First published in Housing Technology.
It seems like cyber-attacks on British businesses, public-sector and not-for-profit organisations are now weekly news events. Fortunately, the housing sector is much more aware of the threats posed by cybercriminals, who are keen to make a quick profit, than it used to be. This is in part due to more media attention on successful cyber-attacks in all sectors in the UK and around the world.
But as attacks continue to increase in frequency and sophistication, and as more people work either remotely or in a hybrid model, it’s essential that associations and their employees remain vigilant and can adapt to these changes.
In what’s now an unpredictable and sometimes hostile digital environment, it’s important to ensure that end-user devices such as laptops and smartphones are always secure and that employees don’t succumb to cyber security fatigue.
It’s often said that it’s not if, but when an organisation will experience a cyber-attack. It might find out because it receives a ransom note, or a cybercriminal might have stolen data quietly without notifying the business. Thankfully, more executive teams are taking action to strengthen their cyber security and improve cyber resilience – their ability to survive whatever is thrown at them and bounce back in better shape from any setbacks.
Awareness, education, and training
Employees can be the frontline of defence for any association. Regular cyber security training for remote employees is essential; it’s good practice to show them how to identify the latest social engineering tactics and phishing attacks, and test their ability to spot malicious messages.
While the old approach to cyber security was to build a wall around the organisation’s assets and assume nothing breaks through, this method is now well and truly redundant. IT estates are complex and often huge, so the optimum approach today is to monitor all assets regularly and assume that adversaries do get through anyway. No business is fail-safe all the time, so it’s best to work by the mantra ‘not if, but when’.
What is the Zero Trust model?
Many organisations have adopted the Zero Trust model, which has three principles:
- Verify explicitly: always authenticate and authorise everything
- Use least-privileged access: limit user access with just-in-time and just-enough-access to tighten data security
- Assume breach: compartmentalise infrastructure to minimise any damage, verify end-to-end encryption and use analytics to detect any threats and strengthen defences.
Most threats will be reduced by following these principles.
Adopt a cyber security culture
By creating a culture of cyber security in the boardroom and cascading it down through every department and team, every employee should gain the right mindset to protect the association’s assets, its data, its tenants’ data and ultimately the association’s reputation with its stakeholders and with the wider industry.
As we head towards 2026, we can expect more organisations to adopt a cyber security culture and embed the principles of zero trust. Many are also planning compulsory cyber security training for all employees.
For the housing sector, thriving in the hybrid and remote working era is achieved by optimising security culture, prioritising security training, and fostering security collaboration with other organisations. There are a lot of benefits to be gained by combining efforts with others in the industry to act on threat intelligence and bolster security through these partnerships.
Protect your employees, your business, and your reputation
Our comprehensive portfolio of threat-led managed security and professional services, including Clarity Data, Offensive Security, Cyber Resilience Assessment (CRA), Incident Response Preparedness and Incident Response Retainer, is designed to protect housing associations’ employees, tenants, data and reputation from ever-evolving cyber-attacks.
Get in touch with us today to find out how to strengthen your cyber security posture and cyber resilience so that you can thrive in an inhospitable digital environment.















