Clanmil Housing was Highly Commended in the Cyber-Security category at the Housing Technology Awards 2025. Peter Grimley, the housing provider’s assistant director of ICT, explains how Clanmil Housing’s adoption of a managed cyber-security service has set it on the path towards achieving the highest level of cyber-security excellence.
Trust is the foundation that every tenancy is built on, and today that trust is undermined by growing threats from cyber-attacks. The UK government’s 2025 Cyber Security Breaches Survey found that 43 per cent of businesses experienced at least one breach in the past year. In the housing sector, outdated systems and vast stores of sensitive data make housing providers particularly appealing to hackers, and when they fall victim to attacks, the ensuing service disruptions can last for years.
At Clanmil Housing, we see weak cyber-defences as a core operational risk requiring board-level attention. Over the past year, we’ve taken decisive steps to transition from reactive defence to a proactive, sustainable security strategy.
Motivated by a duty of care
We provide homes to over 11,500 people across Northern Ireland, serving families, older residents, those with support needs and shared communities. Our 300-person team delivers new homes and high-quality responsive repair services to help people live well, strengthen communities and address the region’s housing crisis.
As a customer-centric organisation, protecting our tenants from the impact of cyber-breaches is our top priority. Our 2026 digital strategy identified this threat as a strategic risk, rooted in three core challenges:
- People – Remote working and online service delivery can make staff more vulnerable to phishing, malware and ransomware.
- Processes – Inefficiencies can delay cyber-incident recovery and cause service delivery breakdowns, leading to escalating costs.
- Technology – Undetected weaknesses in legacy systems and a lack of proactive management can lead to corporate infrastructures being compromised.
Though our existing security processes were functional, they were fragmented and difficult to scale. We also lacked the internal resources, particularly specialist knowledge, to deliver a robust cyber-resilience programme. Recognising the need for a comprehensive approach, we evaluated multiple managed security providers and chose NormCyber.
Managed protection across the full spectrum
We created the business case for a managed service spanning the full spectrum of security, from continuously monitoring our IT systems to rapidly responding to threats and providing expert guidance to keep us ahead of evolving risks in the long run.
Our new cyber-resilience strategy is powered by NormCyber’s cyber-security managed service, with individual modules tailored to our needs and priorities:
- Managed detection & response provides 24/7 monitoring from a CREST-accredited UK security operations centre (SOC).
- Incident response offers fast containment in the event of a cyber-attack.
- Incident response readiness exercises enable our leadership to test our response capabilities under realistic attack simulations.
- Vulnerability management continuously scans our IT environment and offers risk-based assessments.
- Human risk management includes on-demand, bite-sized training coupled with regular phishing simulations to improve our staff’s cyber-security awareness.
- Penetration testing helps us to uncover high-risk vulnerabilities, with ethical hackers providing valuable context and actionable advice.
The combination of these tools gives us centralised oversight and control. Norm also assigned us a ‘focal analyst’, a senior security operations expert with deep knowledge of our IT environment, commercial goals and day-to-day operations, who helps us to drive continuous improvement.
Making the complex clear
One of the biggest challenges in cyber-security is making the invisible visible. The risk landscape is often murky and in-house IT teams can easily get overwhelmed by ‘alert fatigue’. With Norm, we’ve found that we can cut through this noise and act with clarity and confidence.
Within three days of deployment, our online performance dashboard went live and we could see previously hidden threats. Norm’s Smartbloc platform offers real-time visibility into our cyber-posture, with contextual reporting and actionable recommendations. We can see how our people, process and technology controls are performing, and get a high-level snapshot of our security status via our ‘cyber-resilience score’. This metric informs the board of the RoI of our efforts, combined with detailed insights for our technical teams to act on.
We have also transformed our approach to penetration testing. We previously relied on annual tests that gave us a one-off snapshot of our cyber-security posture, rather like a vehicle’s annual MOT, but continuous monitoring now delivers much richer data, more akin to F1-style telemetry.
For example, our last annual penetration test revealed 42 vulnerabilities, but the true extent of our risk exposure was actually a multiple of that. And yet, this level of detail isn’t overwhelming and has made prioritisation and resolution easier.
Results that speak for themselves
We set out with high expectations that our new programme would enhance our threat protection, create transparency in reporting and help us achieve compliance, but we were still surprised by how quickly we could make measurable improvements. We hit our targets for patching critical vulnerabilities and phishing compliance training within six months.
We also achieved key customer-focused goals: strengthening our assurance around data security; building trust in our commitment to protection; and improving the reliability and availability of our services.
Looking at the commercial benefits alone, outsourcing saved two-thirds of the cost of building similar capabilities in-house, not counting recruitment and procurement costs. As a result, we’re saving around £235,000 each year.
Finally, our employees also benefit from the enhanced productivity that comes from having a secure system. Our ICT team has reclaimed three weeks of manual effort per quarter, which we now use to plan and deliver further improvements.
A culture of continuous cyber-security improvement
Cyber-criminals might never sleep, but now we can. With our new model, we’re systematically reducing our risk exposure and focusing on the right priorities. The process has instilled great confidence in our cyber-resilience and given us much-needed assurance about our performance.
With cyber-security elevated to a board-level responsibility, our future goals are to create a resilient and adaptive security culture and achieve a cyber-resilience score in the upper quartile, placing Clanmil Housing among the highest-rated organisations for cyber-security.
We’re building more business cases to upgrade systems and extend the programme into supplier risk management and data protection, with the goal of reaching the highest level of cyber-security excellence in the sector.
Peter Grimley is the assistant director of ICT at Clanmil Housing. The housing provider was Highly Commended in the Cyber-Security category at the Housing Technology Awards 2025.