Build your resilience to the threat of cybercrime

As the prevalence of cybercrime continues to grow across all sectors, the risk to housing associations is real and it must be addressed if they are to remain resilient. Sadly, it is a well-known fact that it’s not if you will experience a cyber-attack, but when. Social housing providers hold large amounts of sensitive, personal and financial information about tenants, making them attractive targets for cybercriminals to breach and extort, particularly through ransomware attacks.

Recent examples, such as the attack against Clarion in June 2022, have shown the significant operational, financial, legal and reputational impacts a cyber incident can have. For example, the cost of responding to a data breach, such as the investigation, notifying affected individuals, and repairing damaged systems, can be substantial. In addition, a cyber-attack can lead to serious reputational damage and loss of trust from tenants and other stakeholders. According to a 2019 report by the UK National Cyber Security Centre, social housing providers are the fourth-most targeted sector for cyberattacks, after the financial, professional services, and public sectors.

What are the key methods that cybercriminals use to target social housing providers:

• Phishing attacks: these are predominantly email-based attacks that socially engineer and trick users into revealing sensitive information, such as login credentials, financial information, or personal data.
• Ransomware attacks: ransomware is a type of malware that encrypts a victim's files and demands payment in exchange for the decryption key. Social housing providers are particularly vulnerable to this type of attack, as they often store large amounts of sensitive tenant data.
• Data breaches: social housing providers hold a large amount of personal information about tenants, including names, addresses, financial information, and sensitive data such as criminal records. A data breach can result in this information being stolen or used for malicious purposes.
• Malware infections: malware is a type of software designed to cause harm to a computer system or network. Social housing providers are at risk of malware infections if their systems are not properly protected or if they fall victim to phishing attacks.
• Network intrusions: social housing providers may also be vulnerable to network intrusions, where attackers gain unauthorized access to a network and steal or manipulate data.

Positively, the significance of the threat posed by cybercrime is now being understood. The Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2022 measured that 82% of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase on 77% in 2021. In comparison, 72% of charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. As awareness around the risk of cyber increases, knowledge follows and resilience can be built.

It's important for social housing providers to take cybercrime seriously and to take steps to protect themselves against these threats. Cyber should be viewed as a governance issue and not just siloed off to those in IT roles to deal with. However, putting in place a robust set of technical controls and policies to effectively manage security, mitigate the risk and effectively navigate an incident if it occurs need not be overly daunting and unachievable tasks when broken down.

Cyber security cannot be seen as a solely technical issue and be left to a company’s IT function to manage. Leadership must fully understand their governance responsibilities if they are to effectively manage the entirety of this significant risk.

Below there are a number of relatively cost-effective measures that organisations can, and should, do to increase their resilience (short but by no means exhaustive list), of key areas to address.