The social housing market continues to be under huge pressure from all sides to provide more for tenants with very little in the way of incremental resources. Set against the backdrop of a digital revolution and an intimidating rise in cybercrime, few social housing organisations have sufficient security skills in-house to keep tenant data and services safe.
While every organisation has its own particular challenges at different times, conversations with our customers in this sector tend to fall into the following areas:
- Digital inclusion – online services for tenants
- Remote access for housing association staff
- Mergers and acquisitions
- Business continuity and disaster recovery
Each of these comes with its own impact on security. Although experience shows us that the social housing sector is good at identifying risks and ensuring that cyber security is detailed in the organisation's risk register, acknowledging the risk is different to doing something about it. Security is not always at the forefront of people’s minds due to limited resources, time and budgets. As a result, a solution that not only answers the requirements of the business but also addresses security is unlikely to be delivered.
The risks in the housing sector are much the same as those facing other organisations that engage with their customers online. Any one of the following could lead to reputational damage and irreversible loss of customer trust, which is much harder to quantify and put a value on than any monetary loss:
- Data loss – the data gathered by the social housing sector is extremely sensitive (health and other personal information as well as bank details) and therefore requires protection against deliberate theft and accidental loss.
- Malicious attacks – whether attacks are designed to take out a service or to steal information, services need to be properly protected.
- Regulatory standards – often about practices and processes rather than technology, but equally important to overall security.
Other risks could come in many forms - tenants accessing illegal material, for example, is a risk if you’re providing devices or internet access. Acceptable Use Policies (AUPs) should be signed to protect the provider.
Security in application roll-outs
A particular risk for the housing sector comes from application releases. In the rush to meet demand for online services quickly, security is often not given proper and full consideration before new apps are rolled out. Projects are rushed through to deployment without the proper consultation with IT security and therefore the needs of customers are put before the needs of the organisation.
It's true that you can't test a half-finished app or website for security vulnerabilities; an application in constant flux invalidates any preceding testing activity. Unfortunately, by the time development is complete the project manager usually just wants to get the website live because, in their eyes, the job's done. The simple truth is that security cannot be added as an afterthought.
In our experience, where security needs are considered properly throughout the design and rollout of a new digital service, the result is more effective and costs less.
What should Housing Associations do?
“100% Security” is a goal that is unlikely to be achieved due to the rapidly evolving threat landscape. However, attitude to risk can make an important difference. If we embrace the concept that breaches will almost certainly happen, a question of when rather than if, we can begin to put measures and plans in place to limit and mitigate the threats that breaches pose to organisations.
Housing Associations can take the following 5 steps, or work with security specialist service providers like Novosco, to understand the risks and balance them against the cost of mitigation:
- Take stock of your assets – work out what you’ve got first
- Assess your security risks – work out how you’re going to manage them
- Assess your future needs – is the current situation scalable?
- Test your security for compliance
- Plan for disaster recovery and business continuity