Safeguarding data is a constant struggle for every business. Any business that holds sensitive data or deals with the public is always going to be at risk.

For not-for-profit organisations, the resources often simply aren’t there to help them deflect attacks and then recover quickly, risking the provision of often public services, and potentially exposing private data while issues are resolved.

Given the tough economic climate, Housing Associations are playing a vital role in our economic recovery, investing in construction of new social homes, and providing safe, well-maintained homes for their tenants. However, as government initiatives like the Affordable Homes Programme (AHP) invest money in the sector and put charities and providers on the map, the sector also comes under the spotlight for cyber criminals who seek to extort and cause harm.

What makes housing associations such an attractive target?

Put simply, housing organisations are in possession of lots of Personally Identifiable Data (PID). They’re managing not only staff and property data, but vast amounts of highly sensitive resident data, which can include anything from payment to medical data in some cases. On the dark web this data is of huge value for all kinds of other scams, which also makes it the perfect means of extortion in a ransomware attack.

At the same time, stretched budgets and constant pressure often take IT teams’ attention away from the critical problems, as they’re finding themselves too busy firefighting the ‘now’ to prepare for the ‘what if’. The rapid growth the sector is experiencing often means disparate and less well-integrated systems have emerged to keep pace, which are often vulnerabilities cyber attackers love to exploit.

Housing sector cyber attacks that made the news

Let’s look at some recent attacks in the sector. We’ve rounded up three examples of successful breaches and one unsuccessful, but hugely impactful attack:

  • Clarion Housing Group in June 2022: This successful malware-borne attack left them unable to deliver critical services and left tenants in the dark. It’s unclear whether tenant and staff data were breached, but Clarion insists that no sensitive data was accessed during the attack. 84% of tenants interviewed reported a significant spike in phishing activity following the attack. It is unclear if that was a direct result of the attack, but tenants attributed it to the attack. The reputational damage was done.
  • Hackney Council: In 2020, Hackney Council suffered a breach that ultimately cost upwards of £12m of taxpayer money to resolve. And one of the biggest impacts? Their housing benefit payment systems. Tenants were unable to make payments and left concerned about how this would impact their living arrangements.
  • Plentific in 2021: The 2021 breach at Plentific, a property technology company, resulted in the four large housing providers they serviced having to inform all their residents they’d been impacted. The reputational damage to all companies within that supply chain is impossible to put a cost on. In this case, tenants’ email addresses genuinely were accessed, and they were bombarded with scam emails in the aftermath of the attack, putting them at further risk.
  • Bromford in 2022: Bromford, a housing association managing over 40,000 homes, chose to shut down their technology as a precaution after identifying an attempted but unsuccessful attack. Their communications systems and appointment management systems were out of action, leaving them only able to deliver severely limited services to their customers.

Restoring BAU after an attack

One thing each of these examples has in common is that returning to ‘normal’ is a job in itself, even after an unsuccessful attack. In the Bromford case, they decided that “returning to normal can only happen when systems are safe”, but the truth is that most housing associations are ill-equipped to even reach that point of safety without external support.

Like so many other industries, housing sector IT teams are often under-resourced, and operating without specialist in-house security knowledge around how to comprehensively protect their business. But that’s where modern data protection tools and experienced external guidance come into play.

So how can Housing Associations better protect and manage their data?

Your approach to protecting your data must encompass detection, response and recovery. The core pillars of this approach are:

  • Strengthening data resilience: Data resilience isn’t just about loss prevention, it’s about recovering quickly should the worst happen, and knowing that your backups are not only secure but accessible.
  • Ransomware readiness: With ransomware, it’s really not an ‘if’, but a ‘when’. You need tools in place to prevent attempts from entering your estate, and to pre-emptively minimise the impact they can have if they do get past the gates.
  • Downtime response practice: As in the given examples, downtime has a direct impact on reputation, so processes designed to minimise time to recovery are what will help keep your business up and running in the event of an attack, protecting your reputation as a result.

Our top 3 tips for making this happen are:

  1. Deploy immutable storage – so you can have 100% confidence your backup is secure and not corruptible.
  2. Back-up more regularly – when you have the tools to do this faster and more intuitively, backups are no longer onerous, and become a more regularly maintained part of your security practice.
  3. Data deduplication and compression – reduce the size of the data you’re storing. This increases its manageability and reduces the cost of storing it, freeing up time and money for better use elsewhere.

We’re currently working with some housing sector clients to deploy Arcserve’s data protection solutions, which are specifically designed to help achieve all of these things. As well as increasing data manageability and protection, they’re realising benefits such as reduced IT cost and complexity, more IT time freed up for other projects, and simpler retrieval of archive data. For housing associations that never know when they may need to retrieve historical data way outside of typical retention conditions, it’s a big win to be able to access it quickly, easily, and securely.

See it for yourself

The spectrum of Arcserve’s data protection solutions is broad, so we’re able to offer free Proof of Value sessions so you can discover more and even put the products through their paces. If you want to know more about protecting your data with Arcserve, or any other aspect of your IT, get in touch.