What do Ashley Madison, Uber, Target, Yahoo, eBay, Equifax, JPMorgan Chase, and Sony – companies that have incredibly diverse products and expertise – have in common? They have all been victims of a data breach!
These large breaches, which affected hundreds of millions of customers, have caused cybersecurity to become a common topic of conversation. What many board members may not realize is that HOA management, and the real estate sector in general, is a popular target for hackers looking to gain access to others’ information.
Associations are such good targets for these criminals because HOAs and their management companies have databases full of information that has high market value on the dark web, such as homeowner names, addresses, social security numbers, credit histories, credit card numbers, and dates of birth. In other words, associations carry a treasure trove of information that is highly valuable to hackers.
The following tips will help board members create a secure cyber-environment:
Improve your password security etiquette and insist that everyone who volunteers for the association practices good password security etiquette. Currently, the trend is to use a password manager like LastPass, 1Password, or Microsoft SSO to increase password security.
Using one of these services certainly increases your cybersecurity to a certain point. However, to ensure that a password management site is truly secure, use one that relies on multi-factor authentication. In other words, a good password management company will require more than one method of authentication from an independent source. (For example, the company might text a code to your phone to verify that it’s really you trying to gain access to the website in question.)
If your board is resistant to adopting a password management system, consider changing the passwords to all the sites that may contain sensitive homeowner information (such as email). Good passwords are ones that are easy for humans to remember, yet difficult for computers to break. For example, consider using a sentence for a password and changing only one or two letters into special symbols.
Consider who should have data, and put strict policies in place for those who have access to data. Most experts agree that the problem is often not who has access within an organization. For cybersecurity, it’s where that information ends up that’s problematic.
If you are viewing homeowner information on a secure website and have a computer with up-to-date anti-virus software, your security risk is minimal. Unfortunately, the association’s odds of falling victim to a successful data breach increase every time someone downloads association information and stores it on their personal computer.
Encourage your Board and ACC to move to a cloud-based storage system, and insist that no one is to download or print anything containing homeowner information. Important caveat: you will want to move to a paid cloud-based storage system to reap the full benefits of that system’s encryption protection.
Know that unless your HOA is self-managed, the majority of your most sensitive data will end up in the hands of your management company. Therefore, it is imperative that your management company is up to date in its security practices and takes safeguarding homeowner information very seriously.
To ascertain the quality of your management company’s cybersecurity practices, ask the following questions:
- How are the systems you use for data hosted? The best answer is a cloud-based system, because it will not be dependent on a device. Additionally, cloud-based data storage provides protection against calamities, such as fire.
- What types of software do you have for data protection? Mid-level and larger management companies will have money for enterprise-level encryption software designed to protect homeowner information against data breaches. A machine-learning anti-virus program like Sophos is a must!
- What protocols are in place for managing data access? It takes two to three weeks for most companies to remove an individual’s access to a company’s data. Companies that take data breaches seriously will aim to employ software such as Okta so they can block an individual’s access automatically in 24 hours or less.
- How is information stored, and what protocols are in place for an emergency recovery? Theoretically, storing data on-site and using a cloud-based system are both valid options. Companies that store on-site have more security issues to worry about, and they will usually have fewer protocols in place to recover lost information in an emergency. On the other hand, the main attribute of a cloud-based system is that all information is backed up on cyber-secure sites with no risk of loss.
- The management company should be able to answer all questions you have regarding their data governance practices. If your management company is unable to answer your questions clearly, proceed with extreme caution in selecting them as your association’s management company.
Check with your insurance broker about your community’s potential cyber risks and what type of cyber insurance coverage may be appropriate for your association. Known also as cyber liability, cyber risk, or data breach insurance, this type of liability insurance protects the HOA in the event of data breaches, viruses, network attacks, computer theft, and other losses or compromises of the HOA’s computers, network, or websites.
Cyber insurance may provide coverage for third-party liabilities (e.g., providing credit monitoring for affected homeowners) and direct losses and costs incurred by the HOA, as well as any legal defense costs and/or regulatory fines or fees.
Hire a staff of IT experts to review your current cybersecurity protocols, make recommendations for improvements, and implement necessary upgrades. You can hire IT experts on a full-time basis, or as contractors. If both options are outside your association’s budget, you can also reach out to your association and ask if any homeowners would be willing to volunteer their time. If no homeowner is available, reach out to colleges and programs to ask for an intern.
Ultimately, cybersecurity is everyone’s responsibility. While there are many protocols in place at companies like Spectrum Association Management to protect homeowner information, nothing can replace the truly human element in cybersecurity. It is crucially important for everyone on your board to be on the same page when it comes to cybersecurity.