When cybercriminals strike, it’s easy for housing providers to forget the impact a breach can have on their tenants as they focus their energies on restoring IT systems.
Housing providers might not seem to be obvious targets for cybercriminals, but they appeal to them for several reasons:
- They hold a treasure chest of personal data;
- They often lack the IT resources of other sectors;
- They rely heavily on digital solutions to manage tenancies.
The RSM’s ‘Health of the Social Housing Sector 2021’ survey revealed that 25 per cent of housing providers had suffered a cyber-attack. Over the past couple of years, notable attacks include those on Flagship Group and on property service providers Liberty Group and Plentific.
More recently, in June 2022, the UK largest housing provider, Clarion, was breached. While carrying out the necessary post-breach forensic investigations, Clarion disabled its online services that its tenants rely on to make payments, request repairs and report antisocial behaviour. Communications between the organisation and its tenants were limited to emergencies only and at the time of writing, most of its digital services still hadn’t been reinstated.
And then in July 2022, Bromford Group discovered malicious attempts to access its systems. Although it reported that its data hadn’t been compromised, its online systems were affected, with its customer service portal becoming temporarily unavailable.
With many services being digitised, tenants are frustrated when normal operations aren’t resumed quickly. Without adequate dialogue with their housing providers, they increasingly turn to social media and the press to express their frustration.
With the Clarion incident, tenants were particularly concerned about rent payment processing and whether their personal information had been exfiltrated, particularly as some tenants claimed that they’d seen an increase in phishing emails. During this ongoing investigation, Clarion confirmed that its CRM system hadn’t been accessed but it was still investigating the impact on data stored elsewhere. The Social Housing Action Campaign (SHAC) group took up the tenants’ cause and wrote to Marcus Jones, government minister for housing, and Fiona McGregor, chief executive of the Regulator of Social Housing, asking for Clarion’s board to be replaced. In turn, this action made its way into the press.
Reputation and communication
It’s important not to underestimate the reputational impact of breaches. Your IT team might be doing a brilliant job behind the scenes to re-establish normal operations, often working around the clock to reinstate services. Yet those efforts won’t be appreciated unless you plan how to maintain services offline when tenant portals are down and how you’ll communicate developments effectively to stakeholders.
Reducing the time to recovery is critical to maintaining smooth relationships with tenants, but this is one area where cyber insurance won’t solve your problems. Yes, if you qualify, it will help with remediation costs but it won’t help you get systems back online quicker. Sophos’s recent ransomware report revealed that it took respondents an average of one month to recover from a breach.
What can you do to increase the chances of stopping a breach in the first place and be better prepared if you do get compromised?
Not just IT’s responsibility
IT teams can’t carry all the responsibility for managing cyber-attacks. Executive boards need to take an active role in incident response planning or potentially face legal action from tenants and investigation by the ICO. Lack of cyber resilience can also affect an organisation’s credit rating; in a recent report, ratings agency Standard and Poor’s said it could change a housing provider’s management score based on its cyber-risk preparedness.
A ‘whole organisation’ approach is needed. As phishing attacks are often the entry point for cybercriminals, focus on your organisation’s cyber hygiene and train staff to recognise malicious behaviour through mock phishing exercises. Create an incident response plan that addresses not only how you will communicate with employees when systems are taken offline but with your tenants too.
When a breach occurs, it can be overwhelming for small IT teams. Consider whether your staff will be able to respond quickly; do they have the skills and expertise to deal with sophisticated hands-on attacks or indeed hunt for them in the first place? Not all housing providers have the right products, people and processes in-house to effectively manage their security risks around the clock while proactively defending against new and emerging threats.
Managed detection and response
As a result, a growing number are using managed detection and response (MDR) services such as Sophos’s solutions. According to Gartner, 50 per cent of organisations will be using MDR services by 2025 (up from fewer than five per cent in 2019).
Peter Firstbrook, a Gartner analyst, said, “We see a huge interest in managed security services because the whole security market is becoming far too complicated for the average organisation.”
Sophos’s MDR service provides 24/7 threat hunting, detection and response capabilities delivered by an expert team as a fully-managed service. Going beyond simply notifying you of attacks or suspicious behaviour, our team takes targeted actions on your behalf to neutralise even the most sophisticated and complex threats. They also provide actionable advice for addressing the root cause of recurring incidents, improving your security posture.
We have a very helpful document on our website entitled ‘Effective Communications and Public Relations after a Cyber Security Incident’ (sophos.com/en-us/medialibrary/pdfs/other/cyber-security-incident-communication-framework.pdf), which provides a framework for effective corporate communications.
Jonathan Lee is the director of public sector relations at Sophos.