10 measures to help guard your social housing providers against cyber attacks

In just one recent example, the Electoral Commission issued a public notification of what it called a ‘complex cyber-attack’ in which ‘hostile actors’ gained access to the UK’s electoral registers, which contain personal information for an estimated 40 million people.

In this update, we have identified the 10 key areas that should be prioritised in your approach to cyber security management.

1. Recognising the threat landscape

The threat landscape in the cyber security realm is continually evolving. Social housing providers are attractive targets for cybercriminals due to the wealth of personal and financial data they store. Staying informed about the latest cyber threats and vulnerabilities – such as ransomware attacks, phishing scams and data breaches – is essential.

2. Employee training and awareness

One of the most significant vulnerabilities in any cyber security framework is human error. Social housing providers should prioritise ongoing cyber security training and awareness programs for their staff. Employees need to be regularly educated about recognising phishing attempts, maintaining strong passwords and following best practices for data protection.

3. Implementing Multi-Factor Authentication (MFA)

MFA is a simple yet effective measure to enhance security. By requiring users to provide multiple forms of authentication before gaining access to systems or data, the risk of unauthorised access is significantly reduced. If you don’t have MFA, why not?

4. Regular system patching and updates 

Outdated software and systems are prime targets for cyberattacks. Every organisation should have an established, audited routine schedule for applying security patches and updates to all software and hardware. This proactive approach can prevent known vulnerabilities from being exploited. Some organisations still don’t do this!

5. Access control and ‘least privilege’ principle

Limiting access to sensitive data is crucial. By adhering to the principle of ‘least privilege’, organisations ensure that employees only have access to the data and systems necessary for their roles. This minimises the risk of insider threats and unauthorised data exposure.

6. Data encryption and secure file storage

Social housing providers should prioritise data encryption both in transit and at rest. Encrypting sensitive data ensures that, even if it falls into the wrong hands, it remains unintelligible and protected. Additionally, secure file storage solutions should be employed to safeguard documents and records. 

7. Incident response plan

No organisation is immune to cyber attacks. Having a well-defined incident response plan in place is critical for minimising damage and downtime. However, unless it is regularly reviewed and updated the incident response plan will be ineffective. When did you last conduct a drill to ensure swift and effective responses to potential breaches?

8. Third-party vendor assessments

Many social housing providers rely on third-party vendors for an assortment of services, whether that is for IT, finance, or maintenance. It is essential to assess the cyber security practices of these vendors and ensure that they meet security standards and compliance requirements. Contracts with vendors should include clear cyber security clauses and expectations.

9. Compliance with data protection regulations

Compliance with data protection regulations, such as the General Data Protection Regulation (GDPR), is not only a legal requirement but also a best practice for data security. Social housing providers should regularly audit their data handling processes to ensure alignment with these regulations.

10. Continuous monitoring and threat intelligence

Cyber threats are continually evolving. Social housing providers now need to invest in robust cyber security monitoring tools and services to detect and respond to threats in real time. Staying updated with threat intelligence reports can help organisations proactively defend against emerging threats.