This article first appeared on National Apartment Association ~ NAAHQ.org
By Jeffrey Kok
As onsite processes continue their rapid advance toward digital, multifamily housing organizations have increasingly focused on cybersecurity in recent years. Companies are taking cybersecurity more seriously at the board level as investors have pushed for more stringent data-privacy measures, and many of the practices are funneling to the site level, especially with the emergence of the Internet of Things (IoT).
But significant gaps remain in the industry’s grasp of cybersecurity and data privacy effectiveness and how to improve it. That is regularly evident in the incomprehensive contracts written throughout the industry by different providers. In addition, 80 percent of observed cyberattacks used vulnerabilities reported and registered in 2017 and earlier, according to data from Entrata. More than 20 percent of the attacks exploited vulnerabilities that are at least 7 years old.
While the industry has taken steps to promote cybersecurity awareness in several areas, particularly regarding phishing attacks and ransomware, a large part of the shift has been reactive. For instance, when new legislation is introduced—such as the California Consumer Privacy Act (CCPA)—companies are only then more likely to focus on how their data privacy and cybersecurity practices are being upheld.
As 2020 has brought a host of new threats from opportunistic infiltrators, many organizations don’t yet have a comprehensive understanding of contract law and the company’s obligation to further secure data. Legal teams are helping to bring awareness to existing and forthcoming threats, but it remains in the early stages in the apartment world.
Following is a look at the current state of cybersecurity in multifamily housing and what the industry can do to better protect itself from cyberattacks that could lead to costly data breaches.
In multifamily housing and elsewhere, there’s been a rise in cybersecurity threats during the pandemic. In a recent Deloitte study featuring some 880 executives, nearly 70 percent of those surveyed indicated they had seen more cyber incidents this year. Entrata data shows that hacking skyrocketed early in the pandemic, with phishing attacks jumping from fewer than 5,000 in February to more than 200,000 in late April. Cyberattacks as a whole were up 34 percent from March to April, according to Check Point Research’s mid-year report.
The increase during tumultuous times is not surprising, as the adversary never sleeps. And, unfortunately, the adversary isn’t always a third party: Attackers inside an organization often use times of change to take advantage of their knowledge of systems. Whether from outside or inside, attackers will prey on organizations that are spread thin during a disruptive situation like this pandemic.
For instance, when cybersecurity is breached, thieves can manipulate access controls and sneak into buildings through tailgating, duplicating access credentials, having an accomplice on the inside or using more sophisticated methods to compromise controls. Apartment communities need to understand what risks they are exposed to and how threats can happen.
Cybersecurity is rooted in knowing what data you have in your possession and what categories of data matter most to your organization. IT teams must then classify that data accordingly, whether it’s intellectual property, sensitive data, public data or other. Organizations must also understand the risk to that data being shared, exposed or breached. Part of that awareness involves knowing where the data is located.
Essentially, education is the key to data privacy. Different classifications of data exist—such as personally identifiable information (PII)—and onsite associates must be aware of whether it is resident data or associates’ data. And they need to know whether the PII is all stored in one location or in multiple locations, and whether it is in a cloud-based location or stored elsewhere.
Once fully aware of data types and locations, housing community teams can educate themselves on the potential risks. For instance, if PII Is leaked out, what impact could that have on residents or associates? What if their information is sold on the dark web? What impact could this have on your company from a brand reputation and financial perspective? Separately, what if an insider takes or leaks intellectual property? Could it lead to a competitive disadvantage?
Knowing these details allows you to quantify and classify the data, then institute controls. Whether a control involves a policy or a physical operation (such as automatically deleting any PII on a device), teams must then decide how to audit that control to make sure it’s effective.
Other data-privacy measures require foresight and forward-thinking approaches from IT teams. These include network segmentation for Wi-Fi and smart home-equipped buildings, as well as deciding whether the networks are physically or logically separated within the infrastructure based on risk threshold. IT teams also should monitor data transference enough to recognize abnormal trends and assign behavioral analytics to get additional information.
Instituting proper corporate controls—such as multifactor authentication, privileged access management, and encryption in transit and at rest—also helps keep the data secure. Endpoint protection for antivirus and malware scanning is naturally a must-have, but organizations should also be able to identify and quarantine any suspicious data events.
Organizations also need to ensure that vendors have proper indemnification against potential liability when accessing systems, such as willful misconduct, gross negligence or breach of confidentiality. And in the unfortunate event that a breach does occur, organizations should have a solid data-backup strategy, disaster-recovery strategy, incident-response plan and cyber insurance. If your data is ransomed, corrupted or destroyed, a plan should immediately be set into motion.
While cybersecurity and data privacy are typically subjects reserved for IT and legal teams, the industry has made a concerted effort to educate onsite associates as well. According to Entrata, attacks on site-level associates’ computers are the most common, often with the attacker posing as an executive-level person requesting data or other sensitive information. Email attacks are much more common (78 percent) than web attacks (22 percent).
While apartment companies regularly deploy phishing tests to monitor site-level associates’ level of awareness of fraudulent emails, training the onsite team is very important in several other areas, including keeping residents abreast of privacy laws. Associates should be able to readily direct residents to the apartment community’s privacy policies when residents inquire about them.
In addition, onsite associates should be trained in the nuances of building security. When a technician arrives to work on a system, onsite team members should know how to authenticate that person. They must be able to verify the company the technician represents, the task to be completed and whether the tech will be connecting to the network and is authorized to do so.
Onsite teams should also be trained in the community’s high-level cybersecurity initiatives to ensure residents are protected. They have to be transparent when residents ask about smart-home devices, and able to assure them that the community is not collecting data, watching video or listening in. Associates need to be able to appropriately communicate those data-safe boundaries.
Although much of cybersecurity and data privacy training is tech-based, tabletop exercises can be invaluable as well. For instance, you propose a scenario such as a C-level associate receiving a call from the FBI saying: “We have some of your data.” The data clearly has been breached—now how do you respond? In these exercises, organizations can craft plans as to who will talk to the press, the ideal time to go public based on legal guidance and jurisdictional laws and who is going to oversee the investigation of how the breach occurred and breach remediation.
In addition, make sure onsite leaders are acutely aware of your organization’s acceptable-use policies for residents as well as associates. And if you are following a framework such as ISO 27001 or NIST and following data-privacy laws such as CCPA or the General Data Protection Regulation (GDPR), ensure that your associates know the parameters.
When navigating a topic as complex as cybersecurity, ongoing education is vital. Connect with subject matter experts and watch trends with the understanding that not every new innovation will necessarily have the desired impact. Decide on your methodology, whether it’s a “least-privileged” approach (where individuals with certain credentials can gain access) or a zero-trust approach, in which any activity within your network must be verified.
In the end, proper cybersecurity measures include watching cyberattack trends; focusing on the data and understanding where it’s kept, how and where it’s used, and what it’s used for; and making certain all data is properly protected.
Jeffrey Kok is the Chief Innovation Officer and Chief Information Officer for Mill Creek Residential.
With so much resident and prospect information collected by operators, it’s critical to understand and comply with the laws regulating data privacy. Interested in learning more? Read And That’s the Way the Cookie Crumbles: Resident Data Privacy