How to Defend Your HOA or Condo Association Against a Cyberattack

You may not think cybercriminals have any interest in your condo or homeowners association (HOA), but don’t be so sure.  As a small business, your association may be facing more risk than it did in the past.
 
In its annual study, the Ponemon Institute found that in 2017, 61% of small and medium-sized businesses had had data breaches. In 2016, only 55% reported having had a breach.
 
Although certainly not good news, these statistics do not negate the value digital technology has brought to associations. “Residents and board members have an easier time handling association-related tasks thanks to technology,” says Chris Cady, director of information security and enterprise architecture at FirstService Residential, “Today, they can pay association fees online, access information and communicate more readily. However, these statistics do underscore the importance of having a solid security strategy.”
 

The role of your association’s board

Your board of directors has a responsibility to protect residents’ personal information, as well as the corporation’s sensitive data. How well is your board doing this? The following tips will help you get your cyber security on track.

1.  Establish a cyber security policy. Having a policy gives board members a common set of guidelines and procedures to reference. The policy should identify who is responsible for managing the association’s cyber security and who should have access to confidential information.

In addition, it should describe common cyber threats, explain what the association should be doing to ensure that it can quickly recover data and spell out a plan of action to take if a breach happens. If your association maintains its own devices, make sure that the policy also includes restrictions on those devices, such as websites that users are prohibited from visiting because they could be a source of malware and who is authorized to use the devices.

2.  Implement mandatory training for board members. Adopt a training program around cyber security that all board members are required to take. Have both new and existing members take the training every year following board elections.

3.  Make sure you are using property management software that has robust security. Undoubtedly, property management software simplifies association-related business. However, if it doesn’t have good security built in, or if that security isn’t updated as often as it should be, your software could be putting the association’s data at risk. Inquire about your software provider’s security measures and how updates are handled. Make sure that your data is well protected, the software automatically detects and prevents threats and users can safely log in no matter where they are or what device they are using.

4.  Share best practices with residents. It only takes a single infected device to jeopardize your association’s data. “Awareness is the best way to protect your association’s data,” says Cady. “If residents understand the risk, they can take action to protect information.”

Explain the different kinds of threats that residents might encounter and how they can defend against them. Distribute this information using a combination of communication channels so you’re sure to reach as many of them as possible: your community website, email, newsletters and postal mail. Incorporate the recommendations below into your communications.
 

The role of HOA/condo association residents

By following the 5 best practices below, residents can better protect their devices, as well as their association’s data.

1.  Do not leave devices unattended. A device that is left unattended in a public place can quickly get into the wrong hands, leaving your personal data at risk. Devices are also not safe in a vehicle, even one that is locked. A thief can break into a car within seconds. And never pack devices in checked luggage when traveling. It’s best to leave devices at home or to pack them in your carry-on bags.

2.  Learn about different types of malware. Familiarizing yourself with the various types of cyber threats will help you recognize an attempted attack. Here are some of the threats you are most likely to encounter:

• Phishing or smishing – An email or SMS text may appear legitimate even when it isn’t. Be wary of messages you receive warning you of an issue with a transactional account, such as a bank or credit card. Scammers will send out such messages with a link that seems to take you to the business’s website. In reality, the link is taking you to a fake website where you’ll be asked to provide personal information.
• Email scams – Anytime you receive an unsolicited email with an incredible offer, assume it’s a scam. The scammer will require that you put out money in order to take advantage of the nonexistent deal.
• Viruses – The most common ways in which your system becomes infected with a virus is via an email attachment or a download.
• Botnets – The purpose of these software “robots” is to send out emails to your contact list from your account. Once a botnet has infected your system, it may also have the ability to send emails from your contacts’ email accounts. By infecting a large number of systems this way, an attacker can overwhelm a government or business website or spread malware.
   

3.  Use strong passwords and other protections. Long, complex passwords are more difficult to guess, so make sure your passwords contain a mix of numbers, lower and uppercase letters and special characters. Do not use the same password for multiple sites, and regularly modify them. Add other protections like password locks and multifactor authentication.

4.  If an email or URL looks unusual, don’t trust it. Certain clues may sometimes help you detect an email scam. For example, since scams often originate overseas, an email that has numerous spelling and grammatical errors or an extension indicating a foreign country are some signs to look for. Other clues are offers that are too good to be true or attachments with “.exe,” “.pif” or “.bat” extensions.

With regard to URLs, make sure the hyperlinked text matches the destination. You can do this by hovering over the hyperlink to see if it actually points to the website indicated. And always check that transactional websites begin with “HTTPS.”

5.  Disconnect right away if you’ve click a suspicious link. The first thing to do if you realize you’ve clicked a potentially dangerous link is to disconnect from the internet. Next, make backups of your files and scan your system. If you’re not familiar with running a scan, find a reliable information technology (IT) professional to do it for you.
 

The role of a good association management company

Many HOAs and condo associations have their day-to-day operations taken care of by a management company. While it’s typical to turn over responsibility for maintenance, policy enforcement and resident communication to a management company, you should also look for one that is capable of helping your association with its cyber security. The company should demonstrate that it has:
 

• In-depth IT expertise
• Strong knowledge of advanced security measures
• A thorough understanding of your association’s IT requirements
• The ability to respond quickly to IT issues
• In-house resources so you can avoid having your data accessed by a third party
• The capacity to limit or eliminate downtime when making offsite hardware repairs

 
We all have to live with the threat of cyberattacks, but knowledge and robust security can reduce your risk of a data breach. Keep your association’s information safe by having residents, board members and your association management company working together to protect it.
 
Does your management company have the IT expertise to handle your association’s cyber security? Find out now - Fill out the form to get our FREE white paper, Who’s Minding Your Association’s Technology?