You lock the door to your home because you want to keep yourself, your family, and your property safe. The same logic should apply to your condo community’s data and information. Unfortunately, too many databases and platforms are left unprotected.
It’s not that property managers and board members don’t care. Rather, they aren’t aware that a “door” has been left ajar until it’s too late. Here’s what you should know about cyberattacks, how to improve your cybersecurity network, and what to do if your corporation is hacked.
Communities Have An Obligation To Protect Resident Information
Condominium communities must maintain adequate records, including financial records, meeting minutes, and governing documents. “If the corporation stores these records in an electronic format, they must be able to reproduce them accurately, intelligibly and within a reasonable timeline,” states the Condominium Authority of Ontario. “They must also reasonably protect records against unauthorized access and have data recovery capabilities.” That means condos must keep accurate records of sensitive information, as well as take reasonable steps to keep that information safe.
Top Cybersecurity Threats
Ransomware
Ransomware is by far one of the top threats to corporations. Ransomware is a form of malware designed to encrypt files, rendering them unusable to the person trying to access them. The person responsible for the ransomware will demand ransom, often money or some other financial asset, in exchange for decryption.
Ransomware is very harmful to condominiums because the organizations store so much personal information. In addition to sensitive emails, they have hundreds of bank account or credit card numbers, email addresses, phone numbers, license plate numbers, etc., belonging to tenants and owners. Then there are all of the records which could not be replicated if they were lost.
The most common ransomware techniques used by intruders include:
Email phishing campaigns: email with a malicious file or link is sent. Malware is deployed when someone clicks on the link. They may also use precursor malware, which enables the attacker to use someone else’s email account to target more victims.
Remote desktop protocol (RDP) attacks: RDP provides additional convenience as it lets people access files and data from virtually anywhere. However, cybercriminals may try to guess as many password combinations as possible, or purchase credentials illegally, to infiltrate the remote network.
Exploiting software vulnerabilities: cyber criminals can take advantage of security weaknesses in software to deploy ransomware.
Internal hacks
It can be hard to believe that an employee would willingly sabotage their own company, but it’s happened before. An employee who is upset, or who has just been let go, may delete files, change passwords, or steal information.
Being Proactive Is Key To Minimizing Security Breaches
Make two-factor authentication the default
Two-factor authentication (2FA) is an extra layer of security that makes it more difficult for unauthorized individuals to gain access to accounts, databases and software systems. It essentially requires users to enter two pieces of information – a password that they have memorized and a one-time code – in order to access a platform or data. The code is usually accessed through the user’s smartphone. This way, even if someone does guess your password, they would still need to obtain your phone and see the unique code to get your data.
This simple step is highly effective, and it costs the user nothing to implement. In 2019, Google found that SMS-based multi-factor authentication successfully blocked 100 per cent of automated bots, 96 per cent of bulk phishing attacks, and 76 per cent of targeted attacks. While the efficacy rates may have dwindled from three years ago, it is still one of the easiest and best cyber defence mechanisms to employ.
On a similar note, don’t give all staff access to everything. They should only be able to access tools or information that they need to have in order to do their jobs. This helps ensure sensitive information doesn’t get into the wrong hands and reduces potential damage caused by ill-willed employees.
Assess Your Corporation’s Cybersecurity Risks
Boards and managers are strongly encouraged to educate themselves about cybersecurity in general and understand the cyber risks that they are most likely to encounter. If you’re not sure where to start, consider looking at the federal programs.
The Cybersecurity & Infrastructure Security Agency (CISA) offers small American organizations toolkits, planning templates, and essential cybersecurity information.
In Canada, CyberSecure aims to raise the cyber security baseline for small and medium-sized enterprises. Victor Beitner, CISSP, GG, and E-Technologist, says this is one of the easier (and more economic) starting paths for small corporations. Victor is the CEO of Cyber Security Canada, one of three accredited certification bodies recognized by the Canadian government. His company works collaboratively with CyberSecure, and evaluates an organization’s implementation of the program’s certification requirements.
Make Use of Good Cyber Infrastructure
Invest in an antivirus program
Antivirus software will help to limit the impact of a virus. Malware is very dynamic and is always evolving as hackers try to target software or system vulnerabilities. As such, they may eventually have success getting past the basic protection offered by your operating system and gaining access to the corporation’s data. Antivirus programs provide an extra layer of protection so that even if malware gets onto your computer, it is detected and can be removed before critical damage is done to the corporation.
Update software regularly
When prompted to update your work computer’s operating system, or a software program, do it as soon as possible. While it can be a minor annoyance, the updates ensure your program is as secure as possible.
Developers release updated versions of systems to address bugs, minimize security vulnerabilities, and introduce new features. However, if you continue to use the old version of a program, you leave the corporation vulnerable to viruses or threats that exploit or take advantage of recently identified security flaws.
What To Do If There Is A Cyberattack
Even if your corporation takes reasonable steps to protect data, a cyberattack may still occur. That is why every corporation must have cyber insurance. In addition to assessing cyber risks, condos need to create the appropriate risk responses. The CAO cites four risk response types, including transferring risks. Obtaining cyber insurance is a perfect example of what it means to transfer risk.
Cyber insurance covers things like regulatory defence expenses, legal and civil damages, forensic investigations, and crisis management costs. Having this could save the corporation, or your property management company, thousands of dollars.
Condos may also consider having liability coverage, or third-party coverage. Cyber liability policies cover legal fees and judgments in cases where owners sue the corporation for damages caused by a cyberattack.
Like all insurance, you hope you won’t need to use your condo’s cyber insurance policy, but you’ll be very glad to have it if there is an attack.
How Much Protection Does Your Corporation Really Need?
The size of your condo corporation will dictate how much cyber protection you need. A corporation with one work computer will need less than a corporation with dozens of computers. Managers will need to scale as they grow and implement layered cyber security architecture. Finally, once you have a system in place, don’t assume that’s the end of it. Cybercriminals are always looking for new ways to infiltrate vulnerabilities; your cybersecurity plan must also evolve.
Brian Bosscher is the president and founder of Condo Control, a leading software company that provides web-based communication, management and security solutions for condos and HOAs of all sizes. He is also a board member, having served more than 14 years as both treasurer and president.
