Cyber Threats to Public Housing: What Every Agency Needs to Know

Cyberattacks targeting public-sector organizations, including public housing authorities, continue to rise.

For housing organizations, a single cyber incident can interrupt daily operations, compromise sensitive information, and create financial and reputational challenges that are difficult to recover from. To help agencies better understand these risks, HAI Group hosted a virtual event, Cyber Threats to Public Housing: What Every Agency Needs to Know, focused on the evolving cyber threat landscape and practical ways to strengthen preparedness.

The discussion brought together cyber, insurance, and housing industry experts for a candid conversation about the risks facing housing organizations and practical steps agencies can take to strengthen their defenses.

The panelists included:

• Megan Peyton, Senior Cyber Advisor at M3 Insurance Solutions
• Troy LePage, Chief Operating Officer and Executive Vice President at HAI Group
• Doug Fleming, Executive Director at the Lansing Housing Commission
• Brandyn Fisher, V-CISO Capability Lead and Senior Penetration Testing Technical Lead at Centric Consulting

Watch the full recorded session to hear the complete discussion, including a firsthand account from a public housing authority that experienced a cyber incident and the lessons learned during recovery.

Why this conversation matters for public housing

Public housing authorities manage sensitive information, including resident identification details, financial information, income records, and other data needed to administer housing programs. That makes cybersecurity not only a technology issue but also an operational, financial, and resident-trust issue.

During the discussion, LePage emphasized that HAI Group continues to hear from housing organizations affected by cyberattacks. While the threat landscape continues to evolve, the panelists made one message clear: Housing organizations do not need to solve everything at once, but they do need to start taking practical steps now.

The conversation covered:

• Cyber trends HAI Group is seeing across the public and affordable housing industry
• Common vulnerabilities that can increase an organization’s exposure
• A real-world cyber incident experienced by the Lansing Housing Commission
• How cyber insurance can support incident response and recovery
• Practical cybersecurity controls agencies can begin strengthening right away

What cyber threats are housing organizations facing

Fisher explained that many cyber incidents start with social engineering, including phishing emails, phone scams, and attempts to manipulate staff into sharing credentials or resetting access controls.

The panel also discussed business email compromise, which LePage described as one of the most common threats HAI Group sees affecting housing organizations. These scams often create a false sense of urgency and appear legitimate, frequently impersonating trusted vendors or partners to deceive employees into sharing payments or sensitive data. They can target finance, operations, leadership, and other roles beyond the IT team. Watch HAI Group’s Business Email Compromise video to learn how BEC attacks work, how to identify warning signs, and what steps your organization can take to protect itself.

Deepfakes and artificial intelligence are also making social engineering more difficult to detect. Fisher noted that AI can increase the speed and volume of attacks while making messages, voices, and impersonation attempts appear more realistic. For housing organizations, this means cybersecurity awareness cannot be limited to the IT department. Finance teams, leadership, frontline staff, and anyone with access to sensitive data or payment processes all play a role in prevention.

A real-world reminder from the Lansing Housing Commission

Fleming shared the Lansing Housing Commission’s experience with a cybersecurity attack that quickly escalated into a full-scale response involving IT partners, law enforcement, and legal counsel. What began as an employee reporting that her computer was not working quickly became an urgent effort to understand what happened, restore systems, and confirm whether sensitive information had been compromised.

In the HAI Group case study video, Fleming reflects on the day of the attack, the organization’s recovery process, and the steps taken to confirm that no sensitive data was stolen. He also shares lessons learned since the incident, including the importance of employee training, multifactor authentication, reporting suspicious activity, working with trusted technology partners, and carrying cyber insurance coverage. 

One of the most important safeguards was a segregated backup system. Because Lansing had backups that were separate from the affected network, the agency was able to restore operations without paying a ransom.

The experience reinforced a key message for housing organizations: cybersecurity preparedness is essential for agencies that manage highly sensitive resident and applicant information. Strong technology partners, clear response planning, employee awareness, and cyber insurance coverage can all help organizations respond more effectively when an incident occurs. Watch the Lansing Housing Commission case study video to hear Fleming’s firsthand account and the lessons other housing organizations can apply to their own cybersecurity planning.

Practical steps agencies can take now

While cybersecurity can feel overwhelming, the panel emphasized that strong foundational controls can make a meaningful difference.

