Are you comfortable that your IT policies are protecting your data? I would have started “you only have to pick-up a newspaper”, but that seems rather dated today. No matter how you get your news, whether via social media, online, television or radio, every day seems to bring a new data breach scandal.
Here are some of the better known recent incidents: on New Year’s Eve 2015 the BBC website was hacked, Talk Talk’s breach last October was the third in a single year, everyone has a view on the Ashley Madison data breach and, of course, the recent ‘Panama Papers’ offshore revelations.
Cyber-crime is rife and takes many forms, but closer to home, are housing providers taking this issue seriously?
Most housing providers will be in receipt of benefits information, many will be holding details of very personal family issues, and all maintain details of the most vulnerable in our society.
All new house-building developments and refurbishments are governed by strict standards, whether they are planning applications, fire regulations, gas safety or building regulations, and the security of any building forms part of those standards, yet similar standards don’t take centre stage when it comes to data protection.
Individuals and organisations are under constant attack, yet the most likely breach is from within, whether malicious or, in most cases, ignorance of best practice. It is recognised that 80 per cent of all cyber-attacks are the result of phishing (emails opened from an unknown or disguised source and then clicking on links or opening attachments).
SOCITM’s recent survey of IT professionals showed that IT security policies are not reviewed as often as they should be, and in fact many organisations lack the basic skills and budgets to protect their data. At the same time, millions of pounds are being spent on shifting tenants online, partly to improve services and support digital inclusion, but ultimately to reduce costs.
Our survey found that 96 per cent of respondents thought that IT policies were essential, while 85 per cent said that maintaining policies was time-consuming and laborious, and 58 per cent said that policies were expensive to maintain. International standards exist for IT security, yet few organisations certify, and although best practice suggests that policies should be reviewed regularly, our survey showed that most IT security policies were only reviewed every five years.
In the housing sector, IT departments typically have 9-12 polices whereas best practice suggests 20-28 policies are needed. And while it’s not surprising that recent technologies such as BYOD and cloud are often not covered by IT security policies, the lack of knowledge and application around firewalls and network protection is surprising.
At board level, data protection should be number one on the agenda. The cost of data breach isn’t just a substantial fine by the Information Commissioner’s Office, it’s the breach of trust with your tenants which will ultimately diminish the upside of any digital transformation programmes.
Ed Lucas from The Economist made this point, “We need to treat computer security like another complicated mix of technology and human behaviour. In the 1970s, 6,000 people were killed on the roads every year. Since then, we have cut that number by three quarters. We designed cars to be safer, we rebuilt accident black spots, we changed the law, notably on drink driving, we also created public messages: ‘Don’t drink and drive’, ‘Speed kills’, ‘Clunk-click every trip’. We can do the same with computers.”
Most IT professionals understand the risks involved and provide protection as best they can, but senior housing executives need to make sure they are setting the correct policies in line with recognised standards and giving the appropriate training to all staff, together with the tools to protect the organisation and its customers.
Only 10 per cent of all organisations in the UK insure against data breach, despite the cost of data breaches to British industry being estimated at £34 billion (source: Lloyd’s of London). The cost of protection is high, but is the cost of non-protection higher?
Russell Francis is a consultant to SOCITM (Society of IT Management).
