Why Housing Associations haven’t been spared from the rise in cyber-attacks

The social housing sector might not be at the front of people’s minds when it comes to cyber security risks in the UK. However, with a total portfolio of approximately 2.4 million homes to manage, the UK’s 1,600 housing associations have an enormous responsibility to shelter a significant number of families and individuals in every region of the country.

As part of the essential services they provide to society, they store a vast amount of personal data digitally, which they must protect under the Data Protection Act 2018. Much of this information is sensitive and confidential to their customers, who trust them to look after it as much as they do to provide safe and affordable homes.

Housing providers vary greatly in size from the largest in Greater London having 600,000 homes under their control to smaller ones in deeply rural regions of the country.

Proportionately, their resources vary widely too. But even the best-resourced providers lack the skills and know-how to safeguard themselves from the ever-evolving digital threat landscape. With relatively lower levels of budget provision for IT security than some other sectors, social housing is perceived as being an easier target to breach and steal from.

Why housing associations are lucrative to cybercriminals

So it’s no wonder that cybercriminals have been targeting the industry for years. Some successful cyber-attacks have been made public, with high-profile cases reaching the press as well as technology and cyber security trade publications. Accounts usually tell of successful break-ins where criminals have stolen the data of thousands of citizens, or, equally maliciously, ransomware attacks where housing providers have been locked out of their systems until they pay up. And while exact figures aren’t always made public, it’s well-publicised that cybercriminals can charge millions of pounds at a time.

Even if victims shell out the exorbitant fees to regain access, there’s no guarantee they’ll be granted it and, if they are, they may have to wait an indefinite period of time. Furthermore, if a housing association has been hit, there’s no magic shield to quickly protect all others from the same devious methods and awful outcome. What techniques work for a criminal in one organisation may well work for them or another criminal in another housing association.

Current cyber risks facing housing associations today

Risks have been evolving for every sector of the economy over the years and the result is that no sector is now off limits for threat actors. According to tax consultancy RSM UK, a shocking 25% of the country’s housing associations have suffered from a cyber-attack in the last 12 months.

Industry chiefs understand all too well the scale and severity of such attacks and they are taking the problem seriously, raising cyber security towards the top of their priority list.

But this knowledge alone won’t deter threat actors who, if anything, have escalated their aggression in recent months. There’s no sign of attacks slowing down and, in contrast, they might become even more frequent in the aftermath of Russia’s invasion of Ukraine. Even before the conflict, the UK was the third most-targeted country in the world after the US and Ukraine, according to Microsoft’s comprehensive Digital Defense Report, which covers cyber incidents worldwide from July 2020 to June 2021.

The challenge of ransomware

Of all the cyber risks facing housing providers today, ransomware attacks are arguably the single biggest challenge.

Once criminals breach a system, they can encrypt data to prevent the company from accessing it. Unless the victim pays the ransom fee, that data, which could include names, addresses, email addresses and more sensitive information, might be sold on the dark web or even be used to phish tenants for bank account details. In responding to such attacks, the providers might need to shut down their IT systems, which in turn can disrupt essential services. This is all potentially very expensive and damaging to an association’s business and reputation with both its customers and the housing regulator.

Professional criminals can launch phishing attacks at anyone, depending on what they are trying to achieve and, quite possibly, on what is easiest to achieve. They might target employees at the housing association, third-party suppliers or the residents themselves. They’ve been known to use a multitude of tricks, often pretending to be someone else. In one case in the UK, in emails sent to tenants, criminals pretended to be representing a maintenance company. Once they have extra information it’s then easier to build a stronger identity to go on to collect yet more personal details with the obvious risk of stealing someone’s identity entirely.

So, can organisations train their employees to avoid fake messages? Do they have a duty to coach their residents to avoid such traps too?

Vulnerabilities in supply chains

As organisations have beefed up their defences, threat actors have increasingly launched their attacks further along the supply chain, trying to infiltrate third-party suppliers as an indirect way into their primary target. So, it’s no longer enough just to consider one’s own defences; due diligence needs to be conducted on third-parties’ security measures.

Although many of these risks have been seen to materialise as serious incidents over the past few years, by the very nature of cyber, there are always ‘unknown unknowns’. That is, while a lot of threats and attacks are well researched, documented and shared among the cyber security industry and community online, there’s the constant concern that some new malicious virus is lying dormant and will one day emerge in a form that security experts have never seen before.

How Quorum Cyber and Microsoft Security technologies can reduce risk

While there’s plenty of free advice about what basic procedures housing associations can follow to protect themselves, like the majority of organisations in other sectors they only have finite resources and IT teams that are already too busy to cope with extra workload. Even the largest business-like companies in the big cities lack the funds, time and capabilities to quickly build in-house cyber security teams. The UK is currently in short supply of such skills, making them highly-sought after and expensive.

Fortunately, there’s another way to protect assets, data and customers from the non-stop series of cyber-attacks being witnessed today.

At Quorum Cyber we’re proud to have teams of certified cyber security professionals mastering the latest Microsoft Security technologies. By combining human intelligence and creativity with Microsoft’s strength and their annual $1billion per year investment in cyber security, you can be sure that you’re in safe hands. But despite our technical expertise, we always focus on our customers’ problems and how we can work with them to reduce risk and optimise their security investment.

If you would like to find out more about our services for housing associations, please visit our dedicated Housing Association industry page.

Contact us if you’d like to discuss how we can help you.