When CTS started supporting property management companies over 15 years ago, the threat landscape of the multifamily industry looked nothing like what it does today. Back then, a common threat management companies faced were fax machine scams with bogus invoices that printed out at the leasing office for you to pay. Today, with the high availability of broadband internet, practically all property management software vendors (e.g Apfollio, Entrato, Yardi) have moved to web based applications. Then we added smart technology to the mix with the internet of things (IoT) which has its own inherent security risks. (see our latest blog about Smart Light Bulbs being vulnerable to hackers).

As a result, the multifamily industry is connected more now than ever before..and the risk of cyber attacks are greater than ever. Unfortunately, many property management companies do NOT make these growing cyber threats a priority. This mentality goes in line with the mindset of most small business owners. A 2018 US Census reported that 2 in 3 SMB leaders believed a cyber-attack is unlikely, but that same year 67% of SMBs experienced a cyberattacks. (2018)

Why doesn't the multifamily industry take cybersecurity more seriously? When we exhibited at the NAA Aparmentalize last year, we asked property management companies that stopped by our booth what cyber-security programs they have in place at their properties. Most of the smaller companies (under 35 properties) we talked to reported that they had little or no cyber protection whatsoever. Here are the top 5 reasons they gave us for not making cyber security a priority at their properties.

Top 5 reasons why property management companies don't make cybersecurity a priority

How are property management companies vulnerable to cyber attacks?

Most owners and management teams "don't know what they don't know" when it comes to cyber security, so we compiled this list with some real world examples to illustrate how your property and corporate office can be vulnerable. If you read this list and don't feel warm and fuzzy afterwards about your security at your properties and corporate office, then it's a really good idea to have a serious conversation about cybersecurity for your management company.

• Human Error / Social Engineering. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. An example of social engineering is someone calling the leasing office claiming to be from Entrata or Yardi and asks the manager or leasing agent to give them their username and passwords so they can help "troubleshoot" a problem. Another example is someone calling claiming to be with the "IT Dept" or "Microsoft" and wanting to help "fix" your computer by installing remote support software.  This is why having a cybersecurity awareness training program in place for your leasing teams and corporate staff is really important. They become your human firewall and help prevent cyber attacks!

 

• Phishing Attacks. Phishing is  defined as the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. We have engaged with multiple property management companies in the past who have been hacked because of this type of attack. The reason it happened was lack of awareness and training of the leasing agents or executive to recognize they were being phished. The website link they clicked on in the email looked really legitimate so they inputted their credentials as requested. Many phishing attacks use vendor sites commonly used in a specific industry. It could be entirely possible for a hacker to send fake emails pretending to originate from Entrata, Appfolio, or Yardi requesting the user to reset their password. What would happen if a hacker logged into your lease management systems? Who would be on the hook for damages from identity theft of your tenants? It would be your property management company, not Entrata. Office 365 along is not capable of catching all phishing emails. Make sure you have an effective email scanning system in place to detect and prevent these types of attacks!

 

• Fake email requests with similar domains and company directory farming This type of phishing attack is where the hacker registers a domain name that is very similar to your management company's domain with one letter different. They then go to your website and look at your company directory. If you have your staff listed, which many management companies do this, the hacker will  identify key decision makers or financial team members at your company. They will then create an email (often they will find their identity on the Dark Web ) and craft an email appearing to be from that person requesting the recipient to transfer money, or buy gift cards. We have engaged with at least three property management companies that called us after this type of attack happened. In one case, the CFO received an email appearing to be from the CEO requesting an ACH bank transfer for 300k for a new property being acquired. Because the email domain was very similar and the email looked like it came from the CEO, the CFO transferred the funds.

 

• Free thumb drives and USB phone power cables. Avoid the temptation!! These items have inherent security risks and can possibly contain keylogger software that auto executes when plugged into a computer, enabling the hacker to capture sensitive data entered into a secure system like Entrata or Yardi. Even worse, a hacker could remotely execute malicious software contained on these devices, taking your network and company hostage. We exhibit at apartment industry trade shows, and their is usually at least one vendor giving out "free" thumb drives or phone power cables. Our advice is to STAY AWAY FROM THIS TYPE OF SWAG! Most of these free items are made in china or other countries at very low cost with very low oversight, and often times, spyware and malware is installed during the manufacturing process.  Do your executive teams and leasing staff know about this threat?  Our advice is to always buy thumb  drives from Best Buy, Staples, or Office Depot where they sell reputable brands.

 

• Using “Walmart brand” network technology at your properties and corporate offices. We know a LOT of management companies are guilty of this and we want to educate you on why this is a VERY bad idea. Stop doing this! Walmart, Staples, and Office Depot sell wireless routers and switches meant for home use, not business use and especially not for use at your properties. Common home networking brands such as Netgear or Linksys have well known security vulnerabilities that hackers are VERY aware of. Read this ZDNET article to learn more about how vulnerable these devices really are. Unfortunately, many internet provider give properties a cable modem with a built in wireless router that uses the aforementioned brands. These are just as vulnerable and the ISP has very little liability in regards to the overall security of their devices. This is why it is important that you have a BUSINESS class firewall and networking hardware installed at your properties. Make sure you are choosing products from reputable vendors like Fortinet or Cisco that are built around security. Business class hardware will not only detect threats, but can also respond to threats, reducing your chances of being exposed to malicious software and attacks. Yes, this hardware is typically double or triple the price of the "Walmart brand" technology, but you are getting what you pay for with 3 year warranties, security updates, and active threat protection.

 

• Using business email that is not configured properly, or not using a business email system at all! Most of the management companies we talked to at Apartmentalize were using either Office 365 or a business Gmail account. If you are using an @Gmail.com email address or using a business gmail account (G-Suite), we highly advise you to switch to Office 365 for multiple reasons which goes beyond the scope of this blog (this good article covers the reasons to switch).  If you are reading this and using Office 365, that's fantastic! The good news is that there is a plethora of collaboration and communication tools at your fingertips to really streamline your property operations. If you haven't started using Microsoft Teams yet, you are missing out. All property management companies should be using this to share files and collaborate.  The bad news is that out of the box, Office 365 is not very secure and needs to be configured properly. Many security features available to a Microsoft 365 organization are turned off by default, such as two factor authentication and e-mail encryption, as well as advanced reporting, auditing, and alerts. By turning these features on, you not only decrease the likelihood of your leasing teams and corporate staff from falling for phishing attacks, you also get visibility into the digital health of your Office 365 environment.  Did you know that Microsoft created a tool and index to show you how secure your office 365 account really is? Feel free to reach out to us if you want us to show you how to find your score and learn how to improve it.

 

• Using "Free" Antivirus software on your leasing computers.  Although it is tempting to download and install "FREE" antivirus software on your leasing computers, DON'T DO IT! Most free antivirus programs out there have spyware and other adware related components that collect data about the person using the computer. Read this PC Magazine article about the true cost of Free Antivirus software and its inherent security risks.  Also, avoid buying antivirus software from Walmart, Staples, or Best buy. It is meant for home use and impossible to centrally manage and update, especially if you decide to install it on all of your leasing computers and business center PCs at all of your properties in your portfolio.  In order to protect your properties from threats, you need business / enterprise class security endpoint software installed on your systems to detect and prevent the new evolving threats. This type of security software is centrally manged so it is easy to update and deploy policies. It actively monitors for threats, provides alerts and reports so you can get a jump on the bad guys.

 

• Using outdated/unsupported operating systems and software. All technology devices at your properties have an operating system (OS) of some kind. For example, a computer, android tablet, ipad, a smartphone, smart TV, security surveillance system, door access system, or smart apartment system all have an OS. If they are connected to the internet in any way, whether wireless or wired, it is critical that all of the device's operating systems and associated software gets updated on a regular basis. By updating and patching operating systems or firmware, you protect your properties from known security vulnerabilities that hackers are looking for.  Unfortunately, this best practice is rarely done with property management companies (I am especially referring to the management companies who are STILL running Windows 7 machines which is no longer supported - there are quite a few of you out there!)  Often times, a property has been sold and acquired multiple times and the technology originally installed at that property just gets handed off to the new owner or 3rd party manager to deal with.  When this happens, technology gets lost in the shuffle and doesn't get updated, the technology becomes so old it can't be updated because the manufacture no longer supports the device. These devices become a silent security threat lurking in the corner of the maintenance closet of your leasing office!  This is why it is important to have an IT assessment and audit of ALL of your technology prior to purchasing a new property, or make sure you do this immediately afterward. This audit is something we can do for you as it's included with our outsourced managed IT support service, free of charge.

 

How to protect your multifamily properties and corporate office from cybersecurity threats

We covered a LOT of information in this blog and if your head is spinning and you are feeling a bit overwhelmed,  that is normal!  The main take away from this article is there is no one "silver bullet" solution for protecting your properties and corporate office from cyber attacks. In order to stay ahead of the the threats, there are multiple layers that need to be applied to truly protect your company. Here is list of best practices which every company should really follow.

• Invest in Cyber Security Training for your staff
• Turn on multi-factor authentication for your email as extra precaution
• Invest in email and web filtering software to block phishing email and sites
• Invest in good endpoint protection software to stop cryptoware
• Invest in business class networking hardware which detects and prevents intrusions

If you don't have an internal IT team, we HIGHLY recommend partnering with an outsourced managed IT support company that specializes in multifamily and cybersecurity to help you  with these best practices. Read our buyer's guide on how to assess and pick the right outsourced managed IT company that meets your multifamily IT support needs.