ao link
Twitter
Linked In
Bluesky
Threads
Twitter
Linked In
Bluesky
Threads

Board Member Briefing: preparing for a cyberattack

Insight18.09.247.15 AM by Peter Apps

Cyber security is one of the sector’s biggest strategic risks but is often overlooked by boards focused on service delivery and financial stability. Peter Apps explores what boards need to know and how mitigating the risk of attack can improve performance more generally. Illustration by Gary Neill

Linked InTwitterFacebookeCard
Sharelines
Cyber security is one of the sector’s biggest strategic risks but is often overlooked by boards focused on service delivery and financial stability. @PeteApps explores what boards need to know and how mitigating the risk of attack can improve performance more generally #UKhousing

Cyber security was the most frequently flagged risk in housing association risk registers in 2024 and the second biggest (after health and safety) in 2023.

With this in mind, you might expect it to be a talking point in board rooms, but anecdotal evidence suggests it is not. Instead, it is delegated to information security teams and largely overlooked by boards focused on service delivery and financial stability.

No one should be complacent about cyber risks, but after several major incidents, there is even less excuse in the social housing sector. Hackney Council suffered an attack in 2020 which left it without the systems and data to perform its housing functions, causing a crisis that rumbled on for years. Clarion, the UK’s largest housing association, was hit by cyber criminals in summer 2022, in an attack that caused major disruption for its customers and ultimately cost £17m.

So how can boards get better at cyber security? Dr Kate Jones is chief information officer at Cadent Gas, the UK’s biggest gas distribution network, and a board member at 35,000-home Onward.

“The first thing a board member needs to remember is that you’re there to provide assurance that the organisation is doing the right thing, but you’re not operational. Your job is to check that the right things are in place,” she says.

“If you’re asking basic questions and not getting good answers, that should be a red flag. If the operating system is really out of date, that would be as well, [or] if there isn’t a response plan in place – all of these things should ring alarm bells for a board,” she adds.

She says there are good external standards against which organisations can be measured. Cyber Essentials is a government-backed certification scheme that covers basic cyber threats. This is the lowest standard a housing association should achieve, Dr Jones says.

READ MORE

Hackney to procure new IT system after three years of struggle following ‘devastating’ cyberattackHackney to procure new IT system after three years of struggle following ‘devastating’ cyberattack
Risk Register Survey 2024Risk Register Survey 2024
Social landlords should work together to address the growing threat of cyberattacksSocial landlords should work together to address the growing threat of cyberattacks
West Midlands association hit by cyberattackWest Midlands association hit by cyberattack

IS0 27001 is a more complex standard, but provides good guidelines on what the most sophisticated businesses are doing. “You don’t have to go for the full certification, but it is useful to use that to see what ‘good’ looks like,” she says.

Providers should also subscribe to National Cyber Security Centre (NCSC) briefings, which outline the main current threats and new trends. The NCSC also publishes a board toolkit, which should be required reading for all housing association board members.

Among these are paper-based scenarios which board members use to rehearse their actions in a cyberattack.

Government research, published in April, on the state of cyber security in the UK showed a worrying lack of this basic level of governance: just 31% of businesses and 26% of charities had undertaken cyber security risk assessments in the previous year.

Just 58% of medium-sized businesses, 66% of large businesses and 47% of high-income charities had a formal cyber security strategy in place, according to the survey, which identified “a lack of knowledge, training and time” as the key reasons board members were not engaged with this topic.

“I speak to a lot of board members and there can be a bit of fear around the term ‘cyber security’. People think it will be very technical and that further protections will be very expensive,” says Charlotte Clayson, partner at law firm Trowers & Hamlins.

“So the first thing I say to them is, ‘Don’t think of it in that way, think of it as business protection and understand what you are doing already’. This can’t be siloed within the information security team. They need someone to translate that information for them so they can get a proper understanding around risk.”

She adds that boards should also see it as their role to ensure that cyber security is given a ‘whole-organisation’ approach, and build an understanding that cyber security is everyone’s responsibility.

Risk mitigation

The annual government survey mentioned above showed that phishing (scam emails or texts that contain links to malicious websites) was by far the most common form of attack. A key means of defence is educating staff to recognise phishing attempts.

Boards should also have some oversight of what the key risks are: what is the oldest software, which are the most out-of-date servers?

“It all comes down to risk mitigation,” Dr Jones adds. “You can never say a cyberattack is not going to happen, so you have to be as prepared as you can be, and the board has some visibility around how big that risk is.”

The data quality within an organisation should also be up to scratch. Lots of sensitive data held across many servers and different spreadsheets is more vulnerable and harder to protect than high-quality, consolidated and protected data that is backed up securely. Getting control of the data each organisation holds is crucial.

“My first question to board members is, ‘What do you know about data quality in the organisation, and how are you assured of it?’” says Andrew van Doorn, chief executive of HACT.

“I think we should stop looking at data quality as cost and view it as investment. Where we can get to if we have better data is better-quality information, better insight and [we can] better meet the new regulatory and building safety requirements. So view it as a continuous improvement investment opportunity, not just as cost.”

31%
Percentage of businesses that undertook cyber security risk assessments in the past year

66%
Percentage of large businesses that have a formal cyber security strategy in place

£17m
Cost to Clarion of a cyberattack in summer 2022

Preparedness is key. Organisations should have a response plan and the board should know what its role will be within that.

“A board member should understand that there is some process for understanding and isolating critical data with critical systems. Are there back-ups? Is there disaster recovery? Is there a business continuity plan? Are the plans tested regularly?” says Dr Jones.

“Planning for the worst is hugely important,” says Ms Clayson. “When a cyberattack happens, it’s quite a lonely and stressful place to be. You have to make a lot of difficult decisions very quickly. So if you can get your team set up – what they should be doing, who they need to take advice from – that’s really going to help.”

She says experts run training sessions where they simulate a cyberattack, which can help board members test the operational plan and locate weaknesses.

Dr Jones thinks the sector still has some way to go. “Quite often, you’ll see a good understanding of the risk, and the potential consequences of it, but we need to be asking about the control framework.

“Yes it might be number one or two on your risk register, but what is actually being done to protect tenants’ data? If it was lost, how would we restore it? How are we checking to see whether it has been leaked to the dark web?” she says.

“Cyber security is always evolving,” Ms Clayson adds. “It’s never a tick-box thing, saying, ‘We’ve done the training, we’ve asked the questions, we’re done’. You should have your information security team reporting
in about evolving threats.”

Phishing attempts, for example, are becoming increasingly sophisticated.

“Now, with generative AI, if they get into your systems, they can look at the way people communicate, the types of language they use, who they communicate with in the organisation,” says Ms Clayson. “So when you get an email from your chief executive or your finance director, it will very closely mimic the sort of things they say.

“[Fraudsters only need a very short audio file] to create an AI copy of the voice. So people are now getting voicemails from someone within the organisation asking for bank details to be changed, which are being left by fraudsters in the voices of their colleagues.”

She says a culture of questioning everything – particularly requests to share sensitive data in an unusual way or change payment details – must be adopted.

“You just need to always phone and confirm, or walk into their office and double-check,” she adds. “You need to think, ‘What’s worse? My boss is slightly annoyed that I was over-cautious, or I made a six-figure payment out of the organisation to fraudsters?’”

Better-quality data management, clear oversight, good software and functioning systems should improve the performance of the organisation overall.

To quote the NCSC board toolkit: “When it’s done well, cyber security is so much more than a compliance function or the implementation of technical controls. You can use it to exploit the opportunities that technology brings, drive your company’s agenda, and deliver real value throughout your organisation.”

Inside Housing’s Board Member Briefing series

Picture: Alamy
Picture: Alamy

The Inside Housing Board Member Briefing series aims to help board members at housing providers get up to speed with their role in a fast-changing world, but are also for everyone else engaged in the running of social housing businesses who want to stay on top of the key issues of the day. Click below to read other briefings in the series.

Lessons from the Grenfell Tower Inquiry report
The inquiry into the Grenfell Tower fire has concluded. Peter Apps distils what board members at social landlords should take away from it

Preparing for a cyberattack
Cyber security is one of the sector’s biggest strategic risks but is often overlooked by boards focused on service delivery and financial stability. Peter Apps explores what boards need to know and how mitigating the risk of attack can improve performance more generally

Dealing with a financial crisis
More housing associations are likely to get into financial difficulty. How should board members prepare, and how should they respond if their organisation is struggling? Peter Apps reports

High rises and building safety regulation
The next stage in England’s new building safety regime is set to begin, with the Building Safety Regulator able to call in “safety cases” for high rises from April. Peter Apps explains how boards should prepare

Mergers
Peter Apps looks at housing association mergers and the process behind them

Tenant board members
Peter Apps looks at how tenant board members can add value to the governance of an organisation

Development risk
Peter Apps looks at how the boards of housing providers can manage development risk in a difficult operating climate for the housing sector

Consumer regulation
Peter Apps, looks at the forthcoming consumer regulation regime

Board Member BriefingHousing Association/RPLocal AuthorityPolicyTechnology
Linked InTwitterFacebookeCard
Add New Comment
You must be logged in to comment.
RELATED STORIES