Tuesday, 23 April 2024

Insecurity

If you do the Twitter thing, follow me at @HousingITguy or LinkedIn here https://uk.linkedin.com/in/tonysmiththathousingitguy

It was a low-key announcement last week from the UK ICO (Information Commissioner's Office) that caught my eye, but an important one for the social housing sector.

They issued a reprimand to the Clyde Valley Housing Association in Lanarkshire, Scotland, after personal information was accessible to other residents on an online customer portal. In fairness, CVH are not the only provider in the news recently, and let's not forget that digital self-service for residents is essential.

The notice states that a resident, on the first day the portal was in use, discovered they could easily access other tenants' data, including documents and personal information.

Other residents reported the same issue, and because those reports were not escalated the situation continued for five days. The danger of criminals (or just optimists) obtaining personal information for nefarious purposes is real and can easily lead to identity theft.

This situation was most likely caused by a number of factors, all of which could have been detected and mitigated quite easily.

More attention to secure design would have been a start. By the looks of the login, it uses a relatively standard turnkey resident portal with a design layer from a third-party web partner over the top. This is a very popular strategy and can be executed very securely in most cases. It does, however, need careful design, particularly around who is permitted to see which records; that control has to be enforced in the portal itself, not left to the presentation layer on top.

User Acceptance Testing (UAT) is an essential stage, yet one that gets scant attention in many implementations. It often needs to be lengthy and detailed, which puts many organisations off. Nor should it be ignored that most staff have never had to test software thoroughly before. Where skilled testers (or staff who have tested before) are not involved, inexperienced staff need some coaching. For a resident portal, the plan must include negative tests: log in as one test resident and try to reach another resident's records and documents, and treat any success as a blocking defect.

I have worked with many organisations to build UAT plans for them and to produce training materials that help them understand the process and execute it well, creating an audit trail for each test.

Lastly, engaging a third-party security organisation to review access controls, do some penetration testing and otherwise probe the solution for flaws and ways of reaching data a user should not see is recommended. Browser-based solutions expose a much larger attack surface than many older legacy applications and are best checked more frequently, at least annually.
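As an added illustration (this is not the portal's code, and the ICO notice does not say how the access actually happened), here is the class of flaw that most often produces "a resident could open another resident's documents": an endpoint that fetches a document by the id in the request without checking who owns it. Beside it is the ownership-checked version, and the sweep function is the check a UAT tester or pentester would run against either: authenticate as one tenant, walk a range of document ids and record anything that comes back belonging to someone else. The tenants, documents and function names are all constructed for the example.

```python
"""Tenant-document access control on a resident portal.

Added example with constructed data; not the portal's own code. Shows a
lookup keyed only on the id in the request (vulnerable), the ownership-
checked version (hardened), and the cross-account sweep that catches the
difference during UAT or a penetration test.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


class NotFound(Exception):
    """Raised when a document is not available to the caller."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    tenant_id: int  # the tenant this document belongs to
    title: str


# Constructed sample data: two hypothetical tenants with two documents each.
DOCUMENTS: Dict[int, Document] = {
    101: Document(101, 1, "Tenancy agreement"),
    102: Document(102, 1, "Rent statement March"),
    201: Document(201, 2, "Tenancy agreement"),
    202: Document(202, 2, "Repairs history"),
}

Fetcher = Callable[[int, int], Document]


def get_document_insecure(session_tenant_id: int, doc_id: int) -> Document:
    """Vulnerable: trusts the document id from the URL and never checks
    whether it belongs to the tenant who is logged in. Anyone who changes
    the id in the address bar gets someone else's document."""
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def get_document_secure(session_tenant_id: int, doc_id: int) -> Document:
    """Hardened: ownership is checked server-side against the authenticated
    session, inside the portal rather than in the design layer on top.
    'Not yours' and 'does not exist' get the same response so a caller
    cannot tell which ids are valid."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.tenant_id != session_tenant_id:
        raise NotFound(doc_id)
    return doc


def cross_account_sweep(fetch: Fetcher, as_tenant: int,
                        candidate_ids: Iterable[int]) -> Dict[int, int]:
    """The UAT / pentest check: authenticated as one tenant, walk a range of
    document ids and record every document returned that belongs to another
    tenant. Returns {doc_id: owning_tenant_id}; an empty dict is a pass."""
    leaked: Dict[int, int] = {}
    for doc_id in candidate_ids:
        try:
            doc = fetch(as_tenant, doc_id)
        except NotFound:
            continue
        if doc.tenant_id != as_tenant:
            leaked[doc_id] = doc.tenant_id
    return leaked


if __name__ == "__main__":
    ids = range(100, 300)  # sequential ids are what make id-walking trivial
    print("insecure:", cross_account_sweep(get_document_insecure, 1, ids))
    print("secure:  ", cross_account_sweep(get_document_secure, 1, ids))
```

The sweep is deliberately written against the fetch function rather than a particular framework, so the same test can be pointed at a live portal by swapping in a function that makes the HTTP request with tenant 1's session cookie and raises `NotFound` on a 403 or 404. Run it as every test persona against every other persona's id range, and rerun it after each upgrade or patch.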

The above precautions should also be repeated at each upgrade or application of patches. While this all sounds like hard work, it's all about staying secure, and applying upgrades is part of that. Leaving too long between upgrades leaves known vulnerabilities unpatched and may also violate your contract with suppliers. On the latter, make best use of their help desk services if you are paying annual maintenance for them. A supplier can act as a critical friend; not enough is made of this, and relationships with suppliers can be poor (and get poorer!).

Where you have built portals internally and they are home-grown by your ICT team, remember that the team then has to take on these responsibilities itself, as what they have built will essentially be one of a kind.

I hope my notes here provide some takeaways and help you avoid anything similar happening in your organisation.

Full ICO article text here.

Acutance Consulting can help you with self-service, UAT and staying secure;
please just get in touch for a chat over a brew 😋

       Related Post: After Covid, are we embracing the New Normal ?

I would be pleased to connect with you on LinkedIn - http://uk.linkedin.com/in/tonysmiththathousingitguy. Message me with any issues or queries you would like explored in this blog. We generally receive a couple of suggestions each month.

Metronomy – Insecurity.
(c) Tony Smith, Acutance Consulting www.acutanceconsulting.co.uk 07854-655009


Access a quick list of our Social Housing ICT blog posts here

Could we help you or your organisation? Our contact details are here; get in touch and we will be pleased to chat about your problems and help with your organisation's issues.


