By Thomas Hasard, CISSP, IT Service Manager
If it seems like every time you turn on the news you’re hearing another story about cyber security, you’re not alone. Between new emerging threats and the high profile data breaches that have occurred, cyber security has become a pervasive topic in almost any news outlet. As the security space becomes more complicated, and as more and more revenue is made by malicious actors, it’s important for Boards to consider the cyber risks they face and implement reasonable controls to mitigate them.
Associations are responsible for what attackers would consider a treasure trove of payment information, resident information, and other sensitive data. Regardless of whether the information is kept in a file cabinet, on a PC or server, or in the cloud, it’s vital that how that information is accessed, stored and protected from loss are carefully considered with security in mind. Even in cases where a property manager is involved, it is still the Board’s responsibility to ensure the security of the Association’s data.
In almost all areas of cybersecurity, there is an overarching message regarding the need to exercise due care. In all but the most exacting security standards, the most important responsibility of anyone entrusted with sensitive information is to take the time to review how they are protecting this information and their sensitive processes. Determining what the “right” amount of security is can be a challenge, but understanding some of the common risks facing Associations will help you start down the right path.
The biggest source of security threats to an Association is email. Because email has become integral to many processes, from authorizing transactions to communicating Board information or simply transmitting minutes, it is also a prime target for malicious cyber threats. There are a variety of ways that email can be attacked, and understanding these various threats will equip you to better prevent them.
First and foremost, there is the ever-present fear that your email will be breached, or hacked. Typically, this comes down to an attacker being able to gain access to your account by guessing or discovering your password. The most frequent source of this type of breach is, ironically, another breach of your information by a third party. It is human nature to try to simplify access to our growing collection of online accounts by reusing usernames and passwords on multiple websites, but doing so makes your online information vulnerable. Simply put, if one website is compromised, anywhere else that same password is used could now potentially be accessed by the attacker. The most important thing anyone can do to protect their email account is to have a long and complex password that is used only to secure that account. Also, wherever possible, enable two-factor authentication to ensure that even if your password is compromised, your account cannot be accessed without additional confirmation on your smartphone. By having a strong and unique password on your account, and leveraging two-factor authentication, you can greatly reduce the chance of someone getting control of your email.
Unfortunately, simply protecting your email from unauthorized access won’t ensure that email is a safe platform to use. Email is commonly thought to be a reasonably private means of communicating information, when it is actually not private at all. A great way to think about email is as a digital letter. It is likely anyone who intercepts it will be able to see who sent it, who it is intended for, and its contents, including any attachments. Similar to a letter, the “from” address can be forged to appear to be someone you know and trust. For this reason, when you receive an email, even if it looks to be from a trusted source, you need to carefully consider if the email is actually sent by that person.
From a practical standpoint, this becomes a significant issue when authorizing financial transactions. Associations whose board members authorize financial transactions via email (for example, to approve the issuance of a check or wire transfer) with no other verification may be especially susceptible to fraud. If an attacker finds out on Facebook or LinkedIn who you are and who you know, it can be relatively easy for them to send a fraudulent email, which appears to be from a board member, authorizing or requesting a transaction. Organizations of all sizes have fallen victim to this kind of attack, resulting in losses ranging from tens of thousands to tens of millions of dollars. When designing your processes for approving transactions, consider a secondary confirmation system, such as a text or phone call, to verify that a transaction has actually been approved.
Email can also be a source of another type of threat, known as phishing. Phishing is when an attacker crafts an email designed to elicit sensitive information from you. Typically, these take the form of an email telling you to reset your password, a notice that you have won a prize, or a fake receipt for something you didn’t purchase. The attacker’s hope is that these emails will cause you to click on a link in the email that takes you to their website. Once there, you may be asked to enter sensitive information, or malicious software will attempt to attack your computer. Phishing can be a source of information for an attacker; for instance, if you enter your email credentials, they can now access your account and all of the information contained there. Falling for a fraudulent email can sometimes lead to further attacks that leverage the information the attacker has already gathered about you.
Traditionally, the main threat to our computer systems was viruses which, for the most part, were designed to damage or cripple your computer. Unfortunately, a relatively new strain of malware called ransomware has grown rapidly over the last few years. In fact, of all of the malware identified in 2016, 70% of it was ransomware. Ransomware is an ingenious way of using encryption technology to hold the information on your computer hostage. Imagine if all of your Association’s records were gone, and your only hope of recovering them was to pay a ransom to a criminal and hope that they return them. It’s not difficult to see why this type of attack has become financially successful for the attackers; the FBI estimated that it generated over $1 billion in 2016. The success of these attacks has led to a rush of other attackers writing their own ransomware in the hope of launching a successful attack.
The best prevention against ransomware and other malware is being aware of the risks and being careful about which emails and attachments you open, as well as which websites you visit. Modern antivirus software is adding more and more ransomware-specific protection in a virtual arms race, and is a critical part of protecting yourself. Having a backup technology in place that protects your data and keeps a copy of it elsewhere is also a great way to reduce the risk posed by ransomware.
In addition to protecting your email, your processes, and your computers, it’s important to consider what compliance obligations you may have. Many Associations accept credit cards for the payment of dues or other services. Like any merchant accepting credit cards, it’s important that Associations have an awareness of the Payment Card Industry Data Security Standard, or PCI DSS. Specific compliance requirements vary depending on the volume of transactions and on whether cardholder data is stored at any point. It’s important to be aware of the requirements you may be subject to and to ensure that you understand them as you decide whether to accept credit cards. Typically, your card processor will be able to provide more detail on any obligations you may have.
In any Association, but especially in Self-Managed Associations, you should consider acquiring cyber liability insurance to address the risks your Association faces. Insurance coverage should be tailored to your Association’s needs, including potential email fraud and ransomware protection. Since resident information is maintained by the Association, data breach coverage may be needed, depending on the amount of personally identifiable information stored.