Arturo Dell: Cyber security now – adapting approaches across the housing sector
HouseMark’s director of data and business intelligence, Arturo Dell, discusses cyber security in the light of the COVID-19 pandemic.
In 2020, cyber security has been a hot topic in the sector, and the current COVID-19 pandemic has also led to near-daily announcements about being alert to cyber scams and fraud attempts.
The Scottish Housing Regulator wrote to landlords on 7 April following a similar announcement from Waverley Housing, headquartered in Hawick, that it had been the victim of a cyber-attack on Saturday 4 April. Fortunately, it does not appear to have had the same financial consequences for Waverley as it did for Red Kite. However, it does highlight that no matter the type of organisation, weaknesses can be exploited by sophisticated hackers.
At HouseMark, we have been supporting our members since 2019 to proactively think about cyber and information security with our unique HouseMark Information Security Forum, which recently held its tenth meeting virtually. Under usual circumstances we’d have a face-to-face meeting in London, but since social distancing rules were introduced in response to the COVID-19 pandemic, we needed to do things differently. This also means that the Forum is now more accessible to our members across the UK, including in Scotland. Whilst it might have been easier to postpone, we recognise that cyber security threats don’t stop – in fact, with more colleagues working from home, contacting each other through instant message, email or video call, there are more opportunities for security threats than usual.
The virtual meeting was a real success, and we’ll continue to meet this way every six / seven weeks as part of the regular forum. Given we’re all working differently, here are some snippets of information and advice to keep your business safe during lockdown. Our key takeaways:
- Data quality, protection and compliance remain a top priority
Mark Hobart presented the Infoboss suite, a product which can be described as a Swiss army knife for data professionals. Mark covered how Infoboss can help resolve some of the needs of organisations dealing with complex data requirements and trying to achieve control and visibility across an ever-growing dataset.
Our resident ethical hacker Bruce Thomson followed with a demo session of Internet of Things (IoT) devices using LoRaWAN. He covered his home setup and demonstrated how to configure and secure these networks. Bruce shared several sources of additional information, including a set of IoT security requirements to be included in any tender so that the security of these devices and networks is not an afterthought.
- There’s more threat to cyber security but organisations remain resilient
Cub L from the National Cyber Security Centre (NCSC) joined to brief the group on the main threats affecting the sector and to provide advice on safe homeworking. As expected, Cub confirmed that COVID-19 phishing attacks are on the rise, particularly those exploiting conspiracy theories. There is also an increase in well-crafted targeted attacks via email, impersonating other members of staff. Cub highlighted an interesting approach taken by some organisations that schedule the daily update to all staff at a specific time from the same address (generally the CEO). This way staff know what to expect, it reduces confusion and the risk of clicking on a phishing attack. This has been so successful that some staff are blocking 30 minutes in their calendar around the scheduled time of the email update to ensure they have enough time to read it and react to anything urgent coming from the communication.
Cub also highlighted the NCSC guidance for home working and asked HouseMark to coordinate feedback from the housing sector on how to improve and update the guidance based on the experience of dealing with the COVID-19 lockdown. We will be coordinating this feedback via the Information Security Forum, but we are interested in feedback from everyone in the sector. If you want to be involved, please contact me at firstname.lastname@example.org.
The final piece of advice from the NCSC for information security professionals is around governance and change control. During these difficult times, organisations may decide to change their policies in relation to home working and things like BYOD (‘bring your own device’) strategies. It is extremely important that any changes to organisational security policies are signed off by the Executive Team and communicated to the Board. Even though these may seem like specific technical changes, in most cases they significantly alter the risk profile for the organisation, and a change of that kind needs top-level sign-off and support.
Following a confidential information sharing session dominated by the measures taken to provide home working capabilities at scale and pace, we finished the meeting with a lot more information, feeling connected and sharing some of our challenges. Our next session is on 6 May, but we agreed to meet virtually a few times before then to continue to update the group on new developments. I will continue sharing these updates so others in housing can share the insight from the group. You will find these insights on the HouseMark website.
- Using Zoom? – Make sure you stay secure!
Since we had our meeting, one of the key discussion points in our Slack group has been around the use of Zoom. This newcomer in the world of videoconferencing tools has quickly become a leader thanks to its ease of use and its free version. Unfortunately, there have been several security issues which have raised concerns including a new type of heckler attack called ‘zoombombing’. Experts in the public sector cybersecurity community have defined a set of ‘safe settings’ for Zoom which we list below. This is a fast-moving issue so we will update this guidance as new fixes emerge:
- Meeting passwords enabled: “On”. This is now on by default; leave it like that. The password is automatically included in the meeting invite…
- Screen sharing to “host only”
- Disable file transfer
- Disable “Join before host” - or use the waiting room facility for low numbers of folks joining…
- Disable “Allow removed participants to rejoin”.
Follow these settings if you are hosting a Zoom meeting and ask for confirmation of these settings if you have been invited to one. If in doubt, always ask for the help of an expert and be sensible about what is discussed and shared in virtual meetings, particularly if you see someone connecting via a voice call, as communications are not encrypted and recording is easier.
If you’d like to know more about our Information Security Forum, please get in touch at email@example.com.