How to Avoid a Cyberattack at Your HOA

Wednesday December 30, 2020
 
When you think of the kinds of organizations that are targeted by cyberattacks, you probably don’t think of your homeowners association (HOA). But as a small business, your HOA faces a growing risk. In its annual study, the Ponemon Institute reported that more small and medium-sized businesses had been the victim of a data breach in 2017: 61% of respondents as compared to 55% in 2016.
 
These days, HOA boards and residents depend on digital technology to accomplish many of their association-related tasks. “Property management software makes these tasks easier to do,” says Chris Cady, director of information security and enterprise architecture at FirstService Residential. “It’s much more convenient to pay fees online, access information and communicate with the help of technology. But it’s crucial to have a strong security strategy as well, as these statistics show.”
 
In Minnesota, state laws require organizations that retain personal information to take precautions to protect that data. These laws generally apply to HOAs as well.
 
The role of your HOA board
As a board member, you have a fiduciary duty to protect your HOA’s interests, and that includes protecting its sensitive information (such as financial data) as well as the personal information of residents. The following tips can help you better protect that data.

1. Make a policy to specifically address cyber security. A cyber security policy gives your association a consistent set of guidelines for protecting data. It should also specify who has the authority to access the HOA’s confidential information and who has primary responsibility for managing the association’s cyber security.

You also want your policy to describe what to do pre-emptively to ensure that your HOA can recover data quickly. In addition, it should define the types of threats to watch out for and specify the plan of action you will take if a data breach occurs. If the association also has its own devices, the policy should spell out who is authorized to use them and any websites that users should not visit because of their potential for spreading infections.

2. Create a board member training program. Board members should receive cyber security training. The best time for this is right after board elections to ensure that all members are on the same page.

3. Only use property management software with robust security. Property management software is widely used by associations to simplify HOA business. However, it’s crucial for it to have strong, up-to-date security built in. Find out from your software provider whether the program is capable of detecting and stopping potential threats and how the company keeps its security updated. Ensure that residents can use the program anywhere from any device without forfeiting security.

4. Educate residents about applying security best practices. Just one infected device can put your HOA’s data at risk. According to Cady, “Awareness can go a long way in protecting your HOA’s information. Residents who know the risks and know how to handle them will be better able to protect data.”

Familiarize HOA residents with the types of threats out there and how to defend against them. Do your best to reach everyone in the community by using a variety of communication channels to get the word out. Post flyers, send out emails and postal mail, put information in your newsletter and put reminders on your community website. Put out information regularly to remind residents that they need to stay vigilant. Include the tips below in your communications.
 
The role of HOA residents
The following 5 best practices can help residents keep their devices safe and protect both their personal information and the HOA’s data.

1. Don’t leave devices out of your sight. Anytime you are in a public place, be sure not to leave your device unattended, even for just a moment. Devices also shouldn’t be left in a vehicle. Remember that a thief can break into a locked car in just seconds. When you travel, always keep devices with you, not in checked luggage.

2. Give unfamiliar URLs and emails a second look. Check that a hyperlink actually goes to the destination indicated. You can verify this by hovering over it to see what the real URL is. If they don’t match, don’t click on the text. URLs for transactional websites (such as those belonging to banks and credit card companies) will always begin with “HTTPS.” Never enter personal information on a transactional site that doesn’t have this in its address.

The majority of email scams come from overseas, so be suspicious of unfamiliar emails with extensions indicating they come from a foreign country. Spelling mistakes and grammatical errors are other signs that the email may have originated in another country. Be on the lookout for email attachments with “.exe,” “.pif” or “.bat” extensions. And if an email offer seems too good to be true, it’s most likely a scam.

3. Learn how attacks happen. Knowing the different types of malware that cybercriminals use will help you recognize a potential attack more easily. Here are some of the more common ones:
 
  • Viruses – Typical ways to “catch” a virus are by opening email attachments that contain malicious code or by downloading infected software.
  • Email scams – No, you probably didn’t really win a long-forgotten lottery prize, especially if an email says you have to pay a small fee to claim it. And no Nigerian prince wants to pay you a large sum of money to put his family’s riches in your bank account temporarily. Anytime you are offered something for nothing, you can bet it’s an email scam. Someone is trying to get money from you or access to your personal information.
  • Phishing or smishing – An email or SMS text that warns you of an issue with a financial account is trying to get you to reveal personal information. They will generally contain a link to a legitimate-looking website where you will be asked to enter your user ID and password. The problem is, the website is a fake. Contact your bank or credit card company directly (not through the link) to determine the legitimacy of the message.
  • Botnets – These software “robots” access your contact list to send out mass emails as part of an email spam campaign. Attackers will use such a campaign to take down a business or government website or spread malware.

4. If you believe you clicked a suspicious link, disconnect. You may realize after you’ve clicked on a link that the link is suspicious. If this happens, immediately disconnect from the internet. Make backups of crucial files, and then run a security scan. Ask a trustworthy information technology (IT) professional for help if you’re not sure how to do this.

5. Use long, complex passwords. Make passwords harder to guess by making them long and complex. That means creating them from a combination of upper and lowercase letters, numbers and special characters. Change your passwords frequently, and do not use the same password for numerous websites. Incorporate other protections as well, such as multifactor authentication and passcode locks.
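The link, HTTPS and attachment checks from tip 2 above can also be run automatically over a message before anyone clicks. The following Python sketch is an added example, not part of the original article; the sample message, domain names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".pif", ".bat")  # the extensions named in tip 2
# Constructed sample message body and attachment list (not real data).
SAMPLE_HTML = ('<p>Your HOA payment failed. Update it at '
               '<a href="http://pay.example.net/login">www.hoa-portal.example.com</a> or '
               '<a href="https://www.hoa-portal.example.com/help">contact support</a>.</p>')
SAMPLE_ATTACHMENTS = ["invoice.pdf", "Statement.PDF.exe"]

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname if value looks like a URL or bare domain, else None."""
    candidate = value if "://" in value else "//" + value
    host = (urlparse(candidate).hostname or "").strip(".")
    return host if "." in host and " " not in value else None

def review_message(html_body, attachment_names):
    collector, findings = LinkCollector(), []
    collector.feed(html_body)
    for href, text in collector.links:
        real, shown = host_of(href), host_of(text)
        # Exact host comparison: the "hover" check, done in code.
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
        if urlparse(href).scheme == "http":
            findings.append(f"link to {real} is not HTTPS")
    for name in attachment_names:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings
```

HTTPS only shows that the connection is encrypted, so the hostname still has to be the one you expect.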

The role of a good HOA management company
It’s common for HOAs to partner with a management company to manage their day-to-day operations. Typically, the HOA will turn over responsibility for policy enforcement, maintenance and resident communications to the company. However, the best companies will have the ability to handle data security and your other IT needs as well. These are some of the traits to look for:
  • Significant technological expertise
  • Up-to-date knowledge about cyber security developments
  • An understanding of your HOA’s unique IT needs
  • Demonstrated ability to respond quickly to IT issues
  • The ability to reduce or eliminate downtime during offsite hardware repairs

It would be great if we didn’t need to be concerned about cyberattacks, but the danger is real. Keep your data protected by implementing robust security and staying informed about potential threats. Above all, make security a team effort among board members, residents and your HOA management company.
 