Cybersecurity Basics for Property Managers
2/9/2024
Property managers wear many hats, whether they're responsible for large commercial complexes, multiunit residential properties, mixed-use facilities, or any other property. From managing occupancy rates to handling day-to-day operations or even hiring a water damage restoration company after a major incident, the eyes of tenants, employees, and stakeholders all turn to the property manager. With all of that on their collective plates, it's easy to see how cybersecurity takes a back seat for most property managers.
However, the unintended consequence of that lack of prioritization is a significant increase in the potential liability should a cyber incident occur. Cyber attackers frequently target property management companies, real estate companies, and other related industries due to the sheer quantity of sensitive information that they possess. For that same reason, data breaches in those industries come rife with negative consequences. You could be facing civil liability, regulatory fines, restitution, and the reputational damage your company would incur from a reported breach.
What Information Should Be Secured?
Without basic training in cybersecurity for property managers, it's likely that they don't even know why they could be targeted for a cyber attack. Property management systems, in particular, provide a mouthwatering target for cybercriminals. Tenants' personal information sometimes sits side by side with maintenance requests, operational technology, contract details, etc. Cybersecurity risks abound, and high-risk industries like real estate must become proficient in managing those risks.
Property Management Cybersecurity Basics
To that end, we've compiled some of the cybersecurity best practices you can implement to protect your sensitive information from being compromised in a data breach.
Conduct Cyber Risk Assessments
We just mentioned how prevalent cybersecurity risks can be, and you can't possibly mitigate those risks if you don't know where your exposure is. Regular cyber risk assessments should be conducted whether you use a vendor or your in-house personnel. You should evaluate what kind of data you store and utilize, how it's transmitted and backed up, who has access to the sensitive information, and what monitoring solutions are in place. Once you have identified the risks, you can then focus on narrowing the attack surface by enforcing things like multifactor authentication.
Educate All Staff
Just like training in cybersecurity for property managers is essential, all employees need to have a basic understanding of cybersecurity as well. This should include training on possible threat vectors, sensitive information that is at risk, your enterprise's cybersecurity policies, and why those policies are in place. Including the reasoning behind your policies as a part of your training regimen not only makes your staff well-informed but also increases the likelihood that they will then comply with those policies. It's also critical to realize that this training is an ongoing effort. Initial training should be provided during onboarding, but cybersecurity training should be a recurring effort that includes hands-on practical exercises and tests.
Establish Role-based Permissions
Regardless of the size of your company, you should implement system access controls using role-based permissions. This means that instead of applying individual permissions to each user as you add them, you create defined roles within your network that have preset access limits and permitted functions assigned to them. As you create new users, you assign them a role, and all of the permissions associated with that role are automatically applied.
This also reduces the risk of making a mistake when creating a new user and has the added benefit of streamlining the process during onboarding. These roles should be defined using principles of least access, meaning that personnel should only have access to the sensitive data and other information that they truly need to accomplish their assigned tasks. All users should be required to use multifactor authentication to access company networks.
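The role model described above, sketched as an added example that is not part of the original article: permissions attach to roles, a new user only receives a role, access is denied by default until multifactor authentication is complete, and a helper lists what a role grants beyond what its tasks need. All role names, permission strings and user names are hypothetical.

```python
from dataclasses import dataclass, replace

# Hypothetical roles for a property management system (constructed for this example).
ROLES = {
    "leasing_agent": {"tenant:read_contact", "lease:read", "lease:write"},
    "maintenance_tech": {"workorder:read", "workorder:write", "tenant:read_contact"},
    "accountant": {"payment:read", "payment:write", "lease:read"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    mfa_verified: bool = False


def new_user(name, role):
    """Onboarding assigns a role only; no per-user permissions are ever set."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    return User(name, role)


def complete_mfa(user):
    """Return a copy of the user marked as having passed the second factor."""
    return replace(user, mfa_verified=True)


def is_allowed(user, permission):
    """Deny by default: no MFA, unknown role or unlisted permission all fail."""
    if not user.mfa_verified:
        return False
    return permission in ROLES.get(user.role, set())


def excess_permissions(role, needed):
    """Least-access review: permissions the role grants beyond what its tasks need."""
    return ROLES[role] - set(needed)


if __name__ == "__main__":
    tech = complete_mfa(new_user("sam", "maintenance_tech"))
    print(is_allowed(tech, "workorder:write"), is_allowed(tech, "payment:read"))
    print(excess_permissions("maintenance_tech", {"workorder:read", "workorder:write"}))
```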
Audit Your System
This applies to both real-time monitoring and true audits. You want to make sure that network activity is within normal parameters. This means tracking and auditing access logs, purchases, and other critical databases to ensure that suspicious activity is not missed. You can leverage software solutions to help you accomplish this task, and some of the best programs out there can learn the patterns of activity across your systems and identify behavior that is outside system norms.
Purge Data and Users
Depending on your enterprise's area, you may encounter applicable data privacy laws that govern what sensitive information or personal data you can request, maintain, and use, as well as rules governing how long you can hold onto that data. Many data privacy laws also require responsible disposal of that sensitive information once it is no longer needed or must otherwise be purged. In addition to cycling out old personal data for tenants and others, you should immediately lock out employees upon their separation from employment. Even if the parting was amicable, the potential for cybersecurity risks with former user accounts still being active is far too high. That doesn't begin to consider the malicious insider threat that could be present.
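An added example, not part of the original article, that ties the access-log audit to the offboarding rule: it lists separated employees whose accounts are still enabled and flags any log activity on or after their separation date. The HR list, account list, log format and user names are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (hypothetical names and log format).
SEPARATIONS = {"jdoe": "2024-01-15", "mlee": "2024-02-01"}  # username -> last day
ACCOUNTS = {"jdoe": True, "mlee": False, "asmith": True}    # username -> enabled?
ACCESS_LOG = """\
2024-01-10T09:02:11 jdoe LOGIN_OK tenant_db
2024-01-20T23:41:07 jdoe LOGIN_OK payments
2024-02-03T08:15:00 mlee LOGIN_FAIL tenant_db
2024-02-03T10:00:00 asmith LOGIN_OK tenant_db
"""


def still_enabled(separations, accounts):
    """Separated employees whose accounts were never locked."""
    return sorted(u for u in separations if accounts.get(u, False))


def post_separation_activity(log_text, separations):
    """Log entries by a separated user dated on or after the separation date."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        ts, user, event, resource = parts
        if user not in separations:
            continue
        if datetime.fromisoformat(ts) >= datetime.fromisoformat(separations[user]):
            findings.append((ts, user, event, resource))
    return findings


if __name__ == "__main__":
    print("still enabled:", still_enabled(SEPARATIONS, ACCOUNTS))
    for finding in post_separation_activity(ACCESS_LOG, SEPARATIONS):
        print("review:", *finding)
```

Failed logins against an already locked account are reported too, since they show someone is still trying the credentials.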
Encryption
Shockingly, most companies, including real estate property management organizations, do not use encryption regularly. When you have sensitive data, effectively using encryption should be one of the first steps you take. End-to-end encryption may seem unnecessary, but when you hold payment data for rent payments, personal data of tenants, contractors, employees, and other sensitive information, many regulatory bodies require that you use encryption. Even if they don't, failure to properly protect this information during a data breach can lead to serious consequences. Should you suffer a data breach, it's far better that the attackers find themselves to be the new owners of what appears to be gibberish rather than lists of tenant bank accounts and routing numbers.
Regarding real estate and property management, cybersecurity isn't your only concern. If you suffer a devastating leak, fire, or even storm damage, SERVPRO cleaning can get you back on track and back in your home or property. With residential and commercial experience, SERVPRO has the knowledge and equipment to make your property look like the incident never happened. We can even help manage the insurance process. Contact us today to see exactly how we can help you.