Cyber-attacks are a persistent and very real threat to all business sectors across the UK. Social landlords are particularly at risk because of the large amount of personal data and financial details they hold. In addition, technical advances such as making services digitally available and undertaking integration work with other organisations have created opportunities for cyber-attackers.
The Scottish Housing Regulator (SHR) recently wrote to social landlords informing them of a number of cyber-attacks which were deliberately targeted at social landlords. In at least one case, the cyber-attacker managed to access tenants' personal data. Whilst such attacks are unlawful in the UK, this does not prevent them from occurring.
What is a cyber-attack?
A cyber-attack is unauthorised access to information, either remotely via an unsecured network or the internet, or through a physical device such as a USB drive.
There are a variety of different methods used to undertake cyber-attacks, including hacking, malware, ransomware and denial of service attacks. Although the nature of cyber-attacks varies considerably, the goals of cyber-attackers are usually to:
- access the organisation's data;
- access customers' personal data;
- disturb the service provided by the organisation; or
- damage the reputation of the organisation.
Social landlords as targets for cyber-attackers
Social landlords are attractive targets to cyber-attackers because of the range of personal data they collect. Social landlords hold service users' personal data ranging from email addresses and phone numbers to bank details. These can all be traded as a form of digital currency online and people are willing to pay for this information.
Also, the increased use of online transfers of money between social landlords and tenants intensifies the risk of cyber-crime. For example, cyber-criminals could pose as social landlords and trick tenants into paying rent into a different account.
Cyber-criminals are not the only source of cyber-attacks on social landlords. There have been reports of social landlords being targeted by "hacktivists". These are people or organisations that break into computer systems for politically or socially motivated purposes.
By way of example, a large social housing group in England was bombarded with more than 700 emails and social media posts which were intended to crash its computer system. This was done by a far-right group that accused the social landlord of discrimination. They intended to damage the reputation of the social landlord and disturb its services.
Cyber-attackers can be prosecuted for carrying out the above attacks. Nonetheless, social landlords also have their part to play in preventing cyber-attacks by maintaining adequate security of their network systems.
In particular, the SHR's Regulatory Framework provides that all social landlords must have effective risk management arrangements. The SHR has recently advised social landlords to review the adequacy of their cyber-security arrangements in light of the recent deliberate attacks on the sector.
The General Data Protection Regulation (EU) 2016/679 (the "GDPR") is also relevant here as Article 5(1)(f) provides that personal data should be processed in a "manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing". There are also requirements on controllers and processors to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk". Accordingly, social landlords are required to protect the personal data they hold against cyber-attacks and manage the security risks they are facing.
Top tips for increased cyber-security
Cyber-attacks are now an inevitable part of business life, and while the majority of social landlords are successfully preventing them, the attackers themselves will become more sophisticated. Our top tips for preventing cyber-attacks are as follows:
1. Undertake a risk assessment
Following on from the SHR's advice, it is good practice to undertake a risk assessment covering all areas, including foreseeable internal and external threats, the likelihood of these threats becoming real and the sufficiency of the technical measures, policies and procedures in place to mitigate these threats.
2. Ensure software is up to date
The temptation to skip software updates is strong, especially as they tend to pop up at the most inconvenient moments. However, this is a mistake which gives cyber-attackers a chance to strike, as outdated software is much easier to hack than the latest version. Instead of procrastinating, ensure software updates are installed as soon as possible to decrease the risk of a cyber-attack.
3. Staff and customer training and awareness
Prevention is always better than cure, and social landlords must work with staff and customers to educate them on the types of cyber-attacks that exist, how to spot them and how to report them with the overall aim of preventing cyber-attacks.
4. Prepare for a cyber-attack response
Despite the best efforts of a social landlord to prevent a cyber-attack, it is still possible for one to occur. Accordingly, social landlords should prepare for a cyber-attack. This should include the procedure for identifying and responding to attacks, containment and recovery, external reporting obligations and incident evaluation.
Overall, social landlords must stay vigilant to the threat of a cyber-attack and accept responsibility for their own cyber-security measures to ensure they have the appropriate controls and systems in place to deter and deal with breaches if they do occur.