This year’s Housing Association Partnership Network (HAPN) event brought together the great and the good from the housing sector for two days of learning and relationship building, as the sector looks to drive further innovation and growth in 2025 and beyond.

As a strategic IT partner to a significant number of housing associations and organisations – including the likes of Citizen Housing, Southway Housing Trust, Merlin Housing Society, Two Rivers and Transform Housing and Support – we were proud to be at HAPN sharing insights with the wider sector.

Our senior solutions architect Justin Taylor delivered one of the keynote talks at HAPN, outlining how cybercriminals are breaking into the housing sector, and how to prevent them through organisational preparedness and comprehensive vulnerability scanning.

In today’s blog we round-up the five key takeaways from Justin’s talk, helping you to understand and react to the threat.

1. Threats are growing: Email compromise and ransomware are rising year on year

The stats don’t lie. The volume and overall cost of email compromise and ransomware attacks continue to grow, year on year.

Between 2022 and 2023, financial losses due to email compromise grew by 7% from $2.7bn to $2.9bn.

As for ransomware incidents – the number of successful ransomware attacks grew by 18% in 2023 to 2825. That’s up from 2385 in the previous year.

Overall losses due to cybercrime reached $42bn in 2023.

While the 2024 numbers are not yet available, we’re confident there will be another rise in the most recent set of figures when they’re released.

2. Defending is hard: Multiple attack vectors and a shifting landscape

The landscape of cybersecurity threats to housing associations continues to develop at pace. Threat actors are varied and numerous. Here are some of the key threat actors to be aware of:

2.1 Nation-state actors

These are typically countries outside of the UK, the EU and the USA. Nation-state actors pose a significant cybersecurity threat to UK organisations, including those in the housing sector. Whether due to geopolitical motivations, data theft or espionage, nation-state actors have the resources and the skills to cause significant disruption.

Housing organisations are part of a broader critical national infrastructure. Disrupting these services can have wide-reaching impacts on society, making them attractive targets for nation-state actors looking to cause disruption. Housing organisations also hold valuable data, including personal information of residents, financial records, and operational details. Nation-state actors may target this data for espionage or to use it in further attacks.

2.2 Organised crime groups

Organised crime groups (OCGs) are primarily motivated by profit. They target housing organisations to steal sensitive data, such as personal and financial information, which can be sold on the dark web or used for identity theft and fraud.

These groups often use ransomware to encrypt critical data and demand a ransom for its release. Housing organisations, which rely on continuous access to their data for operations, may feel pressured to pay the ransom to restore services quickly.

Housing organisations may have less robust cybersecurity measures compared to other sectors with greater resources, making them attractive targets. OCGs exploit these vulnerabilities to gain access to systems and data.

By targeting housing organisations, OCGs can cause significant disruption to essential services, affecting a large number of people and creating a sense of chaos for those trying to resolve the issue.

2.3 Insider threats

Insider threats refer to the risk posed by individuals who have legitimate access to the systems and data within your organisation.

There are traditionally three main types of insider threat:

• Malicious insiders: Deliberately expose systems or leak data to harm the organisation
• Negligent insiders: Cause harm unintentionally (like an IT team member failing to patch a system or mishandling sensitive information)
• Accidental insiders: An end user accidentally clicks a phishing link or gives up their credentials

2.4 Initial access brokers

An initial access broker is a cybercriminal who specialises in gaining unauthorised access to computer networks and systems and then selling this access to other malicious actors, such as ransomware groups.

Initial access brokers exploit vulnerabilities in remote access services like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs), brute-force login credentials, and leverage malware that steals account information.

This “access-as-a-service” model is one of the drivers in the rise of ransomware attacks and other cyber threats referenced earlier in this blog.

3. Visibility is critical: Understand your environment and investigate alerts

So, sections 1 and 2 have made for some frightening reading. But what can you do to get proactive and protect yourself?

When it comes to securing your environment, visibility is everything. After all, you can’t manage what you can’t see.

By having a clear view of your network, you’re better able to identify and address vulnerabilities and blind spots. This proactive approach minimises the risk of exploitation by cybercriminals, and can help you respond more quickly in the event of an attack.

Many regulatory frameworks, like Cyber Essentials Plus, require organisations to maintain detailed logs and reports of their security position. Visibility tools help in meeting these compliance requirements by providing the necessary data and insights.

Shadow IT (systems that have been launched within the organisation, but that are not being actively managed by the IT team) can be a barrier to network visibility. Particularly in the housing sector where remote sites and large numbers of internet-facing devices can create a larger attack surface.

A quality scanning tool can plug the gaps by discovering absolutely everything that is on your network, before prioritising the patching and remediation required.

LIMA provides free cyber readiness assessments that can help you to more clearly understand your current security posture and how to improve it. Contact one of our experts on 0345 345 1110 to discuss your free cyber-readiness assessment, or drop us an email: enquiries@lima.co.uk

4. Plan your response: If you don’t have an incident plan you’re leaving yourself at risk

As the old saying goes – fail to prepare, prepare to fail.

By creating an incident response plan you’ll arm your organisation with a step-by-step playbook of how to respond in the event of a cyber incident.

Plan for different attack scenarios. Your response to a phishing attack would naturally be different to a ransomware attack, which could cause a full business outage.

Create a responsibility matrix so it’s clear who owns what.

Create a communications plan. Who do you need to contact? How will you contact them if your core systems go down? How will you contact tenants? Who’s your cyber insurer and what do they cover?

A solid incident response plan can lead to a faster response and critically a faster resolution. The longer an incident drags out, the more exposed you are to the risks of downtime and financial loss.

Having executive agreement of your incident plan enables you to act quickly in the event of an ongoing incident, which could reduce the overall impact. You don’t want to be chasing your CEO for sign off on a plan of action when an incident has occurred.

Once you’ve got a plan, make sure you’ve tested it. An untested plan may not survive a live incident, so make sure to run through it!

5. Not “just an IT problem”: Leadership buy-in is worth its weight in gold

Cybersecurity is not just an IT problem. It comes down to people, processes and culture.

If leadership make cybersecurity a priority, it will become a priority across the organisation very quickly.

From the IT side, if senior management are bought in, you’ll have more tools and processes in place to prevent a cyber-attack and becomes less economically viable and less appealing for attackers to target you.

What’s more, if you have exec buy-in it’s easier to develop a full, organisation-wide response plan, so that your customer-facing teams know what to do when their systems are down, enabling business continuity even in the event of an attack.

At LIMA, we tend to speak to two types of organisation. There are those who have already suffered a cyber-attack. These organisations always have buy-in from leadership, because they understand the reputational damage, the lost revenue and the wasted time spent getting systems back up and running.

IT teams in organisations that haven’t yet been attacked often find it harder to get buy in and investment from leadership. The mentality of “It’s not going to happen to us” can prevail in these organisations. This is a risky approach, with attacks continuing to rise.

In cybersecurity, as in dental care, prevention is always better (and cheaper) than cure!

LIMA’s own Vulnerability Detection and Remediation (VDR) solution continuously scans your environment for vulnerabilities and resolves them before they can be exploited, keeping you ahead of the game in the fight against cybercrime.

Want to remove the cyber-strain from your IT team? Contact one of our experts on 0345 345 1110 to discuss your free cyber-readiness assessment, or drop us an email: enquiries@lima.co.uk