We recently held the 10th meeting of HouseMark’s Information Security Forum via WebEx. We had to think long and hard about running this session online because the core principle of the Information Security Forum is to establish trust between participants so they can share their security incidents and issues openly. That trust has been built through several face-to-face meetings. One of the things this virus has taught us is to adapt quickly, so we spoke with our members and our contributors and agreed to run it via WebEx. We tried to keep the same format we have used in the past but introduced more frequent breaks to avoid any session going longer than an hour. We kept the cameras on and muted the microphones and even introduced virtual clapping to recognise a great contribution. So, what did we learn about information security during these challenging times?
Data quality, protection and compliance remains a top priority
We kicked off with Mark Hobart who presented the Infoboss suite, a product which can be described as a Swiss army knife for data professionals. Mark covered how Infoboss can help resolve some of the needs of organisations dealing with complex data requirements and trying to achieve control and visibility across an ever-growing dataset.
Our resident ethical hacker Bruce Thomson followed with a demo session of Internet of Things (IoT) devices using LoRaWAN. He covered his home setup and demonstrated how to configure and secure these networks. Bruce shared several sources of additional information, including a set of IoT security requirements to be included in any tender to ensure the security of these devices and networks is not an afterthought.
We then had our lunch break where instead of sharing some sandwiches and networking we all left the WebEx temporarily and grabbed whatever food was available - probably dealing with hungry kids bored of exercising with Joe Wicks.
There’s more threat to cyber security but organisations remain resilient
The afternoon was kicked off by Cub L from the National Cyber Security Centre (NCSC) who joined to brief the group on the main threats affecting the sector and to provide advice on safe homeworking. As expected, Cub confirmed that COVID-19 phishing attacks are on the rise, particularly those exploiting conspiracy theories. There is also an increase in well-crafted targeted attacks via email, impersonating other members of staff. Cub highlighted an interesting approach taken by some organisations that schedule the daily update to all staff at a specific time from the same address (generally the CEO). This way staff know what to expect, which reduces confusion and the risk of clicking on a phishing email. This has been so successful that some staff are blocking 30 minutes in their calendar around the scheduled time of the email update to ensure they have enough time to read it and react to anything urgent coming from the communication.
Cub also highlighted the NCSC guidance for home working and asked HouseMark to coordinate feedback from the housing sector on how to improve and update the guidance based on the experience of dealing with the COVID-19 lockdown. We will be coordinating this feedback via the Information Security Forum, but we are interested in feedback from everyone in the sector. If you want to be involved, please contact me at email@example.com.
The final piece of advice from the NCSC for information security professionals is around governance and change control. During these difficult times, organisations may decide to change their policies in relation to home working and things like ‘bring your own device’ (BYOD) strategies. It is extremely important that any changes to organisational security policies are signed off by the exec team and communicated to the Board. Even though these may seem like specific technical changes, in most cases they significantly alter the risk profile of the organisation, and that change needs top-level sign-off and support.
Following a confidential information sharing session dominated by the measures taken to provide home working capabilities at scale and pace, we finished the meeting with a lot more information, feeling connected and sharing some of our challenges. Our next session is on 6 May, but we agreed to meet virtually a few times before then to continue to update the group on new developments. I will continue sharing these updates so others in housing can share the insight from the group.
Using Zoom? – Make sure you stay secure!
Since we had our meeting, one of the key discussion points in our Slack group has been around the use of Zoom. This newcomer in the world of videoconferencing tools has quickly become a leader thanks to its ease of use and its free version. Unfortunately, there have been several security issues which have raised concerns including a new type of heckler attack called ‘zoombombing’. Experts in the public sector cybersecurity community have defined a set of ‘safe settings’ for Zoom which we list below. This is a fast-moving issue so we will update this guidance as new fixes emerge:
Follow these settings if you are hosting a Zoom meeting and ask for confirmation of these settings if you have been invited to one. If in doubt, always ask for the help of an expert and be sensible about what is discussed and shared in virtual meetings, particularly if you see someone connecting via a voice call as communications are not encrypted and recording is easier.
If you’d like to know more about our Information Security Forum, please get in touch at firstname.lastname@example.org.