The finance boss of a registered provider (RP) that was the victim of a cyber attack has told other landlords to expect to be targeted amid a sharp increase in incidents during the pandemic.
Flagship Group on cyber attacks: “You have to think you are being targeted by a gang somewhere” (picture: Getty)
David Armstrong, chief financial officer at Flagship Group, told the virtual Housing Finance Conference: “This isn’t a case of if you’re going to get attacked, it’s a case of when.
“The reality is your organisation is constantly under attack, your security systems are repelling thousands of attacks every single day. Some will get through; it’s only a matter of time.”
The 32,000-home landlord was hit by a major cyber attack last November, which led to severe disruption of its services.
Mr Armstrong told the event last week, hosted by the National Housing Federation, that COVID-19 had led to a 400 per cent increase in cyber attacks in the UK. “Working from home has introduced new vulnerabilities and they have been very much exploited by the criminal gangs,” he said.
He added: “Today’s cyber crime is highly sophisticated, highly industrial and professional. They are mirror images of the legitimate businesses they target.”
Matt Brazier, IT director at Flagship, said there a lot of decisions to be made in the first 24 hours after an attack. “You’ve got comms plans, technology decisions, recovery priorities and of course decisions around funding, because recovery does cost a pretty penny.”
But he said that becoming a victim can be an opportunity for a business to address old IT systems. “If you get these decisions right, your IT system can be exponentially better than it was before,” he said.
“We replaced telephony systems, rebuilt systems in the cloud, replaced legacy finance systems. We saw it as a real opportunity to really look at the software we use and accelerate some of our IT plans.”
His warning to others was: “You have to think you are being targeted by a gang somewhere.”
Mr Brazier explained that Flaship has a ‘security council’, which is a central team of staff that retains oversight of its cyber security. The staff are from departments including learning and development, HR, data protection and governance.
To help avoid an attack, Mr Armstrong said the most important thing was to keep staff up to date. “Keep training and educating your staff – they are without a doubt the single weakest link in the whole chain.”
Mr Brazier echoed this. “Staff are your biggest asset as a business but when it comes to cyber security, they’re probably your biggest weakness,” he said.
He added: “Staff have to be able to recognise that dodgy email so they don’t click on it.”
And Mr Armstrong concluded: “Staying safe is all about knowing your IT estate, your hardware, your software, and most importantly your data.”