The Other Reality of Remote Work

Work-from-home policies sparked by the COVID-19 crisis highlight the importance of sound cybersecurity practices. Here are four areas where apartment firms should keep a close watch.

The COVID-19 pandemic has forced apartment firms to change the way they operate their headquarters, regional offices and apartment communities. While some roles have proved adaptable to remote work, others have required more creative and innovative solutions.

READ THE DIGEST

For those who have abruptly shifted to remote work, this transition has been made possible thanks to business continuity planning and new technology, especially cloud-based software applications. Yet this transition is also revealing new challenges and cyber-related vulnerabilities for apartment firms.

Some team members may be unfamiliar with these different technologies, and, of course, all employees are vulnerable to existing and new cyberthreats in the absence of on-site IT security support. As apartment firms continue to navigate the effects of COVID-19 on their residents and employees, it is crucial to follow cybersecurity protocols and best practices for managing new network vulnerabilities. Here are a just a few areas that apartment operators and managers should pay attention to.

No. 1: Video Conferencing

Julianne Goodfellow

As firms adjust to the new paradigm, their teams have rapidly adopted video conferencing as a means of communication and collaboration. However, recent reports show that some of the available software services may have gaps in security and privacy. For example, following complaints of video conference hijacking, often referred to as “Zoom-bombing,” many video conferencing software providers are implementing additional security measures in order to address consumer concerns. Additionally, news reports indicate that nefarious actors have recently obtained credentials for more than 500,000 Zoom accounts, so Zoom passwords now need to be changed.

Apartment firms can raise their level of security and privacy by taking simple measures to control access to meetings. For example: not sharing meeting links on public channels; using passwords and other privacy settings; and requiring registration and waiting rooms so that hosts can vet potential participants. When selecting vendors, apartment firms should ensure that they are using strong security in clouding end-to-end encryption. In addition, they need to be sure that all video conference attendees use updated versions of remote meeting applications.

No. 2: COVID-19 Phishing

Daria Dudzinski

As apartment firms put COVID-19 precautions in place and transition to full-time teleworking status, malicious actors are capitalizing on these turbulent and emotional times. While implementing and maintaining business continuity plans, companies need to educate employees about the influx of COVID-19-related phishing schemes.

Bad actors are tapping into the fear surrounding the novel coronavirus to dupe their targets into clicking on links and attachments that will lead them to bogus protection products, fake alerts about cases in the community, inaccurate prevention tips and illegitimate fundraisers for victims. These scams are often made to look like they come from credible sources like the World Health Organization or the Centers for Disease Control and Prevention, complete with logos or email addresses that appear authentic. Firms should remind their employees that phishing emails can be highly sophisticated, and that organizations like the CDC or WHO do not require logins for access to their information, provide grants or award prizes.

No. 3: Remote Security and Access

A variety of enterprise technology solutions are available to connect employees to a firm’s information technology network. Critical lines of defense include utilizing an enterprise virtual private network (VPN) and requiring multi-factor authentication.

The Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security, recommends that IT staff should be “ … prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery … these tasks should be documented in the configuration management policy.”

With these recommendations in mind, experts recommend training and communicating with remote staff to ensure that they are using strong passwords on their home wireless networks, changing the default password on modems and routers, and accessing the latest security configurations and patch updates. These recommendations should already be a part of standard cyber-hygiene practices, but this new environment necessitates a reminder. (NMHC provides member resources on cybersecurity best practices at nmhc.org/data-privacy.)

No. 4: Personal Devices  

In this environment, many employees may have to rely on personal devices including tablets, cell phones and home computers while working remotely. However, if these personal devices are connected to an organization’s internal network, they can pose an elevated risk because they are not typically secured at the same level as enterprise-provided devices.

For this reason, we recommend that firms develop Bring Your Own Device (BYOD) policies that address security measures, information access and functional capabilities for personal devices, and communicate those policies to employees. The National Institute of Standards and Technology recently released a helpful Guide to Enterprise Telework, Remote Access and Bring Your Own Device Security that will help any firm’s efforts. If your organization already has these measures in place, now is a great time to remind your employees how your BYOD policy translates during this prolonged period of teleworking. At a minimum, set up a separate and external wireless network strictly for BYOD devices and ensure the network is consistently monitored.

Another option to mitigate BYOD risk is to establish a system of tiered remote access managed by the information security team. In this system, company-owned devices may have access to the full suite of company resources, files and software. BYOD personal computers would then have limitations on that access. And finally, BYOD devices like smartphones or tablets would have limited access to lowest-risk resources, such as an email account. Organizations should also consider access to collected data and personally sensitive information when creating and enforcing their tiered access system.

In addition, as work and personal lives blend, employees may use their business devices for personal work. We recommend reminding employees about existing policies for the use of business devices and communicating best practices.

Cybersecurity Best Practices Work

Remote-work technology is allowing many apartment operators to continue to provide safe and secure apartment homes for 40 million Americans. That’s why protecting cyber infrastructure needs to be top of mind at all levels of your enterprise. Fortunately, adhering to long-standing cybersecurity best practices can make this time a little more navigable. These next few weeks will certainly show us just how much of our workload can be done remotely, how fast we can adjust to new technology and protocol, and what our true teleworking capabilities are.

Julianne Goodfellow is the senior director of government affairs for the National Multifamily Housing Council (NMHC) in Washington, D.C. She can be reached at jgoodfellow@nmhc.org.

Daria Dudzinski is manager of government affairs at NMHC. She can be reached at ddudzinski@nmhc.org.

Read the June 2020 issue of MHN.