Rebuffing A Cyber Attack audio version  |  12 mins  |  Listen now

As a ‘Microsoft house’, as former digital and brand lead Jarrod Williams* puts it, this meant that, once an employee had switched off their work devices, they lost access to every system, such as Outlook and Teams. They also had to delete any Microsoft apps from their personal phones.

Bromford’s ability to communicate with colleagues, customers and partners instantly disappeared, along with the housing association’s access to calendars and customer contact details.

‘We disconnected the organisation from every method of doing work and communicating in a matter of moments,’ he explains. ‘And that extends beyond a CRM system and our HR data; we had to disconnect all the buildings from each other, so key fobs no longer worked. Our colleagues’ fuel cards didn’t work, so we had to support them.’

But it was not all doom and gloom. ‘We were very lucky that some channels sit beyond the network, and a lot of those belong to comms,’ adds Williams. ‘That included our social media management platform, our direct mailing platform, and our website, which sits on an external network. We did lose our customer portal, and some elements of the site, but ultimately the base remained.

‘We took the decision because, at the start, we didn’t know what the attackers were trying to do. We didn’t know their intentions. Were they trying to steal data? Were they trying to send things through the company? The safest thing to do, to protect ourselves, was to disconnect from the world.’

The communications team were notified after the initial red flag, and Williams was invited to the first major incident meeting, where he requested the mobile phone numbers for all his colleagues before the plug was finally pulled.

‘It meant that we were able to quickly go to a third-party text messaging service, and get out our messages,’ he says. Ironically, Bromford had only recently decommissioned this service, which it had previously retained as a contingency measure.

‘In these situations, you need to have some fail-safes, with your channels. The website was a matter of setting up web pages that were not visible to customers, as well as pages specifically for customers and for our stakeholders, where they could get updates. We also used our social media channels, which is where a lot of our partner and customer communications went through.’

Three tweets were sent on the first day, highlighting that only emergency services were available, while a 50-second video featuring chief information officer Dan Goodall explaining the situation was uploaded on 25 July on Twitter, Facebook and LinkedIn.

Bromford also relied on WhatsApp, quickly setting up specific groups, such as one for senior leaders, and individual ones for different teams, which allowed information to cascade through the organisation. Every WhatsApp message to colleagues was swiftly followed by a text message, to ensure it had been received.

Regulatory bodies, such as the Housing Association Ombudsman and the Regulator of Social Housing, were kept informed, but as Bromford’s data was not breached, it was not required to notify the Information Commissioner’s Office, although it did so as a matter of courtesy. ‘They wanted to know that we were handling it, and that we were able to deliver a level of service to our customers.’

The National Cyber Security Centre, which has a division for not-for-profit organisations, also offered support, and Bromford had its own forensics team working alongside Microsoft’s instant response team. ‘Our most difficult conversation was with our insurance company,’ he says. ‘They wanted to make sure that everything was being done above board, because of the insurance claim that will be made.’

Bromford prides itself on its open and transparent approach. ‘We were able to have conversations with our insurers on what they were willing to accept, from a legal point of view, that we could say,’ explains Williams. ‘It’s why, in a lot of our communications, we use the line There is no evidence of a data breach. It was a legally approved line.’

Williams admits that when, after a week of investigations, the IT team confirmed that Bromford’s data was intact, there was a ‘collective sigh of relief’ across the organisation. ‘The big concern that everybody always has is Has my data been stolen? and that was one we could now answer,’ he adds. A service update video featuring chief executive Robert Nettleton, released on 28 July, announced the news.

Over 30 days, Bromford reached more than 70,000 people via social media, and released 20 separate video updates, for its three main audiences: colleagues, customers, and partners. The comms team also responded to every message and query posted on social media.

Bromford has always been alert to the threat of cyber-attacks, and had recently rolled out a new cyber awareness initiative across the organisation. It is mandatory training for every employee. ‘It was one of the reasons we knew about the red flags early, because colleagues were saying I’ve done my cyber awareness training and I’ve seen suspicious behaviour,’ he says.

Within days of the first major incident meeting, Bromford had established a tactical response group, comprising senior leaders with operational impact, such as communications and customer services, which met every morning.

An executive response team, comprising the C-suite, met immediately afterwards, to receive briefings from tactical response, and consult on any major decisions that needed to be made. The chief information officer sat on both groups, as did a representative from communications.

‘We’d come out of those meetings, write a precis and then go through the approval process, so that by 4pm we had created all the comms,’ he adds. ‘But we also planned for some events in advance. We knew that at some point we’d come back, so we filmed an update saying We’re nearly there and one saying We’re back.’

Ironically, Bromford did not follow its actual cyber crisis plan, which was first drawn up in 2016. ‘I had driven around with that [original] plan in a red folder in the back of my car, and everybody thought it was funny, but one thing we learned was not to put any business continuity plan onto a system that may get pulled down,’ says Williams.

‘We couldn’t access our newly created crisis plan, and the one I had was quite old, which had lots of instructions like Set up this shift pattern, Bring this person in. That’s all great if the incident follows some sort of formulaic framework but we didn’t know from moment-to-moment what would happen next.

‘We also didn’t have any access to platforms or data, which meant we had to remain agile and adaptable. We didn’t need to instigate a rota system for the comms team, as we weren’t doing comms early in the morning or late at night. But what we had forgotten was that, while we weren’t working really long hours, the expectations on us probably took more of a toll than we anticipated.’

The comms team also worked closely with the customer services team, as they connected with more than 100,000 people who rely on Bromford for their housing. ‘We physically sat with customer services to make sure they stayed on brand and on message, and were kept regularly updated.’

Working with a social media partner, Bromford was able to swiftly set up live chat on its website and provide a new, communications channel for customers. (Live chat had been under discussion, but the crisis provided the necessary impetus: it now handles around 40 per cent of customer queries, and is the preferred mode of communication for some.)

‘Customers did give us some leeway, at least for the first two weeks, because they could see we were communicating with them and being as open and transparent as possible.’ Partners were similarly supportive, recognising this was a situation which could so easily have happened to them.

But after Bromford confirmed that its data was untouched, customers ‘became experts in cyber security’ and could not understand why the systems could not simply be switched back on. ‘It is a long process to make sure systems are turned back on in a safe and secure way and in a certain order, to ensure one doesn’t compromise another,’ he says. ‘We did try to explain this to customers, but it is quite complex in a Facebook post, when really they just want to book a repair.’

One specific group was adversely affected, however: those who were moving, including some people scheduled to move on the day the system was shut down, and were packed up with their removal vans waiting. ‘They weren’t getting the keys to their new home because we couldn’t sign contracts or pay for things. Our lettings team was actively engaging with those who were affected but some customers were really upset even though we were assuring them that they would not be out of pocket,’ he adds. ‘Our priority were those people who were moving due to a domestic violence or safeguarding issue or who were homeless.’

The tactical response team was finally disbanded in early October, and Williams has since reflected on what a new cyber crisis plan should contain. ‘What would you do if you had no communications channel? Our plan didn’t go to that nth degree. We assumed there would always be something. It [reinforced the importance] of fall back channels, and the need for phone directories to be kept updated,’ he says. ‘While we wouldn’t endorse WhatsApp as a channel for our comms, it was probably one of the best ways to pass on routine information to our teams.’

The comms team has also conducted a Rose, Bud, Thorn exercise, where Rose reflects the positives, Bud the opportunities and Thorn the problems. ‘We highlighted the distribution of work within comms as a Thorn. For example, there was a [pre-planned] event for colleagues that took place during the first week, which meant that my team, which is mainly digital and brand, took on the comms response because the internal team were running that,’ explains Williams. ‘When they came back, because they weren’t necessarily in that first response, we probably didn’t do enough initially to bring them up to speed, which meant the pressure was on too few people. We lost a few days there.

‘We also highlighted the need for more clarity around the approvals process, because sometimes that was difficult. We discussed the need for people to be realistic: we were sometimes asked for comms at 12pm, but we only got the briefing at 11.30am. Everyone was busy, so getting hold of people was difficult,’ he adds, suggesting that an ideal solution would be for a senior executive to clear some time in their diary every day to approve communications. ‘It did help having comms people present in the office though.’

There comes a moment in every crisis where the messages need to change from response to recovery. ‘We had a pressure to return to normal communications versus how we bring colleagues on that journey,’ he says. While Bromford was able to announce to customers that normal services had resumed, allowing them to report issues or request repairs, colleagues were now working on live chat, which added several new layers to the process. In retrospect, there should have been more acknowledgement of the stresses caused by this extra workload.