Over the last 40 years, the social housing rental sector in England has declined from 5.5 million homes in 1979 to 4.1 million in 2022. Despite this reduction in availability, demand has not subsided, and social housing remains integral to the UK’s social system. Run in tandem by local councils and housing associations, social housing offers accommodation at reduced rates where rent is tightly regulated and generally means tested. Social housing provisions are currently used by almost one-in-five households in England and Wales, and nearly one-in-four households in Scotland – a significant proportion of the population. Waiting lists for social housing are also on the rise. As of March 2023, there were almost 1.3 million households on local authority waiting lists in England alone – a year-on-year increase of just over six percent.

With the volume of applicants for social housing increasing, local councils and housing associations are under increased strain. The growing backlog of applications, compounded by outdated IT infrastructure, leaves these organisations increasingly vulnerable to cyberattacks and data breaches. Councils and associations are responsible for mounting quantities of sensitive personal information, which, if acquired by cybercriminals, can be used for malicious and lucrative purposes.
Why are social housing providers so susceptible to attack?
Unfortunately, the cybersecurity dilemma confronting the social housing sector is commonplace in public sector operations. Many find themselves in the midst of integrating traditional paper-based methods with new digital services in an attempt to modernise their operations. However, strained budgets and the absence of a cohesive digital transformation strategy have led to a fragmented modernisation effort fraught with persistent delays and setbacks. More than a quarter of councils say they are making little to no progress in replacing legacy systems and upgrading cyber defences. This sentiment is likely echoed by housing associations, who typically work under – or near – local councils. After all, a chain is only as strong as its weakest link, particularly when it comes to cyberattacks.
The push towards digital transformation in social housing, which is designed to improve efficiency and tenant services, may be exacerbating the problem. As providers increasingly adopt online platforms for tenant interactions and internal operations, the risk of cyber threats multiplies. This digital shift, while beneficial, demands an equal investment in cyber security measures to ensure that advancements in service delivery do not compromise data security – and that is where the issues are emerging.
The threat to social housing providers
In 2020, Norwich-based Flagship Group, which provides social housing services to over 76,000 people, experienced a ransomware attack that compromised both staff and customer data and caused “considerable disruption” to services. Clarion Housing Association, which provides services to roughly 350,000 people, reported a major breach in 2022 that resulted in phone lines and IT systems being taken offline to protect tenants’ sensitive information. More recently, in December 2023, Connexus – a housing association that operates in Shropshire and Hertfordshire – said it was investigating a security incident involving unauthorised access to its systems, thought to be the result of a phishing-based social engineering attack.
These incidents only scratch the surface of what the social housing sector is currently dealing with. According to research by tax consultancy firm RSM UK, roughly a quarter (25 percent) of the country’s housing associations were impacted by a cyberattack between 2022 and 2023, and there are fears that this number is likely to rise.
The human risk factor
Vulnerabilities in the social housing sector are not just due to technological inadequacies. The human element plays a pivotal role in the sector's cybersecurity, often representing the frontline of defence against cyber threats. According to the UK Parliament, an estimated 95 percent of cyber-attacks succeed because of human error, stressing the severity of the problem.
Human errors, such as falling for phishing emails or mishandling confidential information, can lead to significant vulnerabilities. Addressing this requires not only stringent protocols and IT measures but also a comprehensive education and awareness strategy. Regular training sessions, up-to-date information on the latest cyber scams, and a culture of cyber security mindfulness can empower employees to act as diligent custodians of tenant data, significantly reducing the risk of breaches.
Take the initiative in defence
Introducing proactive cybersecurity measures within the social housing sector has become crucial. Beyond simply maintaining good cyber hygiene on networks, it’s imperative to establish secure communication channels for both internal and external communication. This includes implementing robust data encryption protocols to safeguard sensitive tenant information during both transmission and storage.
For example, bolstering email security might involve the integration of encryption technologies to ensure the confidentiality and integrity of email communications. Tools can be deployed that automatically detect sensitive information within an email and then encrypt it, ensuring that sensitive information is only read by the intended recipient. Additionally, implementing multi-factor authentication adds an extra layer of security, verifying the identity of users before granting access to email systems and sensitive data. These measures collectively fortify the defences against cyber threats, ensuring that tenant information and organisational data remain protected.
By taking these steps, housing associations can not only defend against the immediate risks they are facing, but also lay the groundwork for future resilience, ensuring the long-term protection of sensitive tenant data.








