Explainers & Guides

Navigating TPRM in UK Housing Associations

This article explores the challenges of managing supply chain risk for resource-constrained housing associations at a time of digital transformation and growing cybersecurity threats.

Housing associations provide homes for some of the most vulnerable people in society. They handle large volumes of sensitive data, making them a prime target for cybercriminals looking to steal and exploit that data. They face significant challenges in securing data and systems at a time of digital transformation and complex digital supply chains yet shrinking budgets. In this article, we highlight the critical challenges housing associations face in trying to keep their systems and data safe, and explore third-party risk management solutions to secure their vulnerable supply chains.
 

Housing Associations’ increased attack surface

There are more than 1,300 registered housing associations in the UK, providing two million affordable homes for around five million people. They range from major providers, such as Sanctuary Housing and Clarion Housing, through to smaller associations catering for specific groups, such as single young people or the elderly.

Housing associations handle huge amounts of data, including sensitive personal information, rental agreements, banking details and financial records. This, combined with often outdated IT systems and generally weaker cybersecurity defences, makes them lucrative targets for cybercriminals seeking to steal data for financial or malicious purposes. 

According to tax consultancy RSM UK, a quarter of the UK’s housing associations have been hit by cyber-attacks in the past 12 months alone. As associations increasingly move to digital service delivery, the potential attack surface for cybercriminals grows – and the likelihood of attacks increases. Furthermore, the network of suppliers and service providers digitally connected to any housing association presents a huge number of potential entry points for cybercriminals looking to exploit weaknesses in supply chain defences.
 

Weighing up the cybersecurity risks to housing associations

In a volatile geopolitical environment, any organisation providing critical national infrastructure or services is at increased risk of cyber attacks. Criminals, including state-affiliated threat actors, are using increasingly sophisticated methods and multiple attack vectors to breach cyber defences and steal sensitive data. 

The recent surge in attacks on housing associations includes some high-profile breaches at some of the UK’s biggest organisations. In June 2022, the country’s largest housing association, Clarion, suffered a significant malware attack that severely disrupted its IT systems and phone lines, meaning many of its 125,000 tenants were unable to report issues or contact their landlords.

Shropshire-based housing association, Connexus, was forced to take its systems offline to protect tenants’ data following a cyber attack in December 2023. In August 2024, Scottish housing charity Albyn Housing Society experienced a ransomware attack that resulted in confidential data being leaked to the dark web. The hack was attributed to a ransomware gang with connections to Russia, highlighting the risks posed by international threat actors. 

Attacks such as these not only cause disruption and inconvenience to tenants, landlords and associations, they also put the private information of tenants at risk of further exploitation. The elderly, disabled or people on low incomes are particularly at risk. That means protecting the operational security of housing associations is vital not only to prevent financial losses and service disruption, but also to safeguard the security, privacy and well-being of some of the most vulnerable people in society. Restoring services and systems following a cyber-attack can take weeks or even months, while repairing the damage to trust and confidence among tenants can take much longer. 

Supply chains are a huge source of vulnerability   

To give themselves the best possible protection against cybercriminals, housing associations need to increase their focus on hardening their own cyber defences. However, protecting their own systems and data from attack is only part of the solution. Many cyber-attacks originate in the supply chains of organisations, where criminals can often find weak points in cybersecurity defences. Given the vast network of suppliers and service providers digitally connected to any housing association, the potential attack surface for criminals is huge.

Supply chain attacks have become one of the biggest cyber threats to organisations worldwide. Cybersecurity Ventures predicts that the annual cost of these attacks will rise from $46bn in 2023 to $138bn in 2031. Gartner has estimated that in 2025, almost 45% of all companies worldwide will experience attacks on their software supply chains – a threefold increase since 2021.

The scale of the supply chain threat is directly linked to the number of suppliers an organisation has – each of which is a potential attack entry point. As housing associations expand their digital services, the risk of cyber-attack increases. Any vendors or suppliers with poor security controls can leave their housing association clients open to security breaches.

That means assessing and monitoring the security controls of all critical suppliers must be a top priority. This process of third-party risk management (TPRM) involves first carrying out risk assessments of existing and potential suppliers to determine their security status, and then continuously monitoring those suppliers’ security postures so that any lapses can be identified and quickly addressed before cybercriminals exploit them.
 

Key TPRM challenges for UK housing associations

Having worked with many UK housing associations and discussed the cybersecurity threats they now face, we have identified five key third-party risk management (TPRM) challenges the sector is struggling with. 

