Property management firms and block managers looking after residential blocks of flats face several cybersecurity challenges, and we'd like to address some of the common problems and their solutions here.
First of all, let’s list the common cybersecurity challenges our colleagues in property management face:
- Data breaches
- Phishing attacks
- Ransