By Katherine McCoid / Published July 2022
Target. Equifax. Colonial Pipeline. Over the past decade, large data breaches have made headlines, frozen accounts, and immobilized parts of the U.S. In 2021 alone, hackers breached over 1,800 organizations. With the prevalence of identity theft, many people are growing skittish about handing over personal information, which means organizations must work harder to gain trust and protect data. For many community associations, becoming cyber aware can be an uphill battle. Very few associations have an official process for handling cybersecurity. This makes sense. Board members are not often chosen based on their IT skills, and it is not easy to stay up to date on the latest cyber threats. So, why are community associations vulnerable, and what steps can board members take to protect themselves and their communities?
First, let’s take a look at why community associations become victims in the first place. According to a Deloitte study, the commercial real estate (CRE) sector believes it is less likely to suffer a cyberattack than other sectors. This is because CRE firms maintain relatively less consumer data and valuable intellectual property directly on their own technology systems. But this confidence opens the door for criminals. As community associations streamline business operations through technology, they also need to update and upgrade security measures. The year 2021 was one of the most active years for cyberattacks, and the number of cyber threats continues to rise. Check Point Research says the number of cyberattacks increases 50 percent each year. Simply put, community associations don’t see themselves as targets, and that makes them vulnerable to attacks.
Community associations that do not proactively work to become cyber secure face liability risks coupled with the challenges of meeting stakeholder expectations. According to research done by Deloitte, failure to prepare for a cyber incident can lead to the following: data theft, damage to physical infrastructure, and attacks on tenants. Each of these could have devastating consequences for your organization.
Residents trust community associations and their board members with sensitive information. Everything from a resident’s name and address to bank account and social security number can be used to identify them individually. Some criminals use the data, known as customer personally identifiable information (PII), for identity theft. This can have decades-long consequences for victims, including problems getting loans or even jobs. Other crooks encrypt the data so a community association cannot access it. This forces the organization to pay a ransom for its return. Due to the sensitive and potentially damaging nature of PII, all 50 states have laws that require organizations to disclose when an unauthorized party has accessed identifying information. In Florida, any data breach impacting more than 500 people must be reported within 30 days. Creating a preparedness plan will not only keep your data safe but is also helpful for compliance.
Physical infrastructure is often a blind spot for cybersecurity. This means that the smart technology that makes our lives easier also makes us vulnerable. Data centers use connected devices for everything from temperature monitoring to surveillance. Attackers can target these systems to cause disruptions and outages. For example, hackers could manipulate cooling systems, causing servers to overheat. Systems at risk include power, HVAC, fire suppression, uninterruptible power supplies (UPS), CCTV, and more.
Similarly, these interconnected systems and vendors leave tenants vulnerable. One of the most notable examples happened in November 2013. The day before Thanksgiving, hackers breached security systems and stole data from 40 million Target credit and debit card users and 70 million of the store’s customer records. The criminals did not target the retail giant directly, but instead they breached a refrigerator vendor servicing Target Corp’s electronic billing, contract submission, and project management. How did this happen? The company provided a portal through which third-party vendors could access data. A compromise in this portal made it possible to jump into Target’s own network. Analysts believe Target could have limited the scale of the attack by properly segregating its network.
A cyberattack could have a devastating impact on a community association’s finances and reputation. According to the Ponemon Institute, one of the nation’s leading research centers for information security policy, the average cost of a single data breach topped $4.24 million last year. That is up about 10 percent from 2020. The costliest type of attack involved customer personally identifiable information (PII). This type of data breach costs around $161 for each stolen record. Beyond finances lies an equally devastating loss: trust. After Target’s data breach, customers worried their information would be stolen, and they were hesitant to shop at Target. Earnings fell by double digits, and Target had to work to restore its public reputation. Target is not alone. High-profile data breaches caused consumers to shy away from retailers and restaurants alike. In fact, a KPMG study found 33 percent of customers said they would take a break from a business after a breach. No industry is safe.
That brings us to lessons learned. There are a number of practical steps that organizations can take to avoid or reduce the severity of common compliance pitfalls. Encrypting data, reviewing vendors, and getting buy-in from your community will all help prevent security breaches. Having cyber insurance will help in the aftermath.
Cybersecurity is an organizational problem and a technical problem. Cybersecurity rules and regulations must be created with the people who use them in mind. Community associations are accountable to their residents and homeowners. Understanding the risk tolerance of these stakeholders can help board members create an appropriate strategy. If security measures are too difficult to follow, people work around them to get the job done. This means the steps in place to protect your data need to work within the structure of your community association. If implemented correctly, these measures will integrate into the culture of the organization.
Included in your association’s stakeholders: vendors. Maintaining a secure organization also requires frequent communication between stakeholders. Because of this, vendors also need buy-in to your plan. You need to inform your vendors about changes to your cybersecurity plan in real time. You also need to update new vendors of your security protocols before they access your systems. When you choose that new vendor, make sure they reflect your organization’s risk tolerance, and review your vendors’ contracts at least once a year to make sure you are protected. If a vendor suffers a data breach and you are not contractually protected, your organization could incur significant costs with little legal recourse.
Data encryption is another powerful preventive measure to ensure your information is secure even in the event of a breach. Encrypting data is a mathematical process that transforms data from readable text to nonsense and back again using a code (called a key). This is also a useful tool in the compliance toolbox. Florida’s Information Protection Act (FIPA) provides strong incentives for businesses to encrypt their consumer data. Under the law, organizations are not required to tell individuals their information was stolen if it was encrypted.
Finally, in the event of a cyberattack, cyber insurance can help community associations weather the storm. As with any type of financial plan, there is not a one-size-fits-all approach. It is not as simple as buying a policy and hoping for the best. Insurance can help buffer the effects of an attack, but getting a policy should not take the place of a prevention strategy.
While cybercrimes against community associations may not be front page news, they are major events that can have a devastating and long-lasting impact. If you don’t know whether or not your building is protected against a cyberattack, then it probably isn’t. Cybersecurity is an evolving field and building systems are complex, but that doesn’t mean your organization can’t take steps to mitigate risks. Create a cyber plan, involve your community, and reach out to experts who can help you navigate your path.
Public Relations Manager, Breezeline
Katherine McCoid is a Public Relations Manager for Breezeline. She works closely with Breezeline’s departments and community partners to provide information, education, and superior service for the communities Breezeline serves. Breezeline, a subsidiary of Cogeco Communications Inc. (TSX: CCA), is the eighth-largest cable operator in the United States. Breezeline keeps residents connected and entertained with best-in-class internet, streaming TV, and unlimited calling. Breezeline connects residents with a reliable, high-capacity network with the flexibility to support a community’s future. To learn more, visit breezeline.com.