You may not think that your homeowners association (HOA) is likely to be targeted by a computer hacker. After all, we usually hear about data breaches affecting large organizations, like the 2018 breach at Children’s Mercy Hospital in Kansas City, Missouri, that affected more than 60,000 people.
However, small businesses like your HOA may be at more risk than ever before. According to the Ponemon Institute’s annual study, the share of small and medium-sized businesses that had experienced a data breach rose from 55% in 2016 to 61% in 2017.
At the same time, digital technology has been a tremendous asset for HOAs. “Nowadays, residents and board members can more readily take care of their HOA-related tasks,” says Chris Cady, director of information security and enterprise architecture at FirstService Residential. “Technology has made it easier to pay fees online, communicate and access information. Still, these statistics do point out the importance of having a solid security strategy.”
Both Missouri and Kansas have laws addressing the security of personal information. These laws apply to small businesses as well, so your HOA also has a legal obligation to implement strong cyber security.

What your HOA board should do

Protecting the personal information of residents and HOA data is an important part of your board’s responsibility. Improve your association’s online security by following these tips.

1.  Create a policy around cyber security. Having a common set of guidelines and procedures to reference provides your association with a consistent approach to your security. Make sure your policy identifies those people who are authorized to access confidential information and those who have management responsibility for the HOA’s cyber security.

In addition, the policy should explain the preparation steps that will help your HOA recover its data quickly, describe common cyber threats and define the action to take if a breach happens. If your HOA has its own devices, include any restrictions that apply, like who is allowed to use them and which websites to avoid to reduce the risk of infection.

2.  Set up a required training program for board members. Provide cyber security training for board members, and make it mandatory that new and existing members take the training each year after board elections.

3.  Verify that your property management software is secure. Property management software simplifies your HOA’s ability to conduct association business. However, it could put your data at risk if it lacks strong built-in security or if that security is out of date. Ask your software provider if the program automatically detects and prevents potential threats and if its built-in security is kept up to date. Also make sure that no matter what device HOA members use or where they are, they can safely log on.

4.  Make residents aware of security best practices they should apply. Your HOA’s data can be compromised even if only one homeowner’s device is infected with malware. “Awareness is the best way to keep HOA information protected,” says Cady. “Residents who understand the risks and are familiar with the steps they can take will do a better job protecting data.”

Let residents know about the different types of threats they could face and what they can do to defend against them. Try to reach everyone in the community by sharing this information across a wide range of communication channels. For instance, use email, postal mail, flyers, your community website and your newsletter. Get the message out regularly so that residents remain vigilant, and be sure to include the recommendations below.

What HOA residents should do

Residents can keep their devices safe and protect HOA data, as well as their own personal data, by applying these 5 best practices.

1.  Keep devices with you. Making sure not to leave a device unattended in a public place is a common-sense step you should always take. Also remember that even a locked vehicle isn’t a safe place for your device since a car break-in only takes seconds. Thinking of packing a device in your checked luggage? Think again. Keep it with you on your flight or leave it behind.

2.  Don’t trust URLs or emails that look odd. Verify URLs before clicking on them by hovering over the hyperlink to see if the website it points to matches the one indicated in the text. Legitimate transactional websites (like those for banks or credit cards) will always begin with “HTTPS,” so make sure this is the case before entering any personal information.

Since many email scams originate overseas, possible indications that an email isn’t legitimate include spelling and grammatical mistakes and foreign extensions on the email address. Also look for attachments with a “.pif,” “.exe,” or “.bat” extension. And don’t trust an offer that’s too good to be true.

3.  Learn about common attacks. You’ll be better able to recognize a threat if you learn what to look for. Below are some of the common ways cyber criminals try to hack into your system:
  • Email scams – Sorry to say that a Nigerian prince isn’t really going to put a large sum of money into your bank account, and you didn’t win the jackpot for a contest you don’t remember entering. If you receive an amazing email offer out of the blue, it’s most certainly a scam to obtain your personal information or to get up-front money from you.
  • Phishing or smishing – Be suspicious of emails or SMS texts warning you of an issue with your bank or other transactional account. Although it may seem legitimate, this is a common way for scammers to obtain your personal information. These messages contain a link that takes you to a fake website where you are asked to enter your personal information.
  • Viruses – Downloading infected software or opening email attachments containing malicious code are common ways a virus can infect your system.
  • Botnets – These software “robots” access your email account and those of your contacts to conduct large-scale email spam campaigns. By infecting and controlling multiple systems, attackers are able to overwhelm and take down a business or government site or spread malware.

4.  Use complex passwords along with other protections. It is more difficult to guess a long, complex password. Therefore, passwords should include a mix of upper and lowercase letters, numbers and special characters. Avoid using the same password on various websites, and change them often. Use additional protections like multifactor authentication and passcode locks.

5.  Immediately disconnect if you may have clicked a suspicious link. If you realize after clicking that a link might expose your system to malware, disconnect from the internet right away. Create backups of crucial files, and run a security scan. If you’re not sure how to do this, get help from a reliable information technology (IT) professional.

What a good HOA management company can do

Many HOAs depend on a management company to handle their day-to-day operations. Although this typically means turning over maintenance, policy enforcement and resident communication responsibilities, the best HOA companies will also have the ability to help you keep your data secure. Look for a company that exhibits:
  • Strong technology experience
  • Knowledge of the latest cyber security developments
  • A solid grasp of your HOA’s unique IT requirements
  • Fast response time to IT issues
  • Significant in-house resources to prevent the need for third-party access to your data
  • An ability to reduce or even eliminate downtime if offsite hardware repairs are needed
Of course, we’d rather not have to worry about cyber attacks, but ignorance is definitely not bliss. Protect your data with robust security and up-to-date knowledge regarding the threats. By working together, your board, residents and HOA management company can significantly reduce your risk of a data breach.
Thursday August 30, 2018