How to overcome a cyber attack in the housing sector

The UK Government’s National Cyber Strategy 2022 promises to strengthen the structures, partnerships, and networks needed to support a whole-of-society approach to cyber, and foster the growth and quality of a sustainable, innovative, and internationally competitive cyber and information security sector. Read our GRC specialist’s advice about how to replicate this in your housing organisation.

We believe that cyber security extends further than simply the protection of your systems, services, and data to include people (your employees, tenants, and partners), processes and policies, and information and data governance, whether mandated through PCI-DSS, NIST, CIS, ISO standards, or others.

When building a successful cyber security strategy, you must consider:

  • Cyber professional services
  • Endpoint and mobile security
  • Identification, authentication, and access controls
  • Incident response and management
  • Information risk assessment and management
  • Internet of Things (IoT)
  • Network security
  • Threat intelligence, monitoring, and detection
  • Awareness, training, and education

You should also include frameworks (NIST, SANS Institute, and ISO standards) as a baseline to ensure everything is up-to-date and compliant, including:

  • Business continuity and disaster recovery plans
  • Cyber security incident response plans
  • Tabletop tests to learn, develop, and mature

However, the strongest cyber security strategies understand exactly how cyber attacks unfold, and considers the challenges to overcome during one to mitigate and remediate successfully.

Read our 10 top cyber security tips for housing associations now.


Laptop on a desk with a secure log in on the screenWhat are the main challenges housing organisations face during a cyber attack?

There are four key challenges that you need to be aware of during a live cyber attack and incorporate remediation for within your cyber security strategy:

  1. Mistakes are made
    It’s a fact that in an immediate state of panic, decisions are made too quickly. Information isn’t communicated clearly with key stakeholders, and too often housing associations (and other housing organisations) under attack will fail to inform regulators in time, leading to fines and further challenges.
  1. Evidence is lost
    One of the most common challenges during incident response is the deletion of vital evidence of the attack and how it took place – either on purpose or accidentally. Integrity of evidence is crucial for an effective incident response, future incident prevention, and regulatory compliance when reporting.
  1. Facts become elusive
    Following an attack, everyone wants to know the facts, but in most cases, they’re hard to find. While knowing everything isn’t always possible immediately after an attack, it is important to record everything on a non-electronic device that can’t be compromised.
  1. Communication breaks down
    Inconsistent communications during a cyber attack can become confusing leading to a slow response. And more seriously, unclear communications can have significant legal repercussions.

How to create a strong cyber security strategy for your housing organisation

  • Plan, test, and build your cyber security incident response plan (CSIRP): ensure everyone knows their roles through tabletop exercises. This approach will allow you to practice and understand should you need to align in a real event, and a working, fit-for-purpose, and tested CSIRP is your best tool during a cyber attack
  • Invest in cyber security training: not as a tick box exercise but as an extension of your ‘standard’ cyber training. Train your mid and senior management in response strategies and their roles in an event
  • Create cyber attack playbooks: during a crisis, even seasoned professionals need guidance. When you’re under stress it’s easy to forget elements, and playbooks for different scenarios – that are relevant to your organisation and tested through tabletop exercises – provide an extra layer of support
  • Devise a clear-cut crisis communications strategy: include what steps to take and when, and a clear catalogue of words to use and avoid to prevent confusion or miscommunication. There are legal and financial implications at stake, so make sure whoever is responsible for your crisis communications is well-trained – this is a vastly different messaging strategy to your typical, day-to-day comms
  • Protect your people: it can be easy to forget that a crisis for your housing association could also be a crisis for your employees who are giving up their downtime to remediate and protect your organisation in the event of an attack. Avoid placing blame and show appreciation for those dealing with the attack, including providing mental health support for those involved

Talk to our Governance, Risk, and Compliance team about overcoming your cyber security challenges during a cyber attack

Our GRC team work as an extension of your organisation’s IT teams. We support you in planning, building, delivering, and testing your cyber plans to ensure that you are always protected against and prepared for an attack.

Speak to us now

Tracey Hannan-Jones
Tracey Hannan-Jones

Tracey is Phoenix's Lead GRC Consultant, with over 25 years' experience across Technical Information Security, Data Governance, and Compliance and Auditing.

See all posts by Tracey Hannan-Jones