Case Study
Sutton Housing Society
A cybersecurity assurance review.

The Brief
Sutton Housing Society (SHS), a provider of housing for older people in the London Borough of Sutton, recognise the growing and evolving importance of cybersecurity in safeguarding sensitive resident data and ensuring operational resilience.
The Regulator of Social Housing’s Sector Risk Profile now lists data security and integrity as a primary threat to housing providers. Although SHS already had many protections in place, it commissioned a cybersecurity assurance review from Campbell Tickell and 3C to assess evolving risks, strengthen controls, and ensure cybersecurity protection was aligned with best practices. The review resulted in actionable recommendations that improved Sutton’s security posture, providing assurance and peace of mind to the executive team and board.
Background
Sutton Housing Society manages over 509 properties and stores highly sensitive personal data, including financial and welfare information. With 26 work devices and a reliance on approximately 75 third-party IT platforms, the organisation faced challenges in maintaining visibility and control over the security of its digital ecosystem.
Baseline
To their credit, SHS already had a number of relevant policies, checks and risk management initiatives in place. The review took these into account in determining the subjects and issues which were exposing SHS to higher levels of cybersecurity risk.
Challenges
SHS’s challenges mirrored those of a great many organisations and included:
01 Ensuring a complete asset inventory of systems and suppliers
02 Password management and safeguarding against credential compromise
03 Broad access providing exposure to data breaches
04 Ensuring that there is an adequate incident response plan
05 Ensuring devices nearing end-of-life are secure
Solution
SHS commissioned a comprehensive cybersecurity review to identify strengths and gaps in the current security landscape. It was clear that cybersecurity was already robust, with a range of important protections already in place, but the review was able to highlight a few important areas where it could be further improved. These included:
01 A method to improve password management
02 Reassessing access controls within the housing management system
03 The identification of 3 new cyber risks and treatment actions for their risk register, which was key to SHS’s existing governance practices
04 An assessment of security compliance against the Regulatory Sector Risk Profile
05 Discussion with SHS and their IT provider to check insurance cover and review third-party access
06 The identification of any potentially compromised passwords, exposed files and suspicious email rules
07 Better visibility of third-party software
08 Gaining Cyber Essentials certification and strengthening cybersecurity training for staff and board members
09 Suggesting further improvements, such as strengthening incident response planning, penetration testing and policy updates for AI usage and data retention
The Results
- Creation of a centralised asset register for systems and suppliers
- Approval and rollout of Password Manager software for secure credential management
- Enhanced security awareness through ongoing training
- A strategic roadmap for future improvements
- A strengthened compliance posture and reduced risk exposure
Key Takeaways
The executive team at SHS found great value in gaining assurance on the things they are already doing, together with an understanding of the issues where changes could make them more secure. It was great to work with a client who understands that cybersecurity is not a one-time exercise; it requires regular review and improvement. Organisations must have visibility of third-party systems and regularly check and enforce strong password management and access controls if security is to remain robust. Simple measures such as a regular cybersecurity review, the use of password managers and board-level training can significantly reduce risk.
Key Contact
If you would like to discuss our work, please get in touch.

Jon Slade
Director