Challenge 1: Large, complex supply chains present a vast attack surface for cybercriminals. 

Digital transformation is helping housing associations to improve the efficiency and accessibility of their services. But digital services need to be supported by a raft of vendors and service providers, creating a complex web of digitally connected companies, all of which play an integral part in delivering housing association services. As we have discussed, cybersecurity weaknesses at any connected organisation anywhere in the supply chain could enable cybercriminals to access housing association data and systems. 

Some of the critical suppliers on which housing associations depend include providers of IT hardware and software, which often have direct access to housing association systems and data. Similarly, cloud service providers store vast amounts of sensitive data on behalf of housing associations. Facilities management companies providing cleaning, maintenance, security and pest control services often have physical access to properties as well as handling sensitive data about tenants. Other firms may provide asset-monitoring services, using IoT devices to assess everything from energy efficiency to damp and mould within properties. These devices could be vulnerable to cyber-attack if not properly secured. All of these essential, integrated suppliers are potential points of cybersecurity vulnerability for housing associations.

Housing associations are exposed to additional risk because of the way they procure many services through framework agreements. This means they rely on key framework organisations, like Phoenix, Total Facilities Management and G-Cloud 13, for multiple services. Any cyber-attack on one of these framework providers could cause significant disruption to essential services for large numbers of tenants. Given this concentration of risk around framework contractors, housing associations should consider having back-up providers in place in the event of a disruption to any framework contractor.

Challenge 2: Severe budget and resource constraints – limiting investment in cybersecurity.

Housing association budgets, like those of local authorities, are under pressure at a time when they face increased operational costs due to inflation, high energy prices and high borrowing costs. Maintenance costs are also rising as associations strive to meet new energy-efficiency, fire-safety and decent homes standards. These cost increases have occurred at a time when housing associations have lost revenue due to government-mandated below-inflation rent increases over the past eight years.

With costs increasing and revenues decreasing, associations have few resources to spare for cybersecurity investment. The widespread use of legacy and outdated IT systems means that many associations face an urgent need to update their technology to keep pace with demand. But while investment is being directed towards essential digital transformation, associations must ensure these technological advances are not undermined by insufficient investment in cybersecurity. 

Challenge 3: Handling large volumes of sensitive data – an attractive target for hackers. 

Housing associations handle valuable data associated with their tenants, landlords and suppliers. This includes the sort of personal and financial information that is highly valued by cybercriminals, such as tenant and landlord addresses, contact details and personal information, tenancy information such as rent payments and lease details, income information and housing application details.

In addition, working closely with the public sector and UK government makes housing associations a prime target for ideologically motivated or state-sponsored threat actors seeking to gain nationally important information. Such information held by housing associations could include details of the UK housing stock, government social policy, planning applications, infrastructure developments and construction plans. 

Challenge 4: Lack of preparedness – hampering the response to a cybersecurity breach

A growing reliance on digital technologies to manage operations and deliver services in the UK housing sector is not being matched by preparations to deal with any cybersecurity breach. The sector itself acknowledges its shortcomings in incident preparedness. Recent research by Phoenix found that only 4% of associations believe they are prepared to respond to a ransomware attack, and almost half believe they are unprepared for a data breach. 

That is particularly alarming, given that it may take many days before a breach is detected, during which time hackers could freely extract data. Once the incident is discovered, it can take further weeks or sometimes months for systems and services to be recovered.

The ability to identify and respond to a breach becomes even more challenging when the attack happens elsewhere in the supply chain. Most housing associations have little visibility into the security status and operations of their immediate third-party suppliers, let alone any sub-contractors and other 4th, 5th and nth parties further down in their supply chains. Without easy access to information about these more remote supply chain participants, housing associations face real challenges in assessing and combating cybersecurity risks. 

Challenge 5: Regulatory compliance – keeping data safe and regulators happy.

Housing associations also need to comply with a variety of regulations and consumer standards, as well as the standards set out in the National Housing Federation (NHF) Code of Governance. For organisations handling such large volumes of personal data, GDPR regulations are especially pertinent. 

Compliance with these regulations, however, requires thorough oversight of third-party suppliers, and the data they hold and handle. It’s another reason why third-party risk management is such a critical activity, playing a central role in protecting tenants and their data, as well as housing associations’ own systems, staff and services. Failure to meet these standards or comply with regulations can result in significant fines, but also reputational damage. 

What makes supply chain cybersecurity so difficult?

