Impact of cyber-attacks on the social housing sector

Katie Alkaradi, Assistant Manager, Forensic Services
16/07/2024
The UK social housing sector is increasingly reliant on digital technologies to manage operations and deliver services. From online platforms for rent payments and maintenance requests to sophisticated data analytics for housing management, digital tools enhance efficiency, transparency, and tenant experience. However, this technological shift also exposes the sector to various cyber threats. Understanding these risks and implementing robust cyber resilience measures is crucial to safeguard sensitive data and ensure the continuity of essential services.

The nature of cyber risks

Cyber risks in the social housing sector manifest in various forms. Some prime examples are below.

1. Data breaches

Social housing organisations manage vast amounts of personal and financial data, making them an attractive target for cyber criminals. Many housing associations are moving away from their legacy systems to new platforms to manage various services, which has introduced an influx of vulnerabilities regarding data protection. For example, in 2022, Clyde Valley Housing Association launched its new digital platform, on which a user found that they could access documents relating to anti-social behaviour. These records contained personal information on other tenants, including names, addresses and dates of birth. The Information Commissioner’s Office (ICO) stated that this issue was not escalated immediately, and data was accessible for five days.

Incidents like the example above should not be taken lightly. For serious data breaches, the ICO can fine the organisation up to £17.5 million or 4% of its annual turnover, whichever is higher.

2. Ransomware attacks

Ransomware can bring organisations to a complete halt by encrypting information assets and demanding a ransom for their release. The latest ‘State of Ransomware’ report published by Sophos revealed that globally, 59% of organisations have experienced a ransomware attack in the last year, yet research has shown that only 4% of the housing sector believe that they are prepared to respond to a ransomware attack. This is an alarmingly low figure, considering ransomware attacks can take up to a week, or even a few months, to recover from. Housing associations cannot afford to have their systems, or their third parties’ systems, inoperable for this amount of time. Housing providers need to be consistently monitoring for potential vulnerabilities and be prepared to respond to such an attack.

3. Phishing attacks

Employees, third-party providers and residents can be targeted by phishing schemes. This method of attack is forever evolving in sophistication; with the increasing use and development of artificial intelligence (AI) technology, phishing emails are becoming difficult to identify in your inbox. Further research shows that 20% of phishing emails now employ technical measures that are able to evade Microsoft 365 and secure email gateway detection, meaning emails with malicious content are making their way into people’s inboxes more easily than before.

4. Insider threats

Employees with access to systems and sensitive data can inadvertently or maliciously cause data breaches. Research by InfoSec has found that 74% of data breaches are caused by the human element via error, privilege misuse, use of stolen credentials or social engineering. Not encouraging and reinforcing cyber awareness and hygiene can result in a costly incident. Employees need to be trained in cyber awareness and hygiene, as well as being made aware of the repercussions of cyber incidents.

5. Supply chain attacks

Social housing providers frequently engage third-party vendors for numerous services, introducing additional vulnerabilities to confidential and sensitive information. Housing associations need to be aware of how suppliers manage and protect their data, and how they would respond to any incidents. The Government’s Risk Sector profile 2023 states that:

“They [Boards] must also understand the risks of processing personal data with third parties, including the need to undertake due diligence on third parties’ security measures, using standardised contractual clauses where necessary, and documenting where data is located. Boards must ensure that providers have contingency plans in place in the event of unforeseen data incidents and cyber-attacks, considering workarounds to ensure continued critical service delivery.”

What are the impacts of a cyber incident at a housing association?

Operational disruption

Cyber-attacks can halt critical services, affecting everything from rent collection to emergency maintenance. This will not only affect the housing provider, but it will have an impact on tenants by causing distress if they are unable to make payments, or report emergencies if lines of communication are down.

Financial loss

Beyond the immediate costs of remediation and potential ransoms, housing providers may face legal fines and compensation claims.

Reputational damage

Loss of trust can lead to long-term damage, affecting tenant relations and any future funding opportunities. If a housing association has failed to incorporate cyber resiliency measures into the organisation to the best of its ability, it may give the impression that it does not care about its cause, or the wellbeing of its tenants.

Data privacy violations

Breaches can expose tenants' sensitive information, leading to identity theft and fraud. Social housing tenants may already be financially vulnerable; if their data were to be breached, it could cause immense distress.

Mitigation strategies

To mitigate cyber risks, social housing providers must adopt a comprehensive cybersecurity strategy encompassing the measures below.

1. Robust cyber/information security policies: establish and enforce strong policies around data protection, access control, and incident response.

2. Investment in cyber resilience: allocate sufficient budget to upgrade IT infrastructure and engage cyber professionals to advise.

3. Employee training and awareness: provide regular training sessions to educate staff about cyber threats and best practice. This will ensure employees remain up to date with evolving cyber threats and can significantly reduce the risk of human error.

4. Incident response planning: develop and regularly test and update an incident response plan to quickly and efficiently address, contain and mitigate the impact of cyber incidents.

5. Third-party risk management: establish stringent cyber and information security requirements for third-party suppliers and regularly review their compliance against industry best standards.

As many continue to rely on housing associations to provide a roof over their heads, providers must strive to implement robust cyber resilience measures, fostering a culture of cyber awareness. By doing so, social housing providers can protect sensitive data, ensure the continuity of essential services, and maintain the trust of their tenants.

How can Crowe help?

Our Forensic Services team has the knowledge and tools to ensure our clients have a robust and well-rounded cyber resilience framework in place. Our team can provide ongoing advisory, monitoring, and training to your organisation, while catering to your specific sector.

For more information, contact Tim Robinson, or your usual Crowe contact.

Contact us

Tim Robinson
Partner, Forensic Services
London