
Sensitive data and digital transformation make public housing a prime target for cyberthreats


Cyberattackers are drawn to targets that hold significant amounts of personal and sensitive data and have a largely unprotected attack surface that makes them easy to breach. Public housing associations — a broad group of privately owned, publicly funded, or charitable organizations that provide and manage housing for millions of people on lower incomes or with special accommodation needs — fit the bill perfectly. And as more public housing associations turn to technology and the cloud to enhance services such as resident communications, property maintenance, and operations, the need for them to understand and address the IT security risks that accompany this journey is more pressing than ever.

Assets that need protecting

Data security is a priority for housing associations, particularly the personal, financial, and confidential data that belongs to residents. This is not just to meet data protection regulations and avoid a fine. Residents of public housing can be among the most vulnerable, including people who have suffered domestic violence, human trafficking, and child abuse, and the potential consequences of their personal data falling into the wrong hands are deeply worrying.

Further, many public housing associations are introducing online applications and connected infrastructure to remotely manage properties, streamline operations, reduce costs, and enhance services for residents. Such digital transformation is opening new attack surfaces that cyber adversaries armed with ransomware and other malware won’t hesitate to exploit.

Case study: Public housing associations in the UK

There are currently around 1,600 housing associations in the UK, providing accommodation for around 6 million people in about 2.4 million homes.

In 2022, the housing associations Bromford, which manages around 44,000 homes; ForHousing and Liberty, which between them support 24,000 properties; and Clarion, one of the largest housing associations in Europe with 125,000 homes, were all hit with successful — and headline-making — cyberattacks. Bromford was targeted repeatedly with attempted attacks before one succeeded. ForHousing and Liberty were victims of a ransomware attack, while their parent organization, ForViva, suffered data theft.

In most cases, the attack led to IT and communications systems including phone lines being disrupted and shut down, leaving residents unable to pay rent, call for help or repairs and concerned about loss of personal data. The incidents took weeks if not longer to resolve.

One association’s solution

L&Q is a charitable public housing association committed to using advanced technology to let its employees, partners, vendors and 250,000 residents interact with the company whenever and wherever it is most convenient for them via online applications. This means that a great deal of private financial and other regulated data is carried in application traffic and stored in the company’s databases. In addition, it employs an award-winning proprietary building connectivity program to remotely monitor and manage physical-plant assets such as boilers, electrical systems, plumbing, and gas systems. This IoT telemetry data traffic is significant and needs to be protected against theft or sabotage.

“Obviously our stack surface is quite large and diverse, and our hybrid architecture adds complexity to the security challenge,” said Kieron Prince, L&Q’s Cloud and Infrastructure Lead. “We had no visibility into just how frequently we were being probed and attacked.”

L&Q turned to Barracuda’s Web Application Firewall (WAF)-as-a-Service to keep its cloud and on-premises applications secure. “Now, going through the logs, our eyes have been opened. It seems a wonder we never suffered a serious breach in the past,” said Prince.

Checklist for public housing associations with limited security budgets

What can IT professionals in public housing do to enhance protection without having to invest in complex or resource-intensive security technologies that require big budgets and expert skills they don’t have?

Here are some key steps to consider:

  • Educate all users on how to spot a phishing email or other suspicious message and report it
  • Patch promptly — install updates as soon as you can, and if you can’t get to them all, focus on the most critical and easy-to-exploit first
  • Use two-factor authentication for all network and application access, but especially for remote access services such as RDP and accounts used by residents and non-technical staff
  • Install anti-malware software on every device that connects to the network
  • Ensure you install strong multilayered protection at the cloud application, email gateway, and network layers
  • Disable macros and scripting environments
  • Back up data frequently, following the best-practice 3-2-1 rule (three copies, two different media, one of which is offline)