For housing associations, the task of safeguarding their own systems and data against cyber-attack during times of budgetary and resource constraint is challenging enough. Associations must rightly focus on securing their own IT networks and infrastructure, applications, premises, data and people from cyber-attack. That alone requires significant time, resources and expertise. 

But, as we have seen, protecting your own systems is no longer enough to keep out the hackers. Cybercriminals can access systems via any of the supply chain organisations connected to a housing association. That means to properly secure systems and data, associations need to maintain continuous monitoring across their entire supply chain. For large housing associations, that could involve monitoring hundreds or even thousands of connected companies. 

So how can housing associations today run individual assurance processes and security assessments against all of their suppliers? No housing association has the resources in-house to carry out third-party risk management on such a vast scale.

How can housing associations rise to the challenge of third-party risk management?

To optimise the use of the limited resources and budget available to Councils, an innovative new approach to supply chain cyber security might hold the answer - a social network approach.

Traditionally, organisations have approached third-party risk management, and supply chain cyber security generally, as a one-to-one, spreadsheet-based assurance process with each of their critical suppliers. With often hundreds of critical suppliers, the time and resources required are simply prohibitive. The burden that this approach imposes on suppliers is also enormous. Suppliers constantly receive numerous security questionnaires from clients and prospective clients, leading to a situation where they simply cannot complete these in a timely manner, and increasing the chance that they don’t take each assessment as seriously as they should. This approach is simply no longer viable.

A more collaborative approach to supply chain security can hold the answer.

A case study from UK Councils

Housing Associations face similar challenges to other local authorities, not least Councils. Risk Ledger has been working closely with several WARPs across the UK to collaboratively and efficiently improve their supply chain security. Together with ISfL and SEGWARP, Risk Ledger is running a project for 10 Councils to easily automate and assess supplier risk with fewer resources than manual processes.


These organisations have decided to come together and form a community on Risk Ledger where (once they have opted in) they are able to share best practices, see each other’s supply chain maps, and collaboratively mitigate the risks identified. In this community, they will be able to see risks raised against specific suppliers by their peers, identify shared dependencies and systemic risks facing all of them, and collaboratively lobby unresponsive suppliers. Moreover, they are also able to collaborate on supply chain attacks when they strike, significantly improving their access to up-to-date supplier and contextual information in order to quickly ascertain how their critical suppliers might be exposed to any attack.

The main benefit of this collaborative approach is that Councils commonly share many of the same suppliers, which means they can now be assured that numerous eyes are on the same supplier at all times. It also removes the need for unnecessary duplication of workload and creates an opportunity for shared assurance and collaborative risk management.

Joining a dedicated TPRM community on Risk Ledger with your peers provides participants with numerous benefits. It enables them to:

  • Access a network of over 7000 suppliers (and growing) with completed security profiles that have already been vetted by their clients on the platform.
  • Gain a deeper understanding of supplier relationships and dependencies, even beyond their immediate 3rd parties.
  • Assess the wide-scale operational impact of a disruption at a critical ICT 3rd party.
  • Gain visibility into shared risks and their potential impacts.
  • Collaboratively triage and prioritise these risks and develop targeted mitigation strategies.

Within a mere 2 weeks of the start of the project with UK Councils, Risk Ledger was able to compare 300 unique supplier names provided by the participants and connect the participants to 180 of those suppliers. Councils also realised that on average 60% of their suppliers were already on the platform prior to joining, all with completed assessments, making the process of connecting and reviewing their security controls even faster. And just by connecting the participants to these 180 suppliers, Risk Ledger has already been able to identify 20 critical supply chain dependencies and potential risk factors that these Councils were previously unaware of.

Conclusion: The Future of effective and efficient supply chain security lies in collaboration

With so many service providers, vendors and third-party suppliers that housing associations rely on to provide their critical services, effective risk management has previously been contingent on ample resources and large budgets committed to ensuring their security. This is no longer the case. Leveraging the power of numbers and collaborating with peers significantly reduces the resource burden and enables, for the first time, more efficient and effective supply chain risk management.

Building a community of connected organisations helps to improve the resilience of every supply chain participant. In a sector where resources are constrained, housing associations can be much more effective at defending against cyber-attacks when they work together with their peers, and their suppliers.

This ‘defend-as-one’ approach allows councils to collaborate, to exchange best practices and continuously assess the security posture of shared suppliers. It enhances the ability of the entire supply chain to monitor threats and address vulnerabilities quickly when they emerge.

At a time when financially constrained housing associations are facing growing threats from cyber criminals and foreign threat actors, it makes sense to combine resources and work together to reduce the risks.
