Together Housing Group: How a Regional Housing Association Reduces Cyber-risk by 32%

Together Housing Group is a leading housing provider in the North of England, owning and managing over 37,000 properties and providing a range of support services for residents. It is a non-profit organization, meaning any profits are reinvested for the benefit of residents and communities. Together Housing Group also provides supported housing and extra care schemes and funds community projects through its charity, Newground Together.

Supporting this diverse, highly distributed environment are over 1,700 direct staff members who depend on a combination of laptops, mobile devices, on-premises servers, and cloud-delivered applications to support daily operations.

As a publicly funded, not-for-profit operating entity, Together is required to go through a full, due-diligence process for each contract renewal cycle, using a formal Request for Quotation process and an in-depth evaluation of solution providers for each 3-year contract period. Trend Micro was the only solution provider to meet all requirements out of the box, and Together Housing Group has maintained a 12-year, ongoing relationship with Trend Micro.

Technology is foundational to virtually every aspect of the Together Housing operation. With more than 500 direct workers maintaining and repairing properties, the ability to dispatch, track, and manage this highly mobile workforce is critical to the families depending on housing.

The health and confidence in this critical operating environment underlie the continued growth of this highly scrutinized not-for-profit organization, enabling continued lending and property investment to support the growing needs of the community.

Prior to working with Trend Micro, Together operated multiple siloed security solutions from multiple security vendors. Web filtering, phishing, VPNs, etc. were all separate. “It was almost impossible to trust,” said Assistant Director for ICT Stuart Curran.

Many of Together’s users utilize multiple devices, including laptops and mobile devices, and many work within a virtual desktop environment. In isolation, an activity from an individual device might not appear malicious, but when activities are monitored across all devices, a different story is often seen.

One of Together’s biggest challenges was awareness outside of IT. “We used to be called ‘blockers.’” Curran reported that he learned that Together’s security awareness needed to begin at lower levels within the organization, communicating the importance of cybersecurity to the success of the operation. As they got lower levels on board, they were then able to move up to the executive team.

The team learned that it needed to participate in other groups and show up, share, involve others, explain the impact of security, and engage them at a level where people start getting on board and asking questions. They needed to make it personal whenever possible. And when they did this, they were able to build a strong cybersecurity culture across the organization.

As a not-for-profit organization, compliance with UK Cyber Essentials is critical. Curran regularly depends on self-assessment activities to prepare himself and his team for when auditors come in and start asking questions. He further adds that these activities help with maintaining the right levels of cyber insurance.

Together experienced many challenges that touched multiple business areas, such as the technical environment, resourcing, policies, and processes. These challenges left Together generally unprepared for a major cybersecurity event.