Recent ransomware attacks on Housing Associations continue to highlight the threat that cybercrime poses to personal data and, with it, confidence in a provider’s online services.
The sector, along with the supply chain upon which it relies, has become the victim of specifically tailored attacks that are designed to extract valuable personal data.
With confidentiality, integrity, and security of tenant and employee data being a top priority within the sector, data breaches serve to rapidly erode trust in an association and the digitized services upon which tenants increasingly rely.
Now an established mode of attack, ransomware is used by criminals to gain access to an organization's IT network or deceptively extract information from the recipient of an email. It’s a type of malware or malicious software which is embedded in an email and targeted at specific individuals or organizations. In most instances, the recipient is tricked into opening a contextually relevant attachment or clicking on a link that automatically injects the software into the organization's IT infrastructure.
Without the correct cyber security controls, ransomware rapidly exploits known vulnerabilities to gain access to personal or sensitive data, before encrypting it and holding the victim to ransom. A request for payment within a certain time window is then made to the victim to ‘unlock’ the encrypted data. Failure to honor the request can lead to the data being published for all to see.
Ransomware is brutally efficient and hugely effective, and is arguably the most profitable mode of attack. Carefully crafted phishing emails with highly plausible requests can inflict significant financial and operational pain from a single ill-judged click of a mouse.
Despite the prevalence of this type of attack, there are several simple and effective steps that any association can take to reduce risk, and increase resilience and security.
Firstly, review the technical controls that are in place to ensure that optimal security settings are utilized and configured. This means ensuring that the business is running the correct versions of applications and software and that it has the correct processes and procedures in place to make this happen.
Secondly, establish a regularly updated, association-wide security awareness education program, ensuring that from the CEO down, all employees are adequately trained in what to look out for and what to do in the event of a suspected incident. This should include phishing simulation to test that the message is getting through and to highlight the fact that employees remain the first line of defense and need to be alert to the threats that exist.
Finally, use a risk scoring service to provide a rapid assessment of where your organization might be exposed. Taking a cybercriminal’s ‘eye view’ provides an insight into the vulnerabilities and weaknesses which are most likely to be exploited in a future attack. This includes ‘indicators of risk’ which increase your likelihood of being a victim of ransomware.
If you’d like to find out more about cyber security in the housing sector, please read our white paper here. Or contact our dedicated consultants for a quick chat about our Ransomware Readiness Assessment and other measures your organization can take to avoid being the next headline.