposure to threats in cloud services is palpable: the ‘Log4j’ vulnerability in December 2021 meant that many organisations were without key solutions for several weeks, and in many cases these organisations had to resort to paper-based systems.

What happens if the cloud provider ceases trading? Be aware that having applications and data in the cloud is not in itself a mitigation for a Business Continuity Plan (BCP); it is something that needs a BCP built around it.

The Covid pandemic has accelerated the growth of home working, and now many organisations are adopting hybrid working. Employees no longer sit protected by the corporate firewall in offices but access systems from home using standard telecom provider routers. If business devices are shared for family use, this poses yet more issues. Hybrid working is with us for the long term, and we need to adapt security systems to accommodate this with a programme of end-user education.

Also, Artificial Intelligence (AI) and the Internet of Things (IoT) present a series of risks. IoT can include complex technologies such as Amazon Alexa, Google Home and Apple Siri, but also simple devices which monitor various aspects of the condition of a property (damp, boilers, etc.). These technologies are providing massive benefits to housing providers and customers. They save money through the early identification of problems and can create safer homes, improving the lives of tenants. However, it is vital to acknowledge that each device becomes an entry point onto your computer network, and the threats presented must be mitigated.

First Steps

Cyber-attacks on public sector bodies are now much more prevalent, and there are no signs that the trend is slowing down. Cyber Essentials, developed and operated by the National Cyber Security Centre (NCSC) with UK Government backing, is a self-assessment process that is considered the first step to a more secure environment, protecting you from 80% of basic cyber security breaches.

Cyber Essentials Plus is the highest level of certification offered under the scheme: a more rigorous test of your organisation’s cyber security systems that requires an external audit to confirm your organisation is protected.

We advise that every organisation handling customer data should have Cyber Essentials accreditation at a minimum and should further strive to achieve the Plus accreditation, which requires an external audit of their cyber arrangements. Many insurance companies refuse to insure against cyber-attacks if this accreditation has not been achieved.

Recognising the risks and impacts that cyber-attacks can have on social housing providers, Altair has formed a partnership with a leading cyber-security business; between us, we can help you through these early first steps to get your accreditation quickly.

Approach

Once organisations have the basics in place, they need to establish their approach to safeguard the organisation and its customers. The simple three-step approach is Protection, Detection and Response.

It may seem obvious, but research shows that organisations invest more money in detection and response than in protection. In many private sector organisations this is reversed, with the budget for protection exceeding the budget for detection and response combined. The reason appears to be that the payback on investment in detection and response is more visible to the business than that in protection. Organisations should aim to spend, on average, 15% of their overall IT budget on IT security, with the caveat that this depends on the size of the organisation.

In a recent Altair-hosted roundtable, we asked several social housing CEOs how confident they were in their security. Overwhelmingly, the response was that the IT Manager had assured them they had the right tools in place to deal with an attack.

The problem is that the CEOs were asking the wrong question of their IT Managers. Asking instead what our top three outstanding security vulnerabilities are will require a very different response.

What can organisations do

There is growing evidence that in ransomware attacks the perpetrators gain access to systems months in advance of the attack itself. In this way they can corrupt backups, gaining assurance that any restore will simply re-introduce them into the system.

We believe that cyber-attackers and hackers do not break into systems. They simply stroll through a door that an employee has inadvertently left open. Most attacks happen because of such open-door vulnerabilities, hence the need to invest primarily in protection and education.

Many organisations have introduced multi-factor authentication (MFA) as a requirement before trusted systems can be accessed. Banks and other financial institutions have mandated this, and it is a recommended and secure method of locking criminals out. We believe that MFA should be adopted universally across organisations managing personal and/or financial data – protection! Many more aspects of security need to be considered and invested in. Here is a quick checklist that you may find helpful.

  • Do we have strong IT security policies that are publicised and understood by all employees of the organisation?
  • Do we have an identified Data Protection Officer?
  • Do we have an IT security training programme, which is mandatory for all employees?
  • Have we undertaken a recent penetration test and acted upon the recommendations provided?
  • Have we identified and documented all locations of Personally Identifiable Information (PII) within our IT systems?
  • Do we have a contract for regular external and independent cyber reviews?
  • Do we have a cyber security incident response retainer in place?

Working in partnership with a leading cyber security organisation, Altair can help take you beyond the Cyber Essentials Plus accreditation to help clients understand their vulnerabilities and the actions required. Our Technology experts’ extensive knowledge of housing systems and infrastructures across the housing sector provides our clients with a one-stop shop for all data and information security requirements. If you would like to discuss this opportunity further, contact Director of Digital & Technology, Ian Lever.
