Case Study: Sutton Housing Society - strengthening cybersecurity

Cybersecurity: Staying one step ahead of the hackers

3C provide cybersecurity reviews specifically designed for the smaller social housing provider. Sutton Housing Society wanted to ensure they stayed one step ahead of the cyber criminals. Read more from their case study.  

Executive summary

Sutton Housing Society (SHS), a provider of housing for older people in the London Borough of Sutton, recognise the growing and evolving importance of cybersecurity in safeguarding sensitive resident data and ensuring operational resilience.

The Regulator of Social Housing’s Sector Risk Profile now lists data security and integrity as a primary threat to housing providers. Although SHS already had many protections in place, it commissioned a cybersecurity assurance review from Campbell Tickell and 3C to assess evolving risks, strengthen controls, and ensure its cybersecurity protection was aligned with best practice. The review resulted in actionable recommendations that improved Sutton’s security posture, providing assurance and peace of mind to the executive team and board.

Sutton’s Chief Executive Robin Roberts commented: “The level of detail was great. We gained assurance we were already doing many things right, together with a number of actions we can take to make our systems and data even more secure.” 

Background

Sutton Housing Society manages 509 homes and stores highly sensitive personal data, including financial and welfare information. With 26 work devices and a reliance on approximately 75 third-party IT platforms, the organisation faced challenges in maintaining visibility and control over the security of its digital ecosystem.

Baseline

To their credit, SHS already had a number of relevant policies, checks and risk management initiatives in place. The review took these into account in determining the subjects and issues that were exposing SHS to higher levels of cybersecurity risk.

Challenges

SHS’s challenges mirrored those of a great many organisations and included:

  • Ensuring a complete asset inventory of systems and suppliers.
  • Password management and safeguarding against credential compromise.
  • Broad access providing exposure to data breaches.
  • Ensuring that there is an adequate incident response plan.
  • Ensuring devices nearing end-of-life are secure. 

Solution

SHS commissioned a comprehensive cybersecurity review to identify strengths and gaps in the current security landscape. It was clear that cybersecurity was already robust, with a range of important protections already in place, but the review was able to highlight a few important areas where it could be further improved. These included:

  • A method to improve password management.
  • Reassessing access controls within the housing management system.
  • The identification of 3 new cyber risks and treatment actions for their risk register, which was key to SHS’s existing governance practices.
  • An assessment of security compliance against the Regulatory Sector Risk Profile.
  • Discussion with SHS and their IT provider to check insurance cover and review 3rd party access.
  • The identification of any potentially compromised passwords, exposed files and suspicious email rules.
  • Better visibility of third-party software.
  • Gaining Cyber Essentials certification and strengthening cybersecurity training for staff and board members.
  • Suggesting further improvements such as strengthening incident response planning, penetration testing, and policy updates for AI usage and data retention.

Results and impact

  • Creation of a centralised asset register for systems and suppliers.
  • Approval and rollout of Password Manager software for secure credential management.
  • Enhanced security awareness through ongoing training.
  • A strategic roadmap for future improvements.
  • A strengthened compliance posture and reduced risk exposure. 

Key takeaways

The executive team at SHS found great value in gaining assurance on the things they are already doing, together with an understanding of the issues where changes could make them more secure. It was great to work with a client who understands that cybersecurity is not a one-time exercise; it requires regular review and improvement. Organisations must have visibility of third-party systems and regularly check and enforce strong password management and access controls if security is to remain robust. Simple measures such as a regular cybersecurity review, the use of password managers and board-level training can significantly reduce risk.