Recent hacks and data breaches at prominent property management firms have highlighted the various risks the industry faces in these difficult times. From phishing to ransomware, operators of systems containing tons of personal identifying information (PII) and other highly valuable data are constant targets of attack.
In this series of posts, we will be discussing a broad range of associated topics, including why this industry is a tempting target, what kinds of attacks are occurring, and what can be done to reduce the risk firms are facing. While our focus will be primarily on multi-person operations, much of what will be covered is applicable to individuals as well.
First, let’s think about why the industry is being targeted. There are several reasons this is occurring, and while some of them are interrelated, a few are not. The biggest reason is most likely the same as why Willie Sutton robbed banks way back when – it’s where the data is. If you haven’t given this much thought before, think about it now – what data do firms working in the cooperative and condominium market – such as property management companies, accountants, etc. – keep that hackers and other bad actors might find interesting?
Well, we keep a whole lot of PII for both the coops and condos themselves, plus unit owners, employees, and vendors. Further, each of these categories includes historical data as well – former customers and clients, former unit owners, former employees, and former vendors.
Why is PII meaningful? Because PII includes both the necessary and the sufficient information to commit what is broadly known as identity theft. And what a treasure trove of data we have – full names, addresses, past addresses, taxpayer ID numbers (social security numbers and employer identification numbers), bank account information, phone numbers, email addresses, income information, credit scores, automobile information – the list goes on and on.
Then, add to these juicy targets the fact that we haven’t really been targeted much until recently. For most hackers, our data stores weren’t big enough to be interesting when they could go after much richer targets such as large retailers, banks, and other consumer-oriented organizations.
Our industry has tended to lag behind larger enterprises in adopting stronger security measures, leaving us open to attacks. For a long time the approach has been to install some antivirus software on the servers and workstations and let it go at that. However, now that many larger companies have significantly tightened up their security, attackers’ focus has turned to smaller, more loosely managed entities.
Given all of the above circumstances, it seems past time to take a hard look at our information security standards, policies, practices, and procedures to get control of the data we store and take necessary steps to protect that data, our clients and customers, and our own operations.
Where to start? If you don’t have one already, the place to start is with an inventory of what you have, what you do, and what you need to protect.
What you have should include the four key pieces of your information technology infrastructure – hardware, software, services, and data. Hardware is usually the easiest – you can reach out and touch it. However, make sure your hardware inventory includes all the relevant pieces – servers, workstations, laptops, tablets, phones, printers, faxes, scanners, switches, routers, virtual private network (VPN) devices, modems, backup devices, network attached storage (disk drives), etc. For each piece of hardware, make sure you know what it is attached to – a network (wired or wifi), another device, off the network, etc.
Next, put together a list of all software and online services you use – not just the mainstream applications like Microsoft Office, Outlook, PowerPoint, etc., but any and all specialty programs you use for bookkeeping, accounts receivable, check processing, accounts payable, banking, unit owner information, ordering, etc. Make sure to include all the online banking, retail (Amazon, Grainger, etc.), credit bureau, job posting, etc. services. Also include all the lower-level software in use – operating systems, databases, email servers, backup software, etc. For all applications installed on desktops, laptops, tablets, and servers, include current version numbers and update settings (automatic, notification, manual, etc.).
Finally, list all the categories of data you store, how old it is, and what your retention requirements are for each data type. It can be helpful to gain a view of how much of each type of data is stored as well, although a total figure is almost as useful. While data management in general and data retention requirements specifically are better discussed in detail separately, it is important to note in the context of this discussion that one critical way to reduce your information security risk is to keep less data. Broadly speaking, unless you have a good business reason to retain it, don’t keep any data longer than required by law, regulation, or industry standards.
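The three inventory steps above (hardware and what it attaches to, software with version and update mode, data categories with age and retention) fit naturally into a small structured record set that can be checked automatically. The script below is an added example written for this post, not a tool from the author or any firm; the asset names, dates and seven-year retention periods are constructed placeholders, and the checks it runs are illustrative, not a statement of any legal retention requirement.

```python
"""Added example: a minimal IT asset and data inventory with risk checks.

All records below are constructed sample data; retention periods are
placeholders, not legal advice for any jurisdiction.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Hardware:
    name: str
    kind: str          # server, laptop, printer, router, NAS, ...
    attached_to: str   # "wired", "wifi", "device:<name>", "offline" or "unknown"


@dataclass
class Software:
    name: str
    version: str
    update_mode: str   # "automatic", "notification" or "manual"
    hosts: list[str] = field(default_factory=list)   # hardware names it runs on


@dataclass
class DataCategory:
    name: str
    contains_pii: bool
    oldest_record: date
    retention_years: int   # placeholder retention requirement for this category
    stored_on: list[str] = field(default_factory=list)   # hardware names


def find_issues(hardware, software, data, today):
    """Return a list of (severity, message) findings from the inventory."""
    findings = []
    known_hosts = {h.name for h in hardware}

    # 1. Hardware with no recorded attachment cannot be assessed or protected.
    for h in hardware:
        if h.attached_to == "unknown":
            findings.append(("medium", f"hardware '{h.name}' has no recorded network attachment"))

    # 2. Software patched by hand tends to fall behind; unknown hosts mean gaps.
    for s in software:
        if s.update_mode == "manual":
            findings.append(("medium", f"software '{s.name}' {s.version} relies on manual updates"))
        for host in s.hosts:
            if host not in known_hosts:
                findings.append(("low", f"software '{s.name}' lists unknown host '{host}'"))

    # 3. Data kept past its retention period is risk with no business value;
    #    PII makes it worse, and an unknown storage location is worst of all.
    for d in data:
        age_years = (today - d.oldest_record).days / 365.25
        if age_years > d.retention_years:
            sev = "high" if d.contains_pii else "medium"
            findings.append((sev, f"data '{d.name}' holds records {age_years:.1f} years old; "
                                  f"retention is {d.retention_years} years"))
        for host in d.stored_on:
            if host not in known_hosts:
                findings.append(("high", f"data '{d.name}' is stored on unknown host '{host}'"))
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count}, e.g. for a one-line report."""
    return dict(Counter(sev for sev, _ in findings))


def run_sample(today=date(2024, 1, 1)):
    """Run the checks over a constructed sample inventory (assumed, not real)."""
    hardware = [
        Hardware("fs01", "server", "wired"),
        Hardware("laptop-acct", "laptop", "wifi"),
        Hardware("printer-2f", "printer", "unknown"),
        Hardware("nas-backup", "NAS", "wired"),
    ]
    software = [
        Software("Office 365", "16.0", "automatic", ["laptop-acct"]),
        Software("LegacyBooks", "4.2", "manual", ["fs01"]),
        Software("Windows Server", "2019", "notification", ["fs01"]),
    ]
    data = [
        DataCategory("unit_owner_records", True, date(2008, 1, 1), 7, ["fs01", "nas-backup"]),
        DataCategory("vendor_invoices", False, date(2019, 6, 1), 7, ["fs01"]),
        DataCategory("former_employee_files", True, date(2012, 3, 15), 7, ["old-pc"]),
    ]
    return find_issues(hardware, software, data, today)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
    print(severity_counts(run_sample()))
```

Running it on the sample prints the unattached printer, the manually updated bookkeeping package, two PII categories held well past the placeholder retention period, and one category living on a host that is not in the hardware list. That last finding is the point of doing the three inventories together: a data category you cannot map to a device you control is data you cannot protect or purge.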
In the next part of this series we will discuss evaluating your existing security stance, some of the specific protections that can be put in place, and the tradeoffs involved.