Cybercrime and social housing – the risk is real

2023 was the year that cemented cybercrime as a significant, and very real, risk for housing associations. Organisations in the sector often control large volumes of sensitive personal and financial information about tenants, and process significant volumes of financial transactions. This can make them attractive targets for cybercriminals to breach and extort, particularly through ransomware attacks.

The cyber-attack against Clarion in June 2022 was the first major incident which highlighted the catastrophic operational, financial, legal and reputational impact a cyber incident can have on a housing association. This was followed swiftly by news of an attack affecting more than 90,000 customers of Bromford Housing Association and more recently, in December 2023, this was compounded by a successful attack on Connexus. The cost of responding to an incident like this is far-reaching and can include the delivery of a forensic investigation, PR and communication costs, repairing damaged systems, legal fees and possible fines. In addition, a cyber-attack can lead to serious reputational damage and loss of trust from tenants and other stakeholders.

According to a 2019 report by the National Cyber Security Centre, social housing providers are the fourth-most targeted sector for cyberattacks, after the financial, professional services, and public sectors. Capita was successfully attacked, causing over 90 of their pension scheme clients to report a data breach to the ICO. CTS who provide payment services to many solicitors, was also attacked, causing disruption to many people’s house sales and purchases while the issue was contained and remediated. The risks are the same across sectors when organisations hold a significant amount of customer information, opening them up to disruption and extortion. Capita has since estimated that recovery of the incident will cost them in the region of £25 million. IBM’s Cost of Data Breach Report 2023 suggests the global average cost of a data breach is $4.45 million per organisation. We must therefore be aware of the risks to help maintain resilience and be able to respond effectively in the event of an incident.

What are the key methods that cybercriminals use to target social housing providers:

• Phishing attacks: These are predominantly email-based attacks that socially engineer and trick users into revealing sensitive information, such as login credentials, financial information, or personal data.
• Ransomware attacks: Ransomware is a type of malware that encrypts a victim's files and demands payment in exchange for the decryption key. Social housing providers are particularly vulnerable to this type of attack, as they often store and process large amounts of sensitive tenant data.
• Data breaches: Social housing providers hold a large amount of personal information about tenants, including names, addresses, financial information, and further sensitive data. The cybercriminal’s modus operandi is no longer to just shut down systems, the current preferred method includes crippling systems, breaching data and also exfiltrating it, generating more pressure to pay a ransom.
• Malware infections: Malware is a type of software designed to cause harm to a computer system or network. Social housing providers are at risk of malware infections if their systems are not properly protected or if they fall victim to phishing attacks.
• Network intrusions: Social housing providers may also be vulnerable to network intrusions, where attackers gain unauthorised access to a network and steal or manipulate data.

It's important for social housing providers to take cybercrime seriously and to take steps to protect themselves against these threats. Cyber should be viewed as a governance issue and not just siloed off to IT roles. However, putting in place a robust set of technical controls and policies to effectively manage security, mitigate the risk and navigate an incident if it occurs need not cost the world.

Below is a short, and by no means exhaustive list, of key areas to address:

• Conduct regular cyber resilience assessments – not just of the organisation itself, but across your suppliers as well, to make sure security measures are implemented.
• Develop a cyber resilience policy – the risk from cyber is ever-changing, so make sure your policy and strategy is robust enough to counter it.
• Develop a ‘go-to’ cyber incident response policy – know your actions to take in the event of an incident and who from a governance position has the responsibility to manage that response.
• Train your people – they are your first line of defence so make sure they know how to recognise and respond to cyber threats, particularly from phishing attempts.
• Use multi-factor authentication (MFA) on user accounts – limit the impact of a serious breach if a user’s credentials are compromised.
• Regularly update software and systems – security patches should be tested and deployed as soon as possible.
• Test your systems – use tools to find weaknesses and then rectify those issues. Internal and External Vulnerability Assessments can be cost-effective ways to get an external view of weaknesses that a cybercriminal could also easily see and exploit.
• Limit access to sensitive data and important systems – reduce access to only those who have a requirement to help limit the impact if user credentials are compromised. Back up your data regularly and in a secure location in the event of a major incident - this will be essential.

Please contact Tim Robinson or your usual Crowe contact if you would like more information on the threats from cybercrime and how Crowe can support your housing association to build resilience and respond to an attack.