The housing sector is now much more aware of the threats posed by cyber-criminals than it used to be. But as attacks increase in frequency and sophistication, and with more staff working either remotely or in a hybrid model, it’s essential that housing providers and their employees remain vigilant and have the ability to adapt to these changes.
In what’s now an unpredictable and sometimes hostile digital environment, it’s important to ensure that end-users’ devices such as laptops and smartphones are secure at all times and that employees don’t succumb to cyber-security fatigue.
It’s often said that it’s not ‘if’ but ‘when’ any organisation will experience a cyber-attack. An organisation might find out because it receives a ransom note, or a cyber-criminal might have stolen data quietly without notifying it. Thankfully, more executive teams are taking action to strengthen their cyber-security and improve their cyber-resilience: their ability to survive whatever is thrown at them and bounce back in better shape from any setbacks.
Awareness, education and training
Employees can be the frontline of defence for any housing provider. Regular cyber-security training for remote employees is essential; it’s good practice to show them how to identify the latest social engineering tactics and phishing attacks, and test their ability to spot malicious messages. It’s estimated that phishing attempts comprised around 25 per cent of all cyber-attacks in 2022 and 2023.
While the old approach to cyber-security was to build a wall around the organisation’s assets and assume nothing breaks through, this method is now well and truly redundant. IT estates are complex and often huge, so the optimum approach now is to monitor all assets regularly and assume that adversaries do get through anyway. No business is failsafe all of the time, so it’s best to work on the basis of ‘not if, but when’.
Many organisations have adopted the zero-trust model; this has three principles:
- Verify explicitly – always authenticate and authorise everything;
- Use least-privileged access – limit user access with just-in-time and just-enough-access to tighten data security;
- Assume breach – compartmentalise your infrastructure to minimise any damage, verify end-to-end encryption and use analytics to detect any threats and strengthen defences.
The vast majority of threats will be minimised by following these principles.
Adopt a cyber-security culture
By creating a culture of cyber-security in the boardroom and cascading it down through every department and team, every employee should gain the right mindset to protect the housing provider’s assets, data, tenants’ data and, ultimately, its own reputation with its stakeholders and with the wider housing sector.
As 2024 unfolds, we can expect more organisations to adopt a cyber-security culture and embed zero-trust principles. Many are also planning compulsory cyber-security training for all staff.
For housing providers, the ability to thrive in an era of hybrid and remote working is achieved by optimising their security culture, prioritising security training and fostering security collaboration with others in the sector. There are many benefits to be gained from combining efforts with others in the sector to act on threat intelligence and bolster security through these partnerships.
Scott Burman is head of advisory at Quorum Cyber.