Jason Wickens is a senior technology and change leader. Here he takes a look at the current state of play with cyber security in the housing sector and shares his insights on the key areas boards need to be prioritising.
If I had been asked this question a few years ago I would have said no. My initial assessment on joining the sector was that social housing providers were behind other sectors when it came to cyber protection. This was (and in some cases still is) due to ageing technology and insufficient focus at all levels.
However, the landscape is changing and so are the mindsets of executive teams and boards. Over the last couple of years there has been a shift: increased investment in technology, and an appreciation that cyber security is the responsibility of the entire organisation, not just IT. I'm involved in more regular conversations with exec colleagues and clients looking for support and advice on how best to protect their organisations.
With the frequency and sophistication of threats increasing, we also cannot ignore the rise in successful attacks that have hit social landlords of all sizes. From ransomware to phishing, the impacts are far-reaching and range from small intrusions to full-scale technology shut-down.
These attacks have also been noted by the regulator, who will undoubtedly expect more from social landlords and require evidence of how they are protecting their residents and staff from potential breaches.
The sector and marketplace are flooded with tools, tips and advice. In my view, the following are the key areas that any exec team or Chief Information Officer should focus on:
1. Define your target and strategy
Rather than attempting to cover all bases without a clear plan, I believe adopting a framework provides the required structure and a way to measure progress. Obtaining the associated certification, where the framework offers one, can also be a useful benchmark of protection. Knowing which framework to adopt, however, can be difficult as there are many (e.g. Cyber Essentials (CE), the CIS Critical Security Controls from the Center for Internet Security, ISO/IEC 27001). Striking the balance between control and operational requirements is important. There is no point tightening controls to the point where your business cannot function.
2. Cover all aspects
This includes people, process and technology. Cyber protection is not just about software and needs to be embedded into business as usual. Employee awareness and regular testing are equally important. A business can adopt the most intelligent and advanced tools, yet a single click on a malicious link in an email can expose the entire organisation. It's also important to gain buy-in at all levels, from the board to individual team members.
3. Never become complacent
Protecting an organisation from cyber risk is never "done". New threats and risks are constantly emerging, and ensuring ongoing investment and focus is critical. As businesses become more reliant on technology, it is becoming a question of "when" an attack takes place rather than "if". Having policies and procedures in place to manage an attack when it happens (an incident response plan that has actually been rehearsed, not just written) will also help the executive team and board demonstrate control of, and response to, such a strategic risk.
I believe that collaboration between social landlords is critical and that cyber protection should be high on the agenda. Getting an external viewpoint can not only affirm and validate an organisation's security posture, it can also highlight any areas requiring attention. In my experience, the only way to ensure success is to use clear "non-tech" language and to lead the required behaviours at the executive level.