How can housing providers test their digital infrastructure for vulnerabilities?
In our digital era, everything revolves around data. Whether you are a local authority, housing association or private landlord, the volume of highly sensitive information processed by your systems only increases. Strengthening your defences against cyber risks is imperative to protect your organisation and, more importantly, your customers.
The introduction of the General Data Protection Regulation (GDPR) in 2018 placed several obligations on all organisations, housing providers included. The main goal was to ensure the careful handling of personal data. A GDPR fine for an unreported data breach can cost you a weighty £17.5 million, or 4% of your annual global turnover – whichever is greater. Did you also know that the average time breaches are left undetected is 206 days?
According to a survey by Ponemon Institute, 60% of breaches in 2019 involved unpatched vulnerabilities. One way to mitigate this risk is by performing routine network vulnerability assessments. And you can conduct a successful vulnerability assessment by following these six steps:
Planning
Identify your assessment goals. Consider which assets you want to evaluate. How important are the devices on your network? Who has access to them: any staff member, or solely administrators and authorised users?
Think about the following in your planning:
- Risk level
- Risk tolerance level
- Risk mitigation practices and policies for each device
- Residual risk treatment
- Countermeasures for each device or service (if the service is linked with the device)
- Business impact analysis
Scanning
Actively scan the system or network using threat intelligence, automated tools and vulnerability databases. A vulnerability scanner can help you identify any systems that are subject to known security risks. The scanner should be able to locate and identify devices, software and open ports, and gather other system information. This is then correlated with known vulnerability information from one or more databases.
The list of vulnerabilities produced by the scanners can be exhaustive and even overwhelming to many IT security professionals. Therefore, an evaluation stage is extremely important to decide how critical each vulnerability is, how it would impact the organisation and whether any existing security controls could reduce the risk of that impact.
There are plenty of vulnerability management software tools out there, including automated tools. The National Cyber Security Centre has recently published advice on the choice, implementation and use of automated vulnerability scanning tools for organisations of all sizes.
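The correlation and evaluation described in this step can be sketched in a few lines of code. This is an added example, not part of the original article: the inventory, the vulnerability records with placeholder IDs, and the weighting used in priority() and band() are all constructed assumptions, not a standard scoring method.

```python
# Constructed sample data: what a scanner might report for four devices.
INVENTORY = [
    {"host": "tenant-portal", "software": "webserver", "version": "2.4.1",
     "criticality": 3, "internet_facing": True},
    {"host": "repairs-db", "software": "dbengine", "version": "11.2",
     "criticality": 3, "internet_facing": False},
    {"host": "office-printer", "software": "printfw", "version": "1.0.9",
     "criticality": 1, "internet_facing": False},
    {"host": "intranet", "software": "webserver", "version": "2.4.10",
     "criticality": 2, "internet_facing": False},
]
# Constructed vulnerability records; the IDs are placeholders, not real advisories.
VULN_DB = [
    {"id": "EXAMPLE-0001", "software": "webserver", "fixed_in": "2.4.5", "base_score": 9.1},
    {"id": "EXAMPLE-0002", "software": "dbengine", "fixed_in": "11.4", "base_score": 8.0},
    {"id": "EXAMPLE-0003", "software": "printfw", "fixed_in": "1.1.0", "base_score": 5.3},
]

def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def priority(asset, vuln):
    """Assumed weighting: scale severity by asset criticality (1-3), then halve it
    when an existing control (no internet exposure) reduces the likelihood."""
    score = vuln["base_score"] * asset["criticality"] / 3
    if not asset["internet_facing"]:
        score /= 2
    return round(score, 2)

def correlate(inventory, vuln_db):
    """Return one finding per asset running a version older than the fixed release,
    ordered so the most urgent finding comes first."""
    findings = []
    for asset in inventory:
        for vuln in vuln_db:
            if (asset["software"] == vuln["software"]
                    and parse_version(asset["version"]) < parse_version(vuln["fixed_in"])):
                findings.append({"host": asset["host"], "id": vuln["id"],
                                 "priority": priority(asset, vuln)})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)

def band(score):
    """Assumed reporting bands for the assessment report."""
    return "high" if score >= 7 else "medium" if score >= 4 else "low"

if __name__ == "__main__":
    for f in correlate(INVENTORY, VULN_DB):
        print(f"{band(f['priority']):6} {f['priority']:5} {f['host']:15} {f['id']}")
```

The intranet host is correctly left out because 2.4.10 is newer than 2.4.5; a plain string comparison of the version numbers would have flagged it as vulnerable.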
Analysis
In this step, take a closer look at the reasons behind the detected vulnerabilities, their possible impact and how they can be alleviated. This all needs to go in the all-important Vulnerability Assessment Report, which should include recommendations and risk mitigation techniques.
Keep the following in mind: high and medium vulnerabilities should have a detailed report that may include the name of the vulnerability, the date of discovery, the affected systems and the process to correct the vulnerability.
Alleviation
Also known as remediation, this step acts on the recommendations put forth in the report. Once vulnerabilities are detected and reported, the next step is to rectify, monitor, or eliminate them. This can be achieved through the necessary updates and patches, or workarounds to avoid the threat.
Repeat
Vulnerability management is a process. It is essential to schedule regular assessments to ensure ongoing security of your organisation’s digital infrastructure.
Verify
The final step is to verify that threats have been eliminated through follow-up audits.
Investing in cybersecurity is essential for any company these days, and particularly for housing providers given the large amounts of sensitive data they are responsible for protecting. Find out how our housing-specific software can help you to manage your data securely.