Link embarked on a transformative cyber-security journey in 2019 by implementing mandatory multi-factor authentication (MFA). This initiative empowered all colleagues to combine their password with a one-time code provided by SMS, voice call or authenticator app. This article delves into the strategic approach taken by Link to fortify its cyber-security posture and reduce the threat of business email compromise.
Phishing threat
Phishing is an incredibly common initial step in cyber attacks. It is estimated that around 90 per cent of all cyber attacks begin with a phishing email. A recent ICO report noted that “56 per cent of businesses and 62 per cent of charities that reported having had breaches or attacks in the past 12 months felt phishing attacks were the most disruptive type of attack.”
The ICO’s report also noted that over 90 per cent of the UK companies responding to its survey had experienced at least one successful email-based phishing attack during 2022, with around a quarter having also reported direct financial losses as a result.
Link’s cyber-security strategy
We continually improve our cyber-security posture across all layers of our defence-in-depth strategy, and at the core of our approach is security awareness to reduce the effectiveness of social engineering attacks. Link maintains a culture that encourages a cyber-conscious workforce, and this has proven to directly improve our security posture.
Implementing mandatory MFA
The introduction of mandatory MFA had the potential to be disruptive, so careful planning and support were essential to the success of this change. Creating the ‘rails’ to support colleagues required cohesion between our group leadership team, digital services, communications, and learning and development.
Recognising the diverse roles and working patterns within Link, a comprehensive roll-out plan was developed, accounting for office- and field-based roles. The digital services team drafted instructions, facilitated in-person support sessions and had support from across the business which ensured universal adoption of MFA. The chief executive of Link Group, Jon Turner, showed his support by communicating the importance of MFA to the entire workforce. This multifaceted approach kept the change to MFA high on people’s agendas.
Fostering cyber-security awareness
Link prioritises cyber-security awareness training. This is achieved through e-learning paired with instructor-led and web-based annual training which conveys the rationale behind security controls and empowers employees to identify and report potential cyber threats.
Thanks to our tailored approach to security awareness training, we secured a finalist spot at the Chartered Institute of Housing Excellence Awards in 2019 and at the Housing Technology Awards in 2024. The University of Abertay has also previously shared our security-awareness training materials with the NHS Cyber Fraud Unit.
Phishing reduction efforts
Link is subject to continuous phishing attacks. We have noticed that many ‘credential harvesting’ phishing emails now also try to harvest MFA tokens. Thanks to our colleagues across Link consistently and diligently reporting phishing emails, the reports have informed threat analysis techniques which serve to inspect all emails for suspicious markers.
This iterative, continuously improving technical process means that most phishing emails never reach an inbox; suspicious emails are quarantined, where they are reviewed multiple times per day by our digital services team. The purpose of the control is to shift the phishing assessment effort towards digital services and reduce the impact of phishing on the wider business.
For example, over a 30-day period we tracked 2,009 suspicious emails sent to Link. 914 were quarantined, 981 were sent to ‘junk’ and only 112 were delivered to mailboxes. Critically, in every case where malware was sent to colleagues (37 times over the past month), every infected email was directed to quarantine.
Phishing playbook
If we widen our view to six months, 430 phishing reports were made using an integrated phishing ‘reporting button’. In cases where a phishing email is confirmed, we search all mailboxes for the email and remove it remotely. This action meant that another 492 phishing emails were remediated and, thanks to these reports, we identified and neutralised around 30 phishing campaigns in which multiple colleagues were targeted. Following our ‘phishing response playbook’, phishing email threats are mitigated, removed and blocked.
Continual improvement
In October 2023, Link enhanced the security and convenience of MFA by eliminating support for insecure methods such as one-time codes delivered by voice call or text message. Drawing on recommendations from Microsoft and industry best practice, we moved to supporting app-based MFA only.
With app-based MFA:
- The threat of SIM-swapping attacks and SMS interception is avoided.
- The ‘replay attack’ window is reduced due to the lifespan of one-time MFA codes being reduced from 300 seconds to just 30 seconds.
- ‘Number matching’ displays a two-digit number during login, which is then entered into the authenticator app.
- Authenticator apps enhance usability by generating one-time codes without needing a connection, making them functional in poor signal areas.
Link Group remains committed to strengthening its security controls around identity management and continually refining our defence-in-depth approach to cyber security. By adhering to industry best practices and fostering an inclusive culture of cyber awareness, Link strives to uphold the trust placed in us by our customers and stakeholders, safeguarding data integrity and confidentiality.
Gareth Renaud is the senior information security officer at Link Group.