First published in Housing Technology.
Although the cyber threats affecting housing providers are no different to those affecting most other organisations, the consequences of a successful cyber-attack on a social housing organisation are different. During and after a major incident, most organisations worry about protecting their brand’s reputation, trying to keep services running and minimising the damage caused by potential data loss.
Typical cybercriminals are organised crime groups, nation states, hacktivists, and malicious insiders. A social housing organisation is unlikely to be specifically targeted by a nation state or nation-state backed group. At least half of attacks are opportunistic in nature and haven’t been crafted to target specific associations.
Financially motivated cybercriminals, who use tools to automatically scan and attack, are the biggest cyber threat to the housing sector today. Their motives are usually purely financial in nature, so they try to hold any organisation they can to ransom.
Malicious insiders and hacktivists will only target an organisation if they believe they have a very good reason to do so, although that reasoning may on occasion be misguided. These groups are generally less capable of causing widespread damage. The best controls against these threats are treating employees with care and respect and taking a least-privilege approach inside the IT estate.
What is a ransomware attack and how do cybercriminals carry them out?
Cybercriminals will attempt to steal funds from an association through social engineering attacks. More digitally skilled criminals will employ attacks to lock and steal company data using ransomware. The attackers then request a ransom to release their control of the resources or for stolen data to be deleted without releasing it on the dark web. The data often includes staff and customer addresses, but sometimes confidential company information too.
You can learn more about the subject of ransomware in our blog, How to Defend Your Organisation Against Current Ransomware Trends.
It is advisable not to pay the ransom, but rather to recover from the incident using disaster recovery processes and mitigate the damage caused by the data being released. In most cases, criminals get into housing associations’ systems by tricking somebody into giving them initial access – called social engineering. This could be via email, i.e. phishing, or via a phone call to an IT helpdesk, or by finding security gaps in externally facing IT infrastructure.
How can housing associations protect their assets and data?
Start with training staff about social engineering and providing them with tools to report suspected incidents and attempts to socially engineer them. It also pays to regularly scan your externally facing infrastructure.
At Quorum Cyber, our cyber security experts have observed that social housing organisations often have the same shortcomings when it comes to data protection. Many are made up of a range of smaller organisations glued together through mergers and acquisitions. Permissions in the IT systems do not reflect what people need access to. It’s best to adhere to the three principles of zero trust:
- Verify explicitly: always authenticate and authorise everything.
- Use least-privileged access: limit user access with just-in-time and just-enough-access to tighten data security.
- Assume breach: compartmentalise infrastructure to minimise any damage, verify end-to-end encryption and use analytics to detect any threats and strengthen defences.
How to improve your security posture
- Focus on the impact to your tenants and communities.
Housing providers should treat information security in the same way as physical security. Your employees can be the frontline of your defence, so advise them of what they need to do to help safeguard the organisation.
Ask them to feed back their worries and any suspicions of information security weakness they have or any signs of a security incident or breach. Then look at the external security posture, and finally at user permissions. And don’t forget to monitor security logs of the IT infrastructure.
- Ask for expert guidance and advice to build a strong cyber security strategy
Cyber security and the cyber threat landscape move at a fast pace. It is essential to find trusted advisors, inside or outside your organisation, who can review your cyber security posture against a well-known security framework, such as the US’s National Institute of Standards and Technology (NIST) Cyber Security Framework.
- Actively collaborate with your IT and Security teams
It’s also good practice to ask the teams that conduct IT and security duties to come up with a range of Key Performance Indicators (KPIs) that show whether controls are being maintained. These would include awareness statistics (everybody needs to be trained), results of tests on externally facing infrastructure, tracking of IT vulnerabilities across the organisation and account security measures such as multi-factor authentication (MFA) take-up statistics.
Take the first step towards stronger cyber security
With our comprehensive portfolio of services, from managed security, data security and Cyber Resilience Assessment (CRA) through to Incident Response Preparedness and Incident Response Retainer, plus a whole range of professional services including Offensive Security, you can be sure that Quorum Cyber can safeguard your data, your tenants, and your business.
Contact us today to find out how to strengthen your cyber security posture and defend your organisation from cyber-attacks.