by Jeremy Rasmussen
This is the first in a series of articles to inform multifamily professionals of the current cybersecurity threat landscape and to recommend best practices for dealing with these issues.
The first thing multifamily housing industry professionals need to know is that you are sitting on a goldmine of information that hackers would love to steal.
You collect personally identifiable information (PII) about customers—such as names, addresses, phone numbers, credit cards, Social Security Numbers, bank accounts, background checks, etc. Thieves can use this to get credit cards, file false tax returns, create fake credentials, drain bank accounts, open new utility accounts, or even get medical treatment on a victim’s health insurance.
You also have your company’s own intellectual property, financials, employee PII, bids/proposals and other company sensitive data that must be protected.
So, how much is your data actually worth? In many ways, this is difficult to quantify—in fact, there have been court cases in which plaintiffs recovered only the cost of a stolen disk because they could not prove the value of the data on it. But you can imagine some types of data might have a devastating business impact if breached. What if your company’s strategic five-year plan fell into the hands of your nearest competitor? This might have a crippling effect on prices, profits, stock value and other financials.
We can try to quantify the value of information via several factors:
- What did it cost to create the data?
- What would it cost to replace it if it were stolen (or encrypted and held for ransom)?
- What is it worth on the open market?
- What is it worth to my competitors?
- What sort of reputation hit would I take?
- What is my legal liability?
- What regulatory fines could I incur?
Regarding the last item: While there is no cybersecurity legislation specific to the multifamily housing industry, there is emerging data breach regulation at both the state and federal levels that could have an effect on the industry.
The European Union (EU) has always been very concerned with privacy protection. It recently approved the General Data Protection Regulation (GDPR), which applies from May 25, 2018 and provides for fines, including for failures to protect personal data, of up to 20 million euros or 4 percent of a firm's global annual turnover, whichever is higher. Note that GDPR already reaches U.S. companies that hold personal data on EU residents; if U.S. regulators follow suit more broadly, companies could be looking at enormous economic liability here as well.
You don't have to be a major corporation to be a target. Even small businesses are targeted, for a number of reasons, and virtually all types of data have value to an attacker. A stolen identity sells for $20 to $30 on the Dark Net, the portion of the internet that is intentionally hidden behind anonymous browsing technology and is home to an underworld of criminal activity. The liability to the company that lost it is far higher: approximately $158 per record, according to the Ponemon Institute's annual survey. For a database of 50,000 customers, that is $7.9 million of liability.
One phishing attack we have seen a lot lately (often called business email compromise) goes like this: Your accountant gets an email from the CFO requesting a wire transfer to a named bank account. The email has specific account details and even appears to carry the correct email signature and return address, although the address is in fact spoofed or comes from a look-alike domain that differs from yours by a character or two. If the accountant doesn't confirm with the CFO through a separate channel (a phone call to a known number, never a reply to the email), the wire transfer goes through. The money is then immediately moved on to a faraway place such as Ukraine or Moldova. Banks generally have only a short window, on the order of two business days, in which a wire can be recalled; after that the funds are rarely recovered. In an instant, the firm is out $20,000.
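The tells in the scenario above (an executive's name on a message from an outside or look-alike domain, a Reply-To that quietly points somewhere else, and payment language) can be checked mechanically before a person ever acts on the request. The following is an added example written for this article, not code from the author or from Abacode; the corporate domain, the executive name list and the two sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Assumed values for the illustration (constructed, not from the article).
CORPORATE_DOMAIN = "example-apartments.com"
EXECUTIVE_NAMES = {"jane doe"}          # people who could plausibly authorize a wire
PAYMENT_WORDS = ("wire", "transfer", "urgent", "account", "routing")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_alike(domain: str, legit: str = CORPORATE_DOMAIN) -> bool:
    """True when `domain` is not the legitimate domain but closely resembles it,
    e.g. a typo-squat (apartrnents vs apartments) or the same name under another TLD."""
    if not domain or domain == legit:
        return False
    same_name_other_tld = domain.split(".")[0] == legit.split(".")[0]
    similarity = SequenceMatcher(None, domain, legit).ratio()
    return same_name_other_tld or similarity >= 0.85


def bec_indicators(raw_message: bytes) -> list:
    """Inspect one RFC 5322 message and return a list of human-readable red flags.
    An empty list means none of the sender-side indicators fired."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    findings = []
    # 1. Executive display name, but the actual sender is not on our domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != CORPORATE_DOMAIN:
        findings.append(f"display name '{from_name}' with external sender domain {from_dom}")
    # 2. Sender domain is a near-miss of the corporate domain.
    if looks_alike(from_dom):
        findings.append(f"look-alike sender domain {from_dom}")
    # 3. Replies would go to a different domain than the one shown in From.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Payment language only escalates an already suspicious sender; a genuine
    #    CFO asking for a wire from the real domain is not flagged.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [w for w in PAYMENT_WORDS if w in text]
    if findings and len(hits) >= 2:
        findings.append(f"payment language ({', '.join(hits)}) from a suspicious sender")
    return findings


# Constructed sample: the CEO-fraud message described in the article.
FRAUDULENT = b"""From: Jane Doe <jane.doe@example-apartrnents.com>
Reply-To: Jane Doe <jdoe.cfo@mail-relay.example.net>
To: accounting@example-apartments.com
Subject: Wire transfer needed today
Content-Type: text/plain; charset="utf-8"

This is urgent. Please wire $20,000 to the vendor account below today.
Routing and account details follow.
"""

# Constructed sample: the same request sent legitimately from the real domain.
LEGITIMATE = b"""From: Jane Doe <jane.doe@example-apartments.com>
To: accounting@example-apartments.com
Subject: Wire transfer for Q3 vendor invoice
Content-Type: text/plain; charset="utf-8"

Please wire the approved amount to the vendor account we discussed on the call.
Routing details are in the signed PO.
"""

if __name__ == "__main__":
    for label, sample in (("fraudulent", FRAUDULENT), ("legitimate", LEGITIMATE)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

A check like this belongs at the mail gateway or as a banner in the mail client; it does not replace the out-of-band phone call, because a genuinely compromised executive mailbox sends from the real domain and trips none of these indicators.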
On occasion, we speak to clients who believe they have minimal exposure or hold little or no data of any value. Once we probe a little deeper, however, they quickly realize that their systems could be compromised and then used to launch attacks on others, or to exploit a trust relationship (as vendor or as client) with another business, with responsibility for the resulting breach coming back squarely on them.
The cost of a data breach is significant today, and it will only continue to escalate as liability, regulation and other factors increase. Showing a return on investment (ROI) for cybersecurity spending is difficult, but it is akin to carrying the right amount of insurance. No one wants to pay for a lot of insurance, but you would be at much greater risk without it. Systems today are so complex and interconnected that it is not a matter of if an incident will occur, but when, and how prepared you are to respond.
Jeremy Rasmussen is chief technology officer & cybersecurity director of Abacode, a company based in Tampa, Fla. that provides all aspects of cybersecurity for growing organizations and employs global thought leaders and industry experts in ethical hacking, digital forensics and corporate governance.