The UK government’s Cyber Security Breaches Survey 2023 revealed that 32% of businesses and 24% of charities experienced breaches or attacks within the 12 months prior to the survey.
The rate was higher for medium and large businesses (59% and 69%, respectively). For high-income charities with at least £500,000 in annual income, the rate was 56%.
Housing associations manage a wealth of sensitive information, from personal tenant data to financial records, making them attractive targets for cyber criminals. Yet other research shows that a mere 4% of housing associations feel the sector is prepared for a ransomware attack, while only 46% of HAs are prepared for disaster recovery.
In light of some prominent incidents over the last few years, we decided to address the topic. In this article, we’ll discuss some recent attacks and the measures we use to protect our systems.
The rate of cyber threats targeting housing associations has risen, manifesting in several alarming breaches over the past few years.
The consequences of such attacks are far-reaching. Beyond the immediate disruptions, they shake the trust that tenants place in these institutions. In addition, the recovery process can be long and costly, with organisations needing to invest heavily in security upgrades, and lose funds to potential fines and compensations. The loss of sensitive data can also lead to long-term issues for affected tenants.
Housing associations have enough on their plate at the moment, without having to deal with cyberattacks. It’s vital for these organisations to take all the standard security measures internally as well as ensure their software partners are doing their part.
In fact, Inside Housing’s Risk Register Survey 2024 shows that the risk of cyberattacks has superseded health and safety as the most commonly cited concern.
Some recent attacks are discussed below.
Amongst the most recent incidents is the attack on West Midlands Housing Association. The organisation, which manages 10,000 homes in Herefordshire and Shropshire, was subject to unauthorised access in December 2023.
As well as the risks to tenants’ data, the attack caused a real operational struggle as staff had to prioritise mitigating the consequences over their usual services, leaving tenants frustrated. The company also took their systems offline temporarily as a cautionary measure.
Some tenants reported scam phone calls, which may have been related to the breach. The company advised all tenants to be extremely vigilant about discussing financial information with them or any other financial institutions.
A G15 Housing Association faced a cyberattack in July 2022, which put the 350,000 residents at risk. It was a suspected malware attack which led to the disruption of several critical systems and the breach of residents’ personal data. In fact, the company were not sure of the extent of the impact.
84% of residents experienced an increase in phishing activity after the breach, with one reporting that he was subject to 31 attempts within three weeks.
The severity of the attack led to the request for government intervention, with the aim to replace the board.
In November 2020, a Norwich-based HA was subject to a ransomware attack (by the ransomware known as Sodinokibi). Their systems were taken offline, but not before attackers managed to access personal data of residents and staff. As is usually the case, operations were significantly disrupted.
A London Borough Council has spent more than £12 million recovering from their October 2020 breach. The attack was traced to the cyber-criminal group known as Pysa/Mespinoza, which, three months after the attack, claimed to have published sensitive data – including passport documents – on the dark web. However, the council later stated that the majority of residents were unaffected.
The resulting chaos involved delays to benefits claims, adding people to the housing register, land registry searches, and even the operation of printers in libraries across the borough.
Considering the many cyber threats out there, we knew we needed to use a robust cloud platform for maximum security. AWS continuously develops in order to address the latest cybersecurity threats; along with the features discussed below, it arms us to ensure that our software and end-user data are safe as houses.
AWS offers many advanced security features that safeguard against unauthorised access, data breaches, and other cyber threats. These include encryption, multifactor authentication, and sophisticated access controls, ensuring that sensitive data remains protected at rest and in transit.
Key Management
The AWS Key Management Service provides a secure and resilient environment for creating and managing the encryption keys used to secure data. The service supports the creation of keys, the handling of permissions, and ensures that encryption practices align with strict security policies and compliance requirements.
Network and Application Protection
AWS provides thorough, granular network protection at scale, minimising the need for manual infrastructure management. As well as its continuous real-time traffic visibility, it offers numerous measures to protect against various risks including unauthorised access, web exploits, and DDoS attacks.
Continuous Monitoring
AWS’s continuous monitoring and threat detection capabilities provide real-time security insights. This proactive approach helps identify and mitigate potential threats before they can cause harm, which is essential given the advanced capabilities of today’s attackers.
In fact, AWS have a broad range of tools for intelligent threat detection and vulnerability management, many of which use machine learning for added robustness.
These are just a few of the near-endless number of security tools that AWS offers.
AWS is compliant with major international, regional, and industry-specific security standards, which is critical for organisations that handle large amounts of personal data. A few examples include:
As we touched on above, the scalability of AWS does not compromise the security of the operations involved. No matter how vast an operation, users have the assurance that the same stringent controls are in place. Its flexibility also allows for tailored security measures in line with user-specific requirements.
Housing associations can safeguard their data by implementing robust internal cybersecurity policies, maintaining an active posture on the latest cyber threats, and regularly training staff on cybersecurity best practices.
In fact, the overwhelming majority of breaches begin via email, which really illustrates the value of training. What might seem obvious to management is not necessarily going to be clear to all users, so it’s important to address the fundamentals such as phishing and password hygiene.
Associations should always keep software up-to-date with the latest security patches (unless cloud-based housing development software is in place – in which case, this is all taken care of by the provider).
An Incident Response Plan is always a must, no matter how well you’re protected. This plan outlines a predetermined set of procedures to follow in case an attack occurs, and should include the following:
As cyber threats continue to evolve, so must the security measures that every organisation implements, especially in sectors like social housing where the privacy and security of numerous tenants is at stake.
Through the measures discussed above, housing associations can better protect themselves from the potentially devastating impacts of cyberattacks, ensuring continuity, trust, and resilience in their operations.
Working with a software provider that prioritises security is vital for minimising the risk. To enquire about our secure solutions or consulting services – or to request a demo – contact us today.