by Kathy Danforth/ Published March 2015
Electronic information can ease the workload for many tasks—including theft. The security of information, money, and other assets is increasingly dependent on codes and passwords as well as keys and locks, so keeping passwords under the keyboard is akin to putting the key to the vault under your welcome mat.
The methods of stealing and using data are constantly adapting, and communities have multiple, changing people with a need to access sensitive data to do their jobs. These dynamics mean that data security is not a static, check-off concern.
“Resident information is most important to protect, as well as community banking information,” advises Diane Braswell, Information Technology Director for Leland Management. “While Leland does not keep sensitive information such as social security numbers for our residents, we still maintain strict data security guidelines for all resident and community information.”
John Sly, Information Technology Director for AKAM Living Services, Inc. states, “The association is responsible to keep all accounting and financial information secure and organized. Financial records are an obvious example of important documents to keep secure, but it is just as important to keep items such as applications secure as well, since these documents contain social security numbers and bank account information. In addition to unit owner information, vendor information is held by the management company and often includes information sensitive to the property,” Sly points out.
“The association and the management company are also responsible for protecting the physical asset, which is the property itself,” Sly adds. This requires added protection for security information and items such as keys related to the physical protection of the community.
Because of the responsibility and liability involved in guarding information, Sly advises, “Request and maintain only information that is necessary for the successful management of the association and its business. No extraneous information should be requested, provided, and/or kept.”
To best secure the information they maintain, Leland Management has gone to a paperless system. “We scan all papers and store them on a secure server,” Braswell explains. “If employees are walking around with papers that have sensitive information, that’s problematic. By keeping our system paperless, we limit how that paper can change hands or be lost, which might not even be malicious. We also then have a record of who has accessed information.
“We work to make sure our communities’ networks are secure and information is backed up,” Braswell comments. “We’ve taken precautions with antivirus software and anti-malware as well as hourly backups to an on-site and off-site location.”
“AKAM uses more than one security system and a tiered-access approach to safeguard our network,” Sly reports. “In addition to top-of-the-line firewalls, we employ a sophisticated content filtering system to stop attacks before they could even enter the system.”
Computer access to information should be limited to what the individual needs to know. “It would be dangerous for any company to allow each employee full access to all files,” Sly notes. “There are different levels of access for members of a community, also, depending on their responsibilities and needs,” Braswell observes. “Permission to access should be very rigid and limited to the required information. Computers are tools and people need to do their jobs, but access should not be expansive just to avoid an occasional interruption to provide information, which is not regularly needed by an individual. And, when people move in and out of positions within the community or management, their access should change.
“There are two main goals in electronic data security: preventing information from being taken and used in a wrong way, and protection against loss of data through backups,” Braswell states. “Backing up data is key. Backups are a protection against both shutdown and ransom. You can never fully protect against viruses that may wipe out your data because they change and become more sophisticated. But another big threat right now is a virus such as CryptoLocker, which encrypts your data and then sends a note that you have to pay a ransom to get your information back.”
The viruses CryptoWall and Cryptoblocker have been very active in hitting corporate sites, according to Braswell. “If you don’t have your data backed up, you may be stuck paying the ransom and hoping they’ll return the data to its original form. But, you are counting on criminals to keep their word and return the data.
“Viruses invade through e-mails,” Braswell notes, “so someone is hacked or gets an e-mail purporting to be from a known party, but when they click on a link, you’re sabotaged. You need to educate your team and vendors,” Braswell advises. “They need to be reminded not to open any attachment they’re not expecting. And by clicking on a link in an e-mail, you may think you’re updating your bank information, but, in reality, you’re giving the information away to another party. A quick search will show if the website matches that of the party you think you’re dealing with.
“Also, passwords need to be changed periodically and guarded. You shouldn’t use the same password indefinitely and for ten different access points, and store it on a Word document on your computer. At Leland, we have a conversation with staff every couple of months about secure Internet use,” says Braswell.
Sly recommends, “If you work with a third-party, Web-based software provider, be sure that their website is secure and always displays the lock icon on the address bar. If you are transferring files via File Transfer Protocol (FTP), request to use Secure File Transfer Protocol (SFTP), a secure way of transferring data.”
At many communities, paper information is still in use, and its security is as important as ever. “Paper records should be stored in a locked filing cabinet in a locked office or storage room with restricted and limited access,” says Sly. “Employ a professional shredding company as they are inexpensive and provide an extra layer of protection for the disposal of old files.”
As the march toward electronic data progresses, though, associations should have a management company or individual who is responsible for the information technology security of the community. An expert with specific knowledge of the community’s systems as well as threats and advances in the technology area should be involved, rather than just an assigned individual with a general awareness of risks. “For instance, the average person would not be aware that Microsoft will no longer support their older operation systems Windows XP and Windows Server 2003, leaving them outdated and vulnerable to attacks,” Sly points out.
Technologies and methods change, but people don’t. Braswell says, “Bad people are out there, and they’ll be looking for your password and a way to get into your system!”