As technology advances and there’s more reliance on third-party applications to collect and store critical business data, multifamily executives are looking to beef up their data security while minimizing the risks and exposure that could come from a security incident.
During a panel discussion on cyber security at the 2016 NMHC Spring Board of Directors Meeting, Christopher G. Cwalina, a partner with Holland & Knight, reminded executives that in the overwhelming majority of security attacks, intruders are able to get into the systems quickly but remain undetected for 250 days on average, putting everything from employee and customer personal information to financial information and trade secrets at risk. And as surprising as it might sound, most intruders gain access through simple email phishing schemes.
Multifamily executives can protect their companies, employees and customers by doing the following.
- Involve senior management. Data security isn’t just an IT problem, and board members and senior executives need to lead on the issue and dedicate appropriate resources to keeping sensitive data safe. “No one is going to give a flip about this problem, if you don’t,” Cwalina said.
Rob Prager, director of information security for AvalonBay Communities, said he’s initiated a monthly cyber security meeting with ten senior executives to ensure that the issue remains a perennial priority for leadership.
- Get a written response plan together. The plan needs to get down into the details, clearly spelling out things like when a report of an incident needs to be escalated up the management chain to senior leaders to how to talk to affected parties about an incident and what assurances to offer them.
“Everyone-and I mean regulators-knows that breaches are going to happen,” said Cwalina. “But the question is: Are you prepared? When regulators come knocking and investigate what happened, they go after about a third of companies. The thing that makes the difference is what your plan looked like.”
- Train and test. It’s not enough to just tell employees what they should be doing, multifamily executives need to invest in training and testing.
“We created a cyber training and development course that we require all new employees to take,” said Prager. “And we’re working on a lighter version that’s required annually. In addition, we have an extensive phishing program where we target every employee once a month. The ones that are susceptible to that, they are immediately directed to a learning and development page.”
Similarly, Shawn Mahoney, CIO for GID, said phishing tests can be very effective in identifying weaknesses in the system. “When we started doing our phishing test our click through rate was 40 percent,” he said. “Now it’s down to 10 percent, but still, that’s 10 percent.”
- Go for 24/7 coverage. Because most attacks happen at night, leading multifamily executives are working with third-party monitors to get around-the-clock monitoring. Moreover, many recommend putting appropriate forensic experts on retainer to do initial analysis on suspicious activity, leaving executives to focus on responding to actual incidents.
- Dig into third-party contracts. Since many data intruders find entrée through third-party systems and applications, experts recommend executives look long and hard at the indemnification clauses in the business contracts. Executives will also want to see language that clearly outlines how fast you’ll be notified of a security incident and what role the vendor and you will have in responding to an incident.
“What we are trying to achieve is protection for us and them,” said Prager. “If you have a partner who is challenging you on the contract, maybe walk away.”
- Data Compliance and Connectivity Concerns Mount
- National Multifamily Housing Council Issues Data Privacy and Protection White Paper
- Data Privacy and Protection: Practical Considerations for Apartment Firms - White Paper
- Congress Presses Forward on Consumer Data Privacy
- Data Security Letter to Senate Committee on Banking, Housing and Urban Affairs