Key steps discussed during the event included:

• Implementing multifactor authentication, especially for email, remote access, and administrative accounts
• Creating and testing secure backups that are separate from the main network
• Reviewing vendors and third-party software providers as part of cybersecurity planning
• Establishing an incident response plan before an attack occurs
• Training employees to recognize phishing, business email compromise, deepfakes, and other social engineering tactics
• Creating payment verification processes before changing wire instructions or vendor payment information

The panelists also encouraged organizations to build a culture where cybersecurity is everyone’s responsibility. As LePage noted during the discussion, organizations can begin by making cybersecurity a leadership conversation and taking the first step now. That planning should also include a clear understanding of how cyber insurance can support an organization before, during, and after an incident.

How cyber insurance can support response and recovery

Peyton explained that cyber insurance not only serves as a reimbursement tool but also as a response tool during an incident.

When a cyber event occurs, an insurance carrier or cyber insurance partner may help connect the organization with legal, forensic, notification, and recovery resources. These specialists can help the organization understand what happened, determine next steps, manage response obligations, and work toward restoring operations.

The panelists encouraged organizations to understand their coverage before an incident occurs. That includes knowing who to call, what services are available, and what risk management resources may be included with a policy. Peyton also noted that many cyber policies may include access to resources such as employee awareness training or support for tabletop exercises. These tools can help organizations strengthen their cybersecurity posture before a claim occurs.

To learn more about cyber insurance options for your organization, reach out to your HAI Group account executive.

Questions from the session

What should an agency do first if it experiences a cyber incident?

The first hours of a cyber incident are critical. Organizations should contact their IT provider, follow their incident response plan, and notify their cyber insurance provider or carrier as early as possible.

Peyton emphasized that getting the right people involved early can help the response move more efficiently. This may include legal counsel, forensic specialists, notification support, and other experts who understand cyber incidents and response obligations.

Why are backups so important during a ransomware incident?

Backups can help an organization restore systems and data without relying on the affected network. Fisher explained that backups should be separate from the main environment so attackers cannot easily access, encrypt, or destroy them.

Testing backups is also important. A backup is only useful if the organization knows it works and understands how quickly systems can be restored.

What is one of the most important cybersecurity controls for housing organizations?

The panel repeatedly pointed to multi-factor authentication as one of the most important and practical safeguards organizations can implement.

Fisher recommended asking a more specific question: Where do we not have multifactor authentication? This approach can help identify gaps in older systems, remote access tools, administrative accounts, or other entry points that may otherwise be overlooked.

How can smaller housing organizations improve cybersecurity with limited resources?

Several panelists acknowledged that many housing organizations have limited budgets and may not have large internal IT teams. The recommendation was to start with the basics: multifactor authentication, employee training, secure backups, incident response planning, vendor review, and insurance conversations.

Fleming also encouraged housing leaders to recognize when they need outside expertise. Housing professionals know how to serve residents and manage housing programs, but cybersecurity often requires specialized support.

What role does staff training play in preventing cyber incidents?

Staff training is essential because many attacks begin with human interaction. Phishing emails, fraudulent phone calls, fake payment requests, and impersonation attempts are designed to trick employees into taking actions that grant attackers access.

Training can help employees recognize warning signs and understand what to do when something feels suspicious. It can also reinforce the importance of confirming payment changes, reporting suspicious messages, and slowing down before responding to urgent requests.

Continue strengthening your cybersecurity awareness

Cybersecurity threats will continue to evolve, but housing organizations can reduce risk by building stronger habits, reviewing their coverage, and taking practical steps to improve preparedness.

To learn more, watch the full recording of Cyber Threats to Public Housing: What Every Agency Needs to Know and explore additional HAI Group cybersecurity resources:

• HAI Group Cybersecurity Center
• The Importance of Cybersecurity Coverage: An HAI Group Case Study with Lansing Housing Commission
  
• Business Email Compromise (BEC)
• Five Signs to Watch for When It Comes to Deepfakes
• Don’t Get Hooked: What Housing Organizations Need to Know About Social Engineering Attacks
• AI-Driven Phishing Schemes: What Public and Affordable Housing Agencies Need to Know

For additional guidance, visit the HAI Group Resource Center for cybersecurity articles, videos, and risk management resources designed for public and affordable housing organizations.