Preparing for cyber security threats
Ransom attacks are on the increase, causing massive disruption to businesses and, in the worst cases, insolvency. Putting cyber security at the top of your governance agenda is the first step towards protecting your organisation
Partner, Campbell Tickell
For many boards and executives, cyber security is a matter for the IT crowd. It is mildly interesting, and we read with mixed horror and fascination about ransom attacks on large companies in the news. It is probably there somewhere on the risk map, and gets occasional attention from the risk and audit committee.
But recent events, not least threats from Russia, have surely pushed cyber security right up the governance agenda. Housing associations, charities and local government have all been hit by ransom attacks. Others have experienced serious data breaches, sometimes without any malign external agency – unforced errors, as it were.
As it turns out, the first ransom attack was as far back as 1989, using floppy disks. The risk has risen ever since, and sky-rocketed in the past decade, not least because of various authoritarian states which sponsor, or at least tolerate, cyber crime. A few months back, the entire health system in the Republic of Ireland was affected by an attack. For some companies, cyber crime has proved an existential risk, with insolvency the eventual consequence.
On the international stage, cyber attacks have effectively become a weapon of war – remember the Israeli sabotage of the Iranian nuclear programme? It is conceivable that an attack could paralyse or even bring down a major financial institution, or in an extreme case, the entire financial system. Or the power network for a country, an oil pipeline, pretty much any major infrastructure enterprise. To make it more personal, how much would you pay to be released from imprisonment in your smart car or even home?
The consequences of an attack can therefore be serious. Lives could be lost. Paying the ransom might turn out to be the lesser of various evils, and some UK and other firms have already paid vast sums in Bitcoin ransoms. Personal data can be lost, or abused, with business processes disrupted for weeks, or even months. Litigation can often follow. The costs and disruption can be huge. And the risk is not just to organisations, but to tenants and service users as well.
Cyber crime has become a global dark industry, alongside illegal drugs, people smuggling, and extortion. It is a monster – parasitical, remorseless, and powerful. Annual turnover may be as much as $20 billion, although that is hard to quantify for obvious reasons. The Covid-19 pandemic, with the dramatic increase in remote working, has opened up new vulnerabilities, which have been eagerly exploited.
A cautionary tale from over the sea
Paris Habitat is a large housing organisation, which was subject to a ransomware attack in 2020, using a programme freely available on the Dark Web (‘Sodinokibi’, or ‘REvil’). Its defences against attack had been inadequate to non-existent. All communication with tenants and employees was blocked, and the organisation reverted to pen and paper for some weeks or months.
There was, however, a disaster recovery plan, which swung into action. In the first three weeks, some 2,000 workstations and laptops were ‘cleaned’, updated and back with employees. More than 1,000 smartphones were given to key employees to maintain basic communication. Data was restored to a point some weeks before the attack, and new hardware and software with extensive security precautions were introduced. Five months later, 90% of systems were back in operation.
Similar attacks on other large landlords a few months later (1001 Vies Habitat, Deux-Sèvres Habitat and Troyes Habitat) have continued to affect the organisations nearly a year later. Criminals were clearly targeting the social housing sector. The full costs of these events are not yet known, but run into the millions of euros. No ransoms were paid.
Paris Habitat provides homes for 285,000 people in France's capital city.
The key point here is that there can be no fully effective protection from attack. Precautions are important of course. But there are many points of vulnerability, some of them inherent in the software systems we use. Human error and corner-cutting add to the risk and can never be eliminated completely. So it is necessary to assume that every organisation may at some stage in the future be affected, and perhaps held to ransom for its data. Several of Campbell Tickell’s clients, in housing and other sectors, have already been affected in various ways.
What then is to be done? First of all, every board, and the relevant committees, need to give this their full priority attention. Leadership-level skills are also important – more and more organisations are creating executive-level posts for the chief information officer. Relentless curiosity, scrutiny and questioning need to become the order of the day.
Plan for the worst
Strong defences should help, but the hackers are smart and well-resourced. Now is the time to start thinking about back-ups, and contingency plans.
It would be a good idea to war-game some scenarios at governance and operational levels. So, for instance, if all of your data were held to ransom, and you had to start again from a back-up that was (say) two months old, how would you set about achieving that?
Ideally, if your data were held to ransom, you would be able to resist the extortionate Bitcoin demand, and get back in business relatively quickly, with expenditure and disruption contained at reasonable levels.
All about governance
For boards and risk committees, there are some important questions to consider. The obvious one – are your cyber defences as good as they can be? It may be worth getting some external agency to test them, trying to simulate a hacker attack. Or maybe do some stress-testing on how your organisation would cope without access to its bank accounts or financial systems?
A strong and compliant organisational culture is another important line of defence. However, it goes beyond your own defences, and you also need to consider those of your suppliers and third parties, for instance your maintenance contractors with access to some of your systems. Third-party software systems can also be a problem, such as those used for mass mailing.
Another area for attention is that of insurance. After a ransom attack, dealings with insurance companies often become contentious, as they inevitably look for reasons not to make good the losses. It is well worth looking at the detail of the relevant policies, and also at the track record of your provider in dealing with other clients. As an aside, a recent high-profile victim of a successful ransom attack was in fact a major insurer covering cyber risk. And they had to pay up!
The overriding message here is that this important subject now deserves serious governance bandwidth, based on the necessary expertise and advice, so that scrutiny and challenge can be for real.
The enemy is powerful, well-resourced and busy scanning advanced economies for easy targets. Housing associations have not yet been the main focus, but could easily become so. Now is the time to prepare, test and scrutinise. Yes, it may never happen, but if and when it does, you must be as ready as you can. The danger is clear and present.
This article is adapted from one which first appeared in the October 2021 edition of Housing Technology Magazine.