The latest meeting of the Information Security Forum took place over two mornings via WebEx instead of a full day. We keep trying to manage virtual conferencing fatigue, and splitting a whole-day meeting into two mornings seems to work really well.
Over the two days we shared common challenges and best practice, heard from expert speakers and were able to benefit from a safe and confidential space to learn from real-life examples.
Cybersecurity risks have increased in the wake of coronavirus. So, what were the key takeaways that social landlords can act on now?
1. Get the basics right!
The first morning started with Cub L from NCSC giving us his briefing for the sector. He highlighted the joint advisory from the cyber intelligence forces from the UK and the US on the targeted attacks on pharmaceutical and research organisations related to COVID-19. Interestingly, the attacks are quite rudimentary (exploiting weak passwords and known vulnerabilities of IT equipment). Cub advised that this type of targeted attack is likely to expand to the public sector in general and it is possible that housing organisations will be affected.
Strong passwords should always be a requirement. Run regular password audits using tools like the NCSC PowerShell script to ensure your users' passwords are not in the top 1000 list of commonly targeted ones.
2. Remind your staff to be vigilant
The increased cyber security threat during the coronavirus pandemic has been well documented, including the rise in the proportion of malicious email traffic from 12% to 60% since lockdown began. Rik Ferguson, Vice-President Security Research at Trend Micro, presented a great session which asked whether we are seeing a COVID-19 crimewave. Rik believes that, now that the UK has become the country with the second-highest number of coronavirus-related deaths in the world, attacks are expected to increase. The sophistication of the attacks is growing, but email remains by far the most common and effective channel, and phishing continues to increase. Rik’s conclusion is that we are not seeing a COVID-19 crimewave online, but criminals are adapting their techniques quickly and ultimately focusing on the two main crimes committed online: theft and extortion.
Reminding all staff to be vigilant and sharing key guidance to avoid phishing is a simple way to help protect your organisation.
Figure 1: Crimewave or just opportunism?
3. Check your backups regularly
One of the other areas of concern for NCSC is organisational resilience to ransomware attacks. These are incidents where data is encrypted and a ransom is then demanded to regain access to it. Hacking groups who break into organisations’ systems are frequently disabling the backups before launching the ransomware attack for maximum impact. The importance of checking backups regularly and of having offline provision was emphasised, particularly as cloud services become the norm. At a previous meeting we discussed this issue, particularly as many people are unclear about backups for Office 365.
Figure 2: Office 365 retention policies and backups. Source: Veeam presentation to the forum.
4. Remember that information security is about more than just digital
We share intelligence between organisations and this is confidential to members, but one interesting insight which I can share is that despite all the fantastic technology deployed during the pandemic, the simple things are always the most challenging. A few members discussed the problems that printing was creating when working from home. From the need to print batches of letters to printing at home for easier reading, this is a challenge from a security and data protection standpoint. It was interesting to hear other views about this and share learning.
5. Keep up to date with the latest technology and think about the potential effects for your organisation
Day two started with a great presentation from our resident ethical hacker Bruce Thomson on his latest security research experiment. He demonstrated the possibility of using QR codes to insert malicious code into CCTV systems. This may sound far-fetched, but as usual with Bruce, he demonstrated the process step by step so others in the group could experiment and test. There was an interesting discussion about the potential vulnerabilities some of the CCTV equipment may have and how widely used they are across the sector. As always, these often-overlooked technologies can be targeted for attacks and by highlighting this possibility we are ensuring our organisations are better protected.
Figure 3: A virus inside a QR code on a t-shirt? Must be the latest experiment from Bruce Thomson
6. Do your bit to help bring down malicious websites
A new suspicious email reporting service (SERS) has been launched by the NCSC in response to the increase in coronavirus phishing scams. This service allows anyone to easily forward phishing emails to an address which is then used to bring down fake websites. Since its launch, the service has helped bring down over 1000 malicious websites.
Our Information Security Forum is a place for key people from housing organisations to come together to discuss issues around cyber security and governance. If you’d like to get involved or find out more, please get in touch at email@example.com.
Friday 26 June 2020