Attacking the Hack: How to Keep Resident Data Safe

Cybersecurity breaches are an ever-growing concern, as almost every month seems to bring news of a major incident. In the multifamily industry, the issue came to the forefront three years ago when Essex Property Trust announced a major intrusion.
Cyber-safety checklist

Cyber-safety checklist

Cybersecurity breaches are an ever-growing concern, as almost every month seems to bring news of a major incident. In the multifamily industry, the issue came to the forefront three years ago when Essex Property Trust announced a major intrusion. For today’s operators, the prudent question is not whether an attack will occur, but when.

The theft of residents’ private information is of special concern, since operators are stewards of data that criminals are only too eager to exploit. Failure to protect residents exposes owners and operators to damaged finances, reputation and good will. With this in mind, multifamily owners and managers must make it a priority to develop and maintain an effective cybersecurity strategy.

Managing the data

Experts say that the most important part of any anti-hacking strategy is monitoring and visibility, which give specialists a clear view of security measures and facilitate their management. Like any other enterprise responsible for large stores of personal data, a multifamily operator must know the ins and outs of its network in order to protect it from hackers. And as a growing volume of data is collected and retained, the choice of management software plays a growing role in cybersecurity.

“In today’s multifamily (industry), this is more of a rule than an exception. If you have all this important information retained by a third party, the company needs to think about how they can protect themselves and their residents,” said Dave McKenna, CEO of ResMan Property Management Software. “It’s on the service partner to provide that security, because they are the ones being handed valued data. We owe that trust to clients, but customers also need to be aware that this relationship exists, and should be asking proper questions.”

Rapid response

Creation of a well-designed, flexible response plan is crucial preparation for damage control when an incident occurs. Development of the protocol should draw on a variety of sources, including a cybersecurity consultant, a forensic guide to analyze the causes and origins of the breach and a team monitoring the system. Having that protocol in place is essential to stopping the breach quickly and determining what information may have been accessed or stolen. 

Frank Santini, co-chair of the cybersecurity and data privacy practice at Trenam Law, notes that the customer service impact is one of the most important issues of a breach. “If someone finds out their information has been stolen, they will be upset and they will want to know what your company plans to do about it,” he said. “Dealing with this in an organized way will alleviate some of the deeper issues that could occur, such as lawsuits.”

Residents should be notified immediately of any breach that puts personal information at risk, says Santini. The operator and its consultants should prepare for the possibility of a breach by establishing a system to handle first-party issues such as client phone calls and public relations inquiries. Setting up a call center and sending out notification letters through the legal team are steps toward dealing with these issues.

Immune system

Contrary to widespread belief, an IT department is not set up to handle cybersecurity. Whereas the IT team serves as the company’s central nervous system, making sure the network functions properly, the cybersecurity team is like its immune system, explained Jeremy Rasmussen, chief technology officer & cybersecurity director of Tampa-based Abacode.

In order to know what information hackers might look for, multifamily operators need to take an in-depth look at system operations. “These companies need SIEM—security information and event management—and an expert team of trained analysts to watch the system 24/7 and have an incident response plan in place for real-time breaches,” Rasmussen observed.

“This will give them instant feedback on how the cybersecurity network is doing, and what effective changes need to be made. Most companies go 270 days until a breach is discovered, because they don’t have visibility. A defender has to defend 1,000 ways in, and an intruder only needs one.”

Beating the breach

Experts recommend further steps to mitigate network vulnerabilities and reduce the odds of an attack. Implementing a cybersecurity system is a top-down process, multifamily technology executives contend. “You will never get the backing of your C-Suite with just the IT department,” explained Michael Reese, chief information officer for USA Properties Fund. “You need the CEO, the CFO, the marketing team, all the higher-ups to be involved in this process in order to get the buy-in the company will need. Everyone needs to participate.”

However, that participation must be far more extensive than many multifamily operators probably realize. Making sure that each employee understands regulations and completes safety training is a highly effective yet sometimes underutilized tool for minimizing breaches caused by human error.

(On the corporate side, experts advise that access to Social Security numbers, salaries and other sensitive employee data should be limited to human resources, payroll and similar departments.)

At the same time, employees need to make sure that all company-provided devices are using up-to-date software and systems. “This is a never-ending battle. All users need to be aware of these threats and how they play a part in the system’s vulnerability,” added Reese. “Users are the weakest link and 50 percent of breaches could be prevented with employee intervention.” 

Lastly, penetration testing—often called white-hat or pen testing—is a go-to strategy for cybersecurity success. In this exercise, the consultant enters the network unannounced, mimicking a real attack. As Rasmussen notes, this enables the consultant to identify vulnerable points, assess potential damage and recommend upgrades.

Originally appearing in the September 2017 issue of MHN.