Recap: SFHA Cyber Security Roundtable

Posted Thursday 28th November by Admin User

The SFHA Cyber Security Roundtable, held virtually on Wednesday, 20 November, in collaboration with SCVO, gathered experts and members to discuss cybersecurity trends and best practices.

 
 

The SFHA Cyber Security Roundtable virtual event on Wednesday 20 November, held in collaboration with SCVO, brought together experts and members to discuss the current cybersecurity landscape and share insights on best practices. The event featured a panel of speakers with diverse backgrounds in cybersecurity, offering a wealth of knowledge and experience. 
 
The event kicked off with a warm welcome to all attendees. The roundtable format was chosen to facilitate a broad discussion on various cybersecurity topics, allowing for a comprehensive exchange of ideas and experiences. 
 
Cybersecurity Challenges for Housing Associations    

  1. Phishing Attacks – Staff handling sensitive data are targeted with fake emails to steal credentials. 
       
  2. Ransomware – Systems are locked, and data encrypted, disrupting operations.    
     
  3. Data Breaches – Loss of tenant or financial data leads to fines and reputational damage.    
     
  4. Third-Party Risks – Vendors or contractors with weak security expose the organisation.    
     
  5. Low Budgets – Limited resources mean outdated systems and fewer protections.    
     
  6. Cloud Security – Misconfigurations in cloud systems create vulnerabilities.    
     
  7. Lack of Training – Staff unaware of threats are more likely to make errors.    
     
  8. Legacy Systems – Old software lacks modern security updates.    
     
  9. IoT Risks – Devices can be entry points for attacks.
     
  10. Compliance Issues – Meeting GDPR and other regulations is a constant challenge.    

Panel of Speakers 
The panel included: 

  • Jason Baines: Principal Consultant at Altair, who shared his experience of leading a full organizational recovery after a large-scale cyber-attack. 

  • Gareth Renaud: Senior Information Security Officer at Link Group, who discussed cybersecurity risk management, policy implementation, and security awareness training. 

  • Leigh Pettigrew: IT Officer at Prospect Housing Association, who provided insights from a small community-based housing association. 

  • Alison Brogan: SCVO Cyber Resilience Co-ordinator, who highlighted her work in supporting the sector to become more cyber resilient. 

 
Key Discussion Points 

Importance of Cyber Resilience 

  • Prevention and Recovery: Jason Baines emphasized the need for robust prevention strategies and effective recovery plans. He highlighted the importance of having immutable backups, which saved his organization during a ransomware attack. 

Incident Response Planning 

  • Critical Steps: The panel discussed the importance of disconnecting affected systems, notifying cyber insurers promptly, and maintaining clear communication to prevent misinformation. 

Training and Awareness 

  • Staff Education: Gareth Renaud stressed the importance of training staff on cybersecurity threats and response, including real-world phishing examples. He also emphasized the need to avoid a blame culture to encourage timely reporting of incidents. 

Cyber Essentials and Continuous Testing 

  • Certification and Assessment: The panel recommended Cyber Essentials certification as a starting framework and highlighted the need for ongoing external testing and audits to maintain security standards. 

Role of Leadership and Governance 

  • Board-Level Engagement: Cyber risks should be prominently featured on strategic risk registers, with board oversight on mitigation actions. Documentation and clear records are critical for recovery and compliance. 

Challenges in Smaller Organizations 

  • Resource Constraints: Smaller organizations can use templates and frameworks from organizations like Cyber Scotland to draft incident response plans and leverage community support and resources. 

Emerging Threats and Future Preparations 

  • AI in Cybersecurity: The panel discussed the dual role of AI in cybersecurity, both as a tool for attackers and defenders. They emphasized the need for vigilance and adaptation to new technologies. 

Practical Tools and Support 

  • Community Resources: The Cyber Scotland Partnership provides valuable resources and a helpline for smaller organizations. Shared learning groups like the Cyber Information Sharing network offer opportunities to exchange insights and improve defenses collectively. 

Cost of security 

  • Benchmark your cyber spend: Can you calculate what you spend on cyber security per staff member, per tenant, or per device, including patching, systems, and training? The figure likely won’t be that high. Knowing it allows you to consider a better business case.

Cyber Security Resources 
For more information and resources, attendees were directed to the following information: 
 
Cyber Scotland 

The website links to the resources we covered but sharing some specific ones below: 

 
Other links 

  • Cyber Insurance - www.usecure.io/en/ - It’s a human risk management platform that identifies gaps in user security knowledge and tailors their training for them. We push training every 14 days and the videos can be either formal or informal (cartoon-like). Videos are only a few minutes long; our user uptake is very good and our cyber security awareness remains high. The cost includes the ability to do your own simulated phishing exercises, policy management (lots of IT policy templates) and dark web monitoring.

If you would like to discuss any points from the recap please contact Gary Dickson, Digital and Design Manager: gdickson@sfha.co.uk