The apartment industry now universally accepts that it’s a matter of when not if, a company’s network will be breached. Apartment firms and their third-party service providers use and store highly sensitive personally identifiable information (PII) for current residents, prospective residents and employees, making them vulnerable to such attacks. To help NMHC members prepare for an incident and its aftermath, three cyber experts offered their tips on how to best manage a data breach during a panel discussion at the 2015 OPTECH Conference & Exposition.
The panel brought perspectives from Special Agent Erik La Com of the United States Secret Service; Matt McCabe, senior vice president of network security and data privacy at Marsh FINPRO; and Mark Seifert, co-leader of the privacy and data security practice at Brunswick Group.
Special Agent La Com said that many people don’t realize that the Secret Service is involved in data breaches. He explained that in addition to protecting the president and others, the Secret Service investigates crimes against the United States’ financial infrastructure, including computer fraud. In his capacity, Special Agent La Com works with bank investigators and merchant processors across the country. They contact the Secret Service when they see fraudulent charges and then the Secret Service works to identify the source of the breach.
Special Agent La Com said that nearly every time he contacts a company, the company has no idea that they have been breached. To help the apartment industry communicate with federal investigators and facilitate efforts, he noted that NMHC developed a relationship with the Secret Service and its Electronic Crimes Task Force.
(Contact NMHC’s Julianne Goodfellow at email@example.com to learn more about this partnership.)
Special Agent La Com also provided some practical advice on how to prepare for a breach and demonstrate that a company has taken steps to protect their network. His recommendations include:
- Conduct risk analysis. It’s important to understand the value of the data you store to the dark web. When you know the value, you can then develop a sliding scale of risk and protection.
- Have data storage policies. While this sounds simple, it takes time to develop procedures.
- Know your end user. The best network security is only as good as users’ adherence to good cyber hygiene.
- Diagram the network. Think of this as the floor map of your house. It does not need to be overly granular, but it does need to be reviewed and updated regularly. Investigators will start with this as they try to determine the initial point of compromise.
- Backup logs. Intrusions are often discovered long after an initial breach. Often, logs are stored for a short period of time (even as little as 24 hours). Data storage is inexpensive and this information is invaluable after an intrusion.
- Segment the network. Determine what actually needs to be on the network and if it needs to be accessible to everyone.
- Maintain software. Some vendor programs will only work with certain versions of Windows, but keep your software as up-to-date as possible.
- Remove default and shared admin passwords. A lot of hardware and software come with admin passwords that need to be changed. Also, change credentials regularly.
Panelist McCabe said that Marsh looks at breaches as an issue of cyber risk management rather than just cyber insurance. He noted that 70 percent of breaches come from a party external to your company and “you are hoping that news of a breach is coming from law enforcement instead of the media-and in particular, from Brian Krebs’ security blog. If you are hearing through the media, then the incident is going to be highly publicized.”
“The reality,” McCabe said, “is that 80 percent of incidents could have been prevented by good cyber hygiene. You are never going to be able to address the more sophisticated risks if you haven’t addressed basic cyber hygiene.”
Brunswick Group’s Seifert emphasized the need to have a public relations plan in place before an incident occurs. The first thing you need is a statement that says that you are taking the incident seriously.
“It’s literally all you can say on the first day. The people who say more lose jobs or face lawsuits. During a cyber crisis, you don’t know what you don’t know. Unless you are willing to risk your job, don’t tell me something is a fact unless you know it to be a fact,” Said Seifert.
Seifert stressed that a cyber incident is different than a physical incident. With a cyber incident, you don’t know who the attacker is, how they got in, what information they took and if they are still in your system. “Before you face a breach, practice, practice, practice. Then adapt your plan and educate your employees. Think about your response in the customers’ terms, not the company’s terms. Your customer will want to know if they were harmed.”
Additional educational resources related to data breach and data security are available here.
- Data Compliance and Connectivity Concerns Mount
- National Multifamily Housing Council Issues Data Privacy and Protection White Paper
- Data Privacy and Protection: Practical Considerations for Apartment Firms - White Paper
- Congress Presses Forward on Consumer Data Privacy
- Data Security Letter to Senate Committee on Banking, Housing and Urban Affairs