Cyber Security For

Housing Associations

The housing sector has not been exempted from the rise in cyber-attacks. The rapid digitalisation of services, accelerated during and since the pandemic, has significantly expanded the sector’s attack surface, with attacks on the sector rising by 93% in 2021.

Remote working and online service delivery have also intensified risks via phishing, malware, ransomware, and other cyber threats.

THE UK HOUSING SECTOR IS A CYBER TARGET.

+ Clarion Housing Association

In June 2022, the UK’s largest housing association, Clarion Housing was hit by an attack that caused IT systems, phone lines and online services to be disrupted. Clarion manage over 125,000 homes across the UK, and the 2022 cyber incident left their operations disrupted for several months - with the firm losing an estimated £17million in operating surplus following the attack.

+ Connexus

Shropshire & Herefordshire based housing association Connexus, was subject to a significant cyber attack in December 2023.

The incident involved “unauthorised access to it’s systems”, leading to several IT systems and phones lines going down. The association were unable to confirm that customer data had not been breached, and issued a warning to customers and stakeholders to be vigilant for scam calls and phishing emails.

+ Hackney Council

The risk to the housing sector is not solely contained to the housing associations however - with local councils across the UK also becoming targets for cyber criminals looking to steal tenant data.

In October 2020, Hackney Council in London fell victim to “a serious cyber attack”, which saw the publication of a “limited” amount of customer/tenant data that was available across various dark-web forums. Following the attack, Hackney Council introduced a new housing management system to help their housing department address the damage from the breach.

Download Our Retail Cyber Threat Intelligence Report:

HOUSING SECTOR THREAT TRENDS

¼

of Housing Associations

£17M

¾

Have experienced an attack or breach since 2020

Around a quarter of housing associations in the UK have experienced an attack or breach - with the volume of threats continuing to increase year-on-year as well as the severity of successful breaches.

Only 4%

The cost of a breach on the UK’s largest Housing Association

In 2022, the UK’s largest housing association, Clarion Housing was hit by an attack that caused IT systems, phone lines and online services to be disrupted. System & operational downtime meant that Clarion lost £17 million in operating surplus as a result of the breach.

Of housing associations don’t currently have confidence in their incident response planning and processes

In the event of a breach, preparedness and incident response planning is crucial to minimising organisational downtime & system/operational disruption. Organisations that have an effective and up-to-date incident response plan are far more prepared for the potential fallout of a breach.

Of housing associations feel the sector is fully prepared for ransomware attacks

With various forms of ransomware and RaaS (Ransomware-as-a-Service) attacks becoming increasingly frequent and sophisticated in nature - organisations across many of the UK’s most critical sectors are evaluating their ability to defend against these types of attack.

WHAT SYSTEMS ARE BEING TARGETED BY ATTACKERS?

+ Service Delivery Platforms

Housing management systems, case/repair portals and payment processing systems are prime targets for cyber criminals looking to cause maximum operational disruption as downtime in these systems creates immediate leverage and significant reputational harm, forcing a rapid response - thus creating the perfect conditions for a ransomware attack.

+ Legacy OT & IoT in Buildings

Poorly segmented or unpatched systems, such as CCTV, access control systems, and Building Management Systems (BMS), in "smart buildings" provide a vulnerable entry point to the corporate network. 

+ Tenant & Applicant PII (Personally Identifiable Information)

The primary target. Includes tenant and applicant names, DoBs, contact details, government IDs, financial hardship data, and support-needs information. Used for fraud, identity theft, and to apply pressure in extortion schemes. 

+ Third-Party Suppliers & Integrations

Attackers target CRM providers, document management systems, and payment gateways. Compromising one supplier can provide access to multiple housing associations, maximising the impact of a single attack and causing long-term operational disruption that ripples well beyond the initial breach.

HOW WILL PURECYBER SECURE YOUR ORGANISATION?

Comprehensive, 24/7 Active Threat Protection - Our combined cyber security solutions offer you a complete package of 24/7 protection, proactive threat intelligence, expert consultancy & real-world attack simulations to ensure you are prepared, compliant and secure.

Only need a particular service? Our team of expert cyber security and governance specialists will work alongside your organisation to offer support across a range of services:

Managed SOC Services:

From 24/7 Security Operations Centre (SOC) monitoring, to Threat Exposure Management (TEM), Vulnerability Scanning, Managed Detection & Response/Endpoint Protection, Phishing Simulations, Breach Monitoring and Incident Response, we have all the managed cyber security solutions you need to keep your network secure - safe in the knowledge that your systems are being monitored and protected by an expert team of cyber professionals.

Penetration Testing:

Identify potential vulnerabilities and weaknesses in your network/systems with Application Testing, Infrastructure Testing, Red Teaming & IT Health Checks. Our CREST certified team of penetration testers will push your network security to it’s limits, remediating vulnerabilities and offering insight into the health our your IT environment.

Governance Support:

Ensuring your organisation is compliant with regulatory requirements and expectations is the backbone of your organisational cyber security. As an NCSC Certified Assurance Provider, our consultancy services offer guidance and support in improving organisations cyber policies, achieving accreditations, auditing cyber posture and approach and reaching compliance standards.

Our certified team of Lead Auditors, Lead Implementors, and CISSP consultants are here to guide and support you on all aspect of your cyber security compliance needs including consultancy on CE, CEP & IASME, ISO27001, Incident Response Simulation, Cyber Security Audits, vCISO & Awareness Training.

Learn more about Cyber Security