Newark & Sherwood’s cyber-security transformation
Newark & Sherwood District Council was Highly Commended in the Cyber Security category at the Housing Technology Awards 2026.
Against a background of housing providers facing sophisticated cyber-threats, our cyber-security project moved Newark & Sherwood District Council from a position of cyber-vulnerability into a model of resilience and best practice. Our project shows how leadership, governance, technological innovation and cultural change can deliver measurable, sector-leading outcomes.
Facing up to reality
The journey began with an independent, risk-based audit that delivered only ‘limited assurance’ on our cyber-security posture. The findings were stark: vulnerabilities remained unaddressed, risk ownership was ambiguous and legacy systems undermined our regulatory compliance. The audit identified 21 issues (nine high, ten medium and two advisories), exposing us to unnecessary risk and threatening our ability to meet sector standards.
Crucially, the auditors noted that security awareness wasn’t fully embedded in our culture, processes or policies. Without decisive management action, the risk was likely to intensify. The situation was exacerbated by our lack of a dedicated cyber-security budget, minimal event monitoring and limited alerting capabilities. Staff often viewed security as an obstacle and IT teams lacked specialised training. Legacy on-premise systems, including our core housing management system (HMS), weren’t properly segregated, thereby compounding our compliance and vulnerability concerns.
Phishing simulations revealed an above-average number of compromised users, highlighting our susceptibility to social engineering. Incident reporting was low, indicating gaps in staff awareness and response protocols. The message was clear – a fundamental shift was needed.
Setting the tone from the top
Our transformation began with our senior leadership. Recognising the gravity of the audit’s findings, the council’s senior executives endorsed a major project to address governance, risk ownership and compliance. Drawing on the Local Government Association’s Cyber360 programme, the organisation restructured its approach, engaging not only IT but also leadership and staff across all of the council’s departments.
We developed a comprehensive cyber-security strategy, and governance was formalised through a corporate information governance group (CIGG), accountable for cyber risk at the highest level. Risks are now considered in all leadership reports, with regular updates to the council’s audit committee. Importantly, every board member has completed National Cyber Security Centre-accredited training.
Modernising systems and proactive defence
A major pillar of the transformation was technological renewal. We implemented a security operations centre (SOC) with real-time monitoring and alerting, powered by a cloud-based security information and event management (SIEM) solution. This replaced minimal event visibility with proactive threat detection and rapid response capabilities.
Our legacy systems, previously a source of critical vulnerabilities, were systematically segmented and migrated to modern cloud platforms. By May 2025, our HMS (a high-risk area) had been moved to a secure SaaS architecture, greatly reducing our exposure and strengthening our compliance.
Adopting the NCSC’s active cyber defence (ACD) services further safeguarded our housing systems. Protective DNS blocked access to malicious domains, reducing the risk of malware and phishing. Mail Check enforced robust email authentication (DMARC, SPF & DKIM), preventing spoofed communications and protecting tenants’ data. Web Check identified and remediated vulnerabilities in our public-facing portals and the Early Warning Service provided timely alerts on emerging threats.
As a mark of commitment, we became the only organisation in the UK to adopt all of the Local Government Association’s cyber-security offerings, setting a new standard for sector compliance and innovation.
Cultural shift
Technology alone can’t deliver resilience, so we had a parallel focus on cultural change, embedding cyber awareness into organisational behaviour, governance and service delivery. The Cyber360 review provided a cultural lens, engaging leadership and staff beyond IT and driving the adoption of targeted training, phishing simulations and incident-response protocols.
Security is now seen as an enabler, not an obstacle. Our staff and contractors all complete mandatory annual training, while cyber risk is decentralised to departmental leads, making it a shared responsibility. Incident reporting has improved and a cyber-aware culture is evident across all of our services.
Replicable models
The transformation was distinguished by a holistic, innovation-driven approach. By leveraging a mix of free services, partnering with the technology community and decentralising risk ownership, we’ve achieved outcomes not widely seen across the sector. Supply-chain due diligence was enhanced, ensuring that cyber risk is now considered at every stage of procurement and delivery.
A cyber-risk framework now looks holistically across all departments, ensuring that IT isn’t the sole owner of cyber risk. We think these innovations can provide a replicable model for other councils and housing providers seeking to integrate cyber resilience into their digital transformation strategies.
Quantitative & qualitative achievements
Our transformation is reflected in clear, measurable results. Between September 2024 and November 2025:
- Staff phishing susceptibility dropped below five per cent, achieved through targeted campaigns.
- Mandatory annual training reached 100 per cent completion for staff and contractors.
- Security incidents were addressed within agreed KPIs 100 per cent of the time, exceeding a target of 95 per cent, thanks to enhanced monitoring.
- Audit outcomes improved from ‘limited’ to ‘substantial’ assurance.
- No serious security events occurred during the period.
- Operational risks: 82 per cent addressed within three months of identification, exceeding a 70 per cent target.
- Workforce skills: Two staff achieved CISM certification by 2025, with ongoing professional development.
Qualitatively, we have moved from limited assurance on audit assessments to delivering 92 per cent of the Cyber360 action plan, with full completion targeted for this year. A cyber incident response plan was established, with policies aligned to ISO 27001:2022, ensuring confidentiality, integrity and availability of systems and data.
Our suggestions
This transformation underscores several key lessons for all organisations.
First, leadership and governance are critical: cyber-security must be championed from the top and embedded in organisational culture. Second, technology upgrades are essential but only effective when paired with staff engagement and robust governance. Third, innovation, whether through free services, community partnerships or decentralised risk ownership, can deliver substantial value and replicable models for others.
Above all, measurable outcomes matter. Clear targets, regular audits and transparent reporting ensure progress is tracked and celebrated. For those seeking to enhance cyber security in their own organisations, the message is clear: combine strategic leadership, technological renewal and cultural change to build resilience against evolving threats. By doing so, you protect your tenants, your reputation and the future.
Dave Richardson is the ICT and digital services business manager at Newark and Sherwood District Council. The council was Highly Commended in the Cyber Security category at the Housing Technology Awards 2026.

