Elevated Risk of Cyber Threats for Housing Sector

Building societies are responsible for securing the sensitive and confidential data of every tenant using their services. Every name, phone number, postcode, bank detail; the cyber security of millions of families depends on the security implemented by Housing associations.

In the UK alone there are approximately over 2.4 million managed homes ran by over 1,600 associations. It is these associations that are responsible for the security for all the residents occupying these buildings, across the country.

Now put this on a global scale. The Housing industry, and with it the multitude of processes and systems, is exceedingly vulnerable to cybercrime. Why? Because with such a large digital footprint, and with-it multiple attack vectors and entry points, including that of the agent, the landlord, the tenants, the providers, the maintenance (the list is endless), means that there are more ways than ever for bad actors to infiltrate systems and processes.

Why Are Housing Associations an Easy Target?

Housing associations face many challenges when it comes to their cyber security. Organisations face issues with a lack of qualified staff and security management. Business operations often take priority over security best practices, and the budget is frequently limited for a cyber security department. In addition, infrastructure hosted in the cloud can grow quicker than most companies can keep up with, making business data, people, and processes vulnerable to attack. 

Not only this, but many housing associations and their associate 3^rd parties are SME’s or emerging businesses. A single attack can destroy a business overnight, yet there is still a misconception that only large companies are at risk. Often protection is unfairly pushed to IT teams, but IT teams do not have the same skills or resources as security experts, and cyber security remains an afterthought for many SMEs only once an attack takes place. But by then, it is often too late.

Phishing and Ransomware Attacks in the Housing Sector

Ransomware attacks have increased significantly, across all sectors in recent years. But within the housing sector, ‘the threat of data publication is often more impactful for organisations such as housing associations who will commonly hold both personal and special category personal data. The sector is already well served by a healthy claimant legal community, and a data breach arising out of a cyber-attack can expose organisations to a significant legal cost exposure from claims.’ – Dac Beachcroft

We all remember the Hackney Council Ransomware attack, where criminals ‘attacked the council with Pysa, or Mespinoza, ransomware in October 2020, and the following January, cyber criminals published documents on the dark web, which allegedly included personal details of council staff and residents.’- ComputerWeekly

In response to the attack against Hackney Council, and after observing a sudden increase in ransomware attacks across the globe in the industry, a white paper entitled SecurityHQ’s Zero Trust x40 was written by SecurityHQ, to provide a list of simple, inexpensive and common-sense mitigations that seek to break the adversarial tactics required to successfully orchestrate an enterprise-wide ransomware attack, including Initial Access, Privilege Escalation, Lateral Movement and Exfiltration. Download White Paper Here.

Supply Chain Attacks in the Housing Sector

‘Even if organisations aren’t attacked themselves, housing providers are also exposed via their supply chain and third-party partners. Many housing providers use third parties to provide services (for example, housing repairs). Should the third party be hacked, there is a risk that the housing provider will be held responsible.’- Dac Beachcroft

If a supply chain attack impacts an organisation, this can cause mayhem between other providers. Which means, while it is costly to respond to an incident and fix the issue itself, the downtime of systems can be equally financially devastating. Critical services including payment systems (rent, deposit etc), application processes, maintenance, and repair services, can all be impacted.

For instance, the phone systems were shut down following a recent attack against Clarion housing association, which ‘owns and manages 125,000 homes, said on its website that it was working urgently with its cyber security partner to restore systems after the attack. According to a spokesperson, Clarion staff noticed disruptions to some of its systems. The landlord said the attack had affected a number of its phone lines and it is now advising residents not to contact it by phone unless they need to book an emergency repair, which is anything that affects a tenant’s health and safety.’ – Country’s largest housing association hit by cyber attack

Recommendations to Improve Cyber Security Posture of the Housing Sector

By dealing with issues that are a high priority first, you deal with the challenges that have the biggest impact on closing out security loopholes and protecting data. The quicker you can get something contained, the safer and better it is for all. Which is why it is necessary to orchestrate and automate a response to block or isolate an infected machine. Skilled MSSP experts are trained to identify attacks and mitigate threats before any impact is made.

1. To mitigate against exploits, ensure that you have Managed Detection & Response (MDR) capabilities in place, and that you have the latest Threat and Risk Intelligence to cover key Threat Intelligence use-cases.

• Learn how services, including Vulnerability Management, can be used to visualise and understand malicious or anomalous activity. Analyse, prioritise and respond to threats in rapid time. Safeguard your data, people, and processes.

• Ensure employees know how to spot and report a cyber incident. Watch this webinar for more.

Having conducted incident response investigations across a wide range of industries, and with clients across the globe within the sector, SecurityHQ are best placed to work with housing organisations both large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on how to improve your security, or if you have a question about a service, speak to an expert here.