A recent NAA series of articles by Jeremy Rasmussen, Chief Technology Officer & Cybersecurity Director of Abacode focused on the importance of informing multifamily professionals of the threat-scape and recommended best practices for dealing with Cybersecurity Issues. These articles highlighted the fact that multifamily housing industry professionals are sitting on a goldmine of information about their residents that hackers would love to steal. They collect personally identifiable information about customers—such as names, addresses, phone numbers, credit cards, Social Security Numbers, bank accounts, background checks, etc. All of this information can be used by thieves to get credit cards, file false tax returns, create fake credentials, drain bank accounts, open new utility accounts, or even get medical treatment on a victim’s health insurance. Additionally, multifamily property managers/owners need to be concerned about their own company’s intellectual property, financials, employee personal information, bids/proposals, and other company sensitive data that must be protected from hackers.

When it comes to cyber security some of the questions you need to consider are:

  • What would it cost to replace it if it were stolen (or encrypted and held for ransom)?
  • What is it worth on the open market?
  • What is it worth to my competitors?
  • What sort of reputation hit would I take?
  • What is my legal liability?
  • What regulatory fines could I incur?

Although, there is no Cybersecurity Legislation specific to the multifamily housing industry, there is emerging data breach regulation at both the state and federal levels that could have an effect on the industry.

The cost of a data breach is significant today and that cost will only continue to escalate as liability, regulation, and other factors increase. Cybersecurity systems today are so complex and interconnected that it’s not a matter of if an incident will occur, but when, and how prepared you are to respond. Multifamily Housing providers should commit to practicing due diligence in protecting their data because failing to do so can lead to hefty financial penalties in terms of lost business and productivity, regulatory fines, and litigation.

Everyone knows that a firewall is absolutely necessary for network protection, but it often provides little more than a false sense of security because the reality is that most hackers will try to go around the firewall. The reality is that effective cybersecurity can’t come from a single product such as a firewall or antivirus software. It comes from a comprehensive framework that encompasses: Prevention, Detection, Reaction, and Continuous feedback/ improvement. According to cryptography expert and security pundit Bruce Shneier, “Security is a chain; it’s only as secure as the weakest link. Security is a process, not a product.”

A common cyber industry description of a secure computer system is “the one that is unplugged, wrapped in chains and sunk to the bottom of the ocean. However, it’s not very usable.” Whenever humans interact with systems, they introduce errors, which can lead to exploits by attackers. People use weak passwords. People click on links to malicious sites. People give out too much information via email or phone. It is imperative that property owners/ managers invest the resources to provide continuous cybersecurity training for employees. Your team offers the first and last line of defense. An untrained workforce can subvert other protections you have put in place. A well-trained workforce, on the other hand, lowers risk.

As Jeremy Rasmussen points out in his articles, “every organization needs a formalized cybersecurity awareness training plan, and a process for repeatedly beating it into employees’ brains!” He recommends using the following method:

1 Policy.
Develop an Acceptable Use Policy (AUP) for the organization. This should define people’s roles and responsibilities for security. It should outline the do’s and don’ts on the corporate network. This policy document should be readily accessible

2 Initial Training.
As part of the onboarding process, train new employees on the AUP, to the extent of making them pass a quiz on it, and then have them sign an acceptance of the AUP – all prior to granting them access to any computing assets.

3 Ongoing Training.
Require periodic (say, annual) cybersecurity awareness training – either live in-person sessions, educational videos, or other computer-based training. Make sure this training is concise, engaging, and relevant. Remember, attackers’ methods change often. For example, no one was talking about ransomware five years ago. So, your training needs to be fresh.

4 Phishing Campaigns.
You should send periodic fake phishing emails to your employees, and track their response to them. Those who fall victim to these attacks should receive remedial training. Habitual offenders might require H.R. action – because they are continually putting the company at risk.

Remember You can never eliminate all risk in your company, but by making it as small as possible, hackers will move on to lower hanging fruit.