As the level of hacker sophistication advances, apartment companies must remain vigilant with consistent employee training and monitoring.
Remote work has become commonplace at the corporate level for many national apartment operators. And while security protocols might have been in place for years – even before the pandemic – wise companies are re-evaluating their policies as more attention is paid to this high-priority threat to business operations.
Data Privacy Day is Jan. 28 and is recognized as an annual international event. Data Privacy Day’s purpose is to raise awareness and promote privacy and data protection best practices.
Companies with hundreds – if not thousands – of employees working across multiple states, including in-home offices, must pay even greater attention to their technology, IT department, and employee information-sharing systems to ensure they are running smoothly. Equally important, they must continually monitor their workers so that the company’s data stays safe.
Operators must designate staff to continually seek the latest information on how to help employees learn to defend against cyberattacks and hacking attempts, as this persistent corporate challenge across all industries remains a way of life in the office, at home, and on the road.
Cybersecurity Attacks Can Wreck Company Financials
Companies must proactively work to prevent cyberattacks because they can truly wreck a company’s financial growth.
The level of sophistication in these hacks and phishing attempts keeps rising. Companies have reported hearing how hackers can gain access to a company via email, use the owner’s contact information to pose as a client, and email staff asking for financial reports. This is malicious.
Therefore, it’s essential to insist that employees make sure websites are legitimate and email addresses are valid, determining who the sender is before corresponding.
Because maintenance team members are sometimes less tech-savvy and idle-minded employees can become vulnerable, company leaders know they’re all just one click away from danger. Cybersecurity is here for good, and attacks can take place on more than just computers. It’s best to lean into security and embrace it.
Given the high volume of cybersecurity claims, cybersecurity insurance premiums have risen 100 percent to 400 percent year-over-year, according to Trent Iliff, Vice President, USI Insurance Services, Oak Brook, Ill. And some housing provider IT teams are reporting that they have received four times the number of hacking attempts since the pandemic.
The FBI recently issued an alert that foreign hackers were sending boxes that appear to come from the U.S. Department of Health & Human Services (HHS) or Amazon with dangerous USB devices enclosed.
There are two variations of packages: 1) Those imitating HHS often include a LilyGO-branded USB accompanied by letters referencing COVID-19 guidelines, and 2) Those imitating Amazon arrive in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.
Cybersecurity Must Be at the Forefront of Employee Training Guides
Cybersecurity training should be near the front of any company’s training catalog for employees and new hires.
It’s important to have policies in place to address the following: background checks cannot be overridden; steps in the verification process may not be skipped (for any reason); and how to spot fake paystubs. For example, training through Grace Hill can serve the company’s compliance purposes. While some workers may have taken courses on cybersecurity before, once joining a new company, it’s best to confirm these employees have been trained correctly and consistently.
Astute apartment operators realize that the next horizon for cybersecurity is to be better prepared for fraudulent applications – either by residents or employees.
Consistent Training Makes a Huge Difference
Grace Hill provides a full suite of cybersecurity training, “The Cybersecurity Series,” built for property management companies of all sizes with various types of properties in their portfolios. The series includes an employee and a supervisor version, and the courses are appropriate and applicable to both site-level and corporate employees.
The courses are intended for non-IT professionals. There are two series in the package: Cybersecurity for Employees (7 titles) and Cybersecurity for Supervisors (6 titles). Each series consists of short courses that take no more than 20 minutes to complete.
Subject matter includes, but is not limited to, storing data, avoiding viruses and malware, socially engineered “phishing” attacks, scams, creating strong passwords, and device and document security.
Key takeaways from the course include reinforcing a supervisor’s responsibility to confirm that employees understand cybersecurity threats and a reminder of how easy it is for attacks to happen if employees are not vigilant.
Grace Hill’s training also provides high-level information on the context behind setting solid passwords and the technology that is used maliciously to crack passwords.
IT teams should constantly check and update the company’s software for remote and internal workers, pulling reports on malware and software.
It’s important to have an incident response workflow and even more important that all employees use it. For example, employees must be notified immediately to change their password if it shows up somewhere else.
Passwords Carry a 12-Character Minimum
The Grace Hill team applies its own training in-house. Susan Pickens, Director, IT and Business Systems, Grace Hill, says her company trains its employees with the same methods included in its clients’ training products.
“We emphasize that employees must protect their computers – have them locked and that they use password complexity,” Pickens says. “We require 12 characters, and the password must be rotated every 90 days. There’s multi-step authentication, and everything is cloud-based.”
Pickens’ team informs the entire Grace Hill staff, especially its remote workers, who comprise about 75% of its 170-person workforce, about what is acceptable in areas such as downloading outside programs or applications. Routine patching and software updates are in place for Grace Hill’s standard tools, including Office 365, Adobe, and browsers. Endpoint protection is installed on all company-issued laptops to protect against malicious downloads and viruses.
“We want to remain as flexible as possible with our remote work environment,” said Pickens. “Employees are told to not keep personal files on their company computer. It is a work computer and should function solely for their job at Grace Hill. This property belongs to the company, not the employee.”
Regular Scans of Employees’ Devices Key
Grace Hill conducts monthly scans of all company-owned computers to ensure no unauthorized applications are installed. Unauthorized or inappropriate applications are removed immediately.
“We all browse the internet at times on work computers, but social media and online gaming sites, such as TikTok and Candy Crush, can introduce vulnerabilities on our computers and is not permitted,” Pickens says.
“If we have no knowledge of a tool, we can’t allow it to be installed on our work computers.”
Pickens says the staff understands phishing emails and has done a good job of making the IT team aware. She says some sure-fire ways of detecting a malicious email are:
- The email comes from someone, such as the CEO, asking the employee to do something right away, usually involving documents or important data.
- Emails are written in all lowercase letters or contain misspellings.
- The email address of the sender is not displayed, or there is no signature line.
- A bank logo, such as Chase or Citi, is inserted, but when hovering over it, the link is not recognizable or not the valid company’s website.
Pickens suggests using phrases and not just words or letter combinations with passwords.
“[Phrases] are more difficult to crack by these nefarious agents who are using password generators to break employees’ logins, hoping to get lucky,” she says. “And, they do hit it on occasion. More than 80% of malicious activity starts with email. All they need you to do is click on a link or respond to the sender.”
Pickens says that all companies should have a disaster recovery plan and incident response plan, both available in hard copy and electronically. “Because if they fall into certain situations, such as losing power or a weather-related incident, access to electronic documents may not be available,” she says. “That hard copy needs to be kept in a safe place where people know where it is.”
Avoiding digital information files is not a solution. “All it takes is a person to leave an invoice or piece of paper out with personal information on it; someone takes it, or takes a picture of it or copies it down, and a breach could occur,” Pickens says.
Paul Bergeron is Executive Editor of Thought Leadership Today, a platform on his LinkedIn profile that reports on commercial real estate and other topics. He served 18 years as Editor in Chief for UNITS magazine at the National Apartment Association.