Like most challenges and successes companies experience, strong cyber security traces back to one factor — the people.
Not only the people at your corporate office or communities, but also the people at your vendors and the steps they take to protect resident data. That was the message delivered during the “Cyber Security Action Plan: Ten Things to Do Right now” session at NMHC OPTECH 2016 Tuesday in Dallas.
By properly managing the people risks, companies can significantly reduce their risk of adding to the ugly statistics, such as the 169 million records exposed in 2015, stemming from 781 publicized breaches. In 93 percent of those cases, it took hackers minutes to compromise systems, and 82 percent of the victims did not realize they had been breached for weeks. The average cost of the data breaches was $4 million.
But the focus of those breaches wasn’t credit card numbers.
“There’s this myth that hackers are really interested in credit card numbers because you can buy stuff with them,” said Ryan Byrd, vice president of engineering for Entrata. “What they’re really after is PII, personally identifiable information. Because multifamily housing uses so many vendors, protecting that information is a team effort.”
That team includes company associates, who present the greatest cyber security risk. According to Byrd, phishing and spear phishing, which are scams that entice people to click on a link in an email or text and provide personally identifiable information, are the number one delivery mechanism for ransomware and malware.
That’s why it’s important for both owner/operators and vendors to utilize methods that keep human behavior in mind, train associates and audit cyber security practices with an impartial third party, according to the panelists.
Among the most important cyber security methods being employed today that keep human behavior in mind is multi-factor authentication. “You have to insist on multi-factor authentication from your vendors, not only for your corporate or community staff, but also for your residents,” Byrd said.
Multi-factor authentication protects the majority of people who use the same password, or variations of it, for many of their online accounts. The methodology requires users to present at least two forms of evidence to authenticate their identity. One example of multi-factor authentication is when a site sends a user a code to their cell phone to input before granting access to the site.
Associate Cyber Security Training
In addition to using the same password, people tend to click on links in emails that offer incentives, regardless of how unrealistic they are, or that appear to contain important information. The best way to protect against that behavior is through cyber security training, according to the panelists.
“People really are the weakest link, but also the first line of defense,” said Jeremy Rasmussen, managing partner of Abacode, a cyber-security consulting group. “If you regularly phish your people and get them to click on phishing links, you can significantly reduce your risk.”
Auditing Security of Systems
In Rasmussen’s experience, 50-60 percent of associates will click on phishing scams the first time companies run a test. Through regular tests with associates, companies can reduce the risk to one to three percent, according to Rasmussen.
Audits, however, should be comprehensive and regular, not just of associates but of the IT network as a whole inside the company and at vendors.
“When you’re dealing with vendors you have to understand what their security practices are,” said Byrd, who has his systems at Entrata audited and certified regularly by a third party. “It’s reasonable for a client to ask for an audit of their IT vendors on a regular or annual basis.”
Through audits, a people-first mindset and training, apartment owner/operators can reduce the risk of costly cyber security breaches.