As the prevalence of cybercrime continues to grow across all sectors, the risk to housing associations is real and it must be addressed if they are to remain resilient. Sadly, it is a well-known fact that it’s not if you will experience a cyber-attack, but when. Social housing providers hold large amounts of sensitive, personal and financial information about tenants, making them attractive targets for cybercriminals to breach and extort, particularly through ransomware attacks.
Recent examples, such as the attack against Clarion in June 2022, have shown the significant operational, financial, legal and reputational impacts a cyber incident can have. The cost of responding to a data breach, including investigating it, notifying affected individuals and repairing damaged systems, can be substantial. In addition, a cyber-attack can lead to serious reputational damage and loss of trust from tenants and other stakeholders. According to a 2019 report by the UK National Cyber Security Centre, social housing providers are the fourth-most targeted sector for cyber-attacks, after the financial, professional services, and public sectors.
What are the key methods that cybercriminals use to target social housing providers?
On a positive note, the significance of the threat posed by cybercrime is now being understood. The Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2022 found that 82% of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, up from 77% in 2021. In comparison, 72% of charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. As awareness of cyber risk increases, knowledge follows and resilience can be built.
It's important for social housing providers to take cybercrime seriously and to take steps to protect themselves against these threats. Cyber security should be viewed as a governance issue and not just siloed off to those in IT roles to deal with. However, putting in place a robust set of technical controls and policies to manage security, mitigate the risk and navigate an incident if it occurs need not be a daunting or unachievable task when broken down.
Cyber security cannot be seen as a solely technical issue and be left to a company’s IT function to manage. Leadership must fully understand their governance responsibilities if they are to effectively manage the entirety of this significant risk.
Below are a number of relatively cost-effective measures that organisations can, and should, take to increase their resilience. This is a short, but by no means exhaustive, list of key areas to address.
Please contact Tim Robinson if you would like more information on the threats from cybercrime and how Crowe’s cyber specialists can support your housing association to build resilience and respond to an attack.