The housing sector is a tempting target for cyber criminals. With an estimated 2.4 million homes under management in the UK, we know that housing providers hold a wealth of confidential and sensitive data of the sort that is stolen in droves every year, such as phone numbers, bank details, addresses and other personally-identifiable information (PII).
Successful data breaches which leak these kinds of records can be a very profitable business for cyber criminals because PII is a hot commodity on the ‘dark’ web and can be sold on for all kinds of malicious uses, from identity theft and account takeovers to spear-phishing and extortion.
Our cyber team has recently been considering the benefits of a Microsoft environment security assessment for public-sector organisations. Acting as a security health-check for housing providers, the majority of which run Microsoft 365 at their core, this assessment would allow housing providers to understand their cyber vulnerabilities and overall security stance, as well as take positive action to improve the maturity of their long-term security.
The benefits of this, including cost savings, documenting compliance and steering cultural change by increasing cyber-security awareness, are all worthwhile reasons for housing providers to consider a Microsoft environment security assessment. The assessments can also inform where technology investments should be made for the maximum return in terms of security.
Still, there’s more to be said about the housing sector’s particular cyber-security concerns in 2023, especially because the public sector continues to face an uphill battle against years of austerity, lingering pandemic ramifications, inflation and other geopolitical events impeding its resources.
Indeed, compared to other organisations with larger budgets for security, less-stretched IT teams, and more modern, strategic cyber-security systems, the housing sector’s key security risks call for closer inspection. Below, we consider four ways a Microsoft environment security assessment targets housing providers’ key cyber-security concerns.
Viruses & malware from third-party devices
Many housing providers’ networks are complex and outdated (i.e. they don’t collaborate seamlessly) so the prevalence of mobile storage devices (such as USB/flash drives) used to share data across different platforms continues to be a problem when it comes to endpoint security.
This makes sense because, unfortunately, it doesn’t matter how well-secured email and web channels are against malware, if there is an open back-door in the form of a third-party device, the entire organisation is at risk.
A Microsoft security assessment can help housing providers better manage their endpoints by highlighting their vulnerabilities across the entire attack surface and helping IT teams keep track of what endpoint security measures are in place and, indeed, whether these require improvements or upgrades.
Sharing information
Although they are likely to be due to human error rather than malicious intent, many security breaches in the public sector happen because of employees sharing sensitive data with unauthorised recipients such colleagues or suppliers.
As well as putting the organisation at risk of a data breach, this practice also illustrates how easy it is to risk organisational compliance and break GDPR and data protection directives. A Microsoft environment security assessment can help housing providers balance their security needs against ease of collaboration by offering a detailed analysis of the organisation’s internal and external collaboration settings and also its Microsoft SharePoint admin centre (including communication sites, channel sites and sites that belong to Microsoft 365 groups) so that site admins and group owners can be added or removed to maintain data integrity.
The need to remotely access data
Enabling remote working is a ‘must’ for housing providers because many housing staff work remotely. Many office-based staff have also moved to permanent hybrid- or remote-working, meaning that controls for remote workers are that much more important to consider these days.
Unfortunately, connecting to a network remotely can be risky because not all devices will be secure and up-to-date when it comes to security settings and software; it only takes one hacked or infected device to compromise the entire network, infecting hundreds of machines and potentially accessing sensitive tenant records. Additionally, once criminals breach a system, they can encrypt data to prevent the organisation from accessing it (ransomware).
A Microsoft environment security assessment examines all security and access points including:
MFA settings;
Identity protection;
Conditional access;
Defender for Office 365;
Email security.
This affords housing providers visibility into their networks and systems and offers a better understanding of any additional security measures that could be taken to protect remotely-accessed data.
Outdated or under-used technology
Limited budgets, legacy software and a hesitancy to install and learn new systems can mean that ‘everyday IT’ at housing providers is outdated or overly-complex/non-collaborative. The sector can also suffer from ‘supplier sprawl’ (when organisations try to juggle too many IT solutions, vendors and services at once) and, due to this plethora of systems, tends to overlook or under-use features already included in their current Microsoft licensing, and this includes built-in security features.
A comprehensive Microsoft environment security assessment gives housing providers a full grasp on which security features are not being used, identifying those which would help the organisation and could be used instead of other third-party software to save money.
Furthermore, the assessment helps housing providers organise and take stock of their Microsoft security tools (whether supplied by a third-party or not) and measure whether the RoI on these is worthwhile from a security and budget standpoint and assess what could be improved.
Jason Rothwell is a solutions architect at Littlefish.
