Cybersecurity

By on Sep 5, 2016 in Technology

If you think cybersecurity is “just an IT issue,” better think again.

Experts agree that cyber risk in the multifamily industry is largely underestimated, given the volume of personal and financial data multifamily companies collect and maintain about their prospects, residents and employees. And the fact that many real estate organizations rely on third-party service providers to collect and protect data further increases exposure to damaging cyber incidents.

What are some of the common risk factors? Using disparate software solutions and multiple vendors with various interfaces and logins elevates exposure to breaches. To further complicate matters, information security programs in the multifamily industry tend to be relatively less sophisticated compared to more heavily regulated sectors such as banking and retail. Since cyber criminals will always take the path of least resistance, this poses a major threat to the industry as a whole, which maintains information about tens of millions of Americans. And after a well-publicized breach in 2014, the multifamily industry is — or should be — on high alert.

To not only reduce risk but also to increase operational efficiencies, many companies have made the move to a single platform — and now consider it a best practice to consolidate core property management and accounting along with ancillary products in one database supported by a single vendor. And while no business can expect to achieve perfect security, in the current cyber threat landscape with so much at stake a comprehensive plan — and one point of contact for software and services — can mean a direct line to better peace of mind.

At the NMHC 2016 spring board meeting, panelists emphasized that cybersecurity is not simply an IT problem, but rather an enterprise risk management issue. Developing a strong cybersecurity program is not a one-time effort, either – an effective program needs to be continually tested and refined. This expectation is now held by state and federal regulators. And recently, members of Congress have introduced federal legislation that would mandate board oversight for information security programs.

To help its members understand and create a comprehensive data security program, NMHC released a white paper in June and hosted an educational webinar on July 21, 2016. The white paper, titled “Multifamily and Cybersecurity: The Threat Landscape and Best Practices,” was authored by Christopher Cwalina, Esq., Kaylee Cox, Esq., and Thomas Bentz, Jr., Esq., of Holland & Knight.

Some key statistics were provided in the webinar to help attendees understand the current threat landscape. In 93 percent of cases, attackers needed only a few minutes to break into systems, while 83 percent of victims didn’t discover the breach for weeks. It was also noted that on average, intruders are in a company’s network for more than 200 days before they are discovered. Social engineering and ransomware attacks continue to succeed. And perhaps most alarmingly, “insider threats” keep causing havoc for companies — and of all the incident types, insider misuse is likely to take months or even years to discover, causing extensive and costly damage.

The most important takeaway: recommended best practices. All panelists agreed that a robust cybersecurity program includes incident response, management of third-party relationships, oversight and staff training. It might come as a surprise that many incidents are avoidable, as they result from thoughtless user error (non-compliance with password protocols, for example), so make sure training is a priority — especially for employees with access to the most sensitive information.

Top down leadership is key, and executive management should drive a cybersecurity program including cultural expectations within the company. An incident response plan — including an incident commander — and communication protocols should be established and documented, and consistent with other company policies and procedures, with roles and responsibilities clearly defined.

The experts reiterated that third-party relationships bring significant risk, and should be carefully evaluated. Make sure all your vendors have a solid data protection program in place, and conduct periodic audits — it’s your revenue, brand and reputation on the line.

Read more about data security and NMHC’s initiatives. Learn more about Yardi Voyager and the Yardi Multifamily Suite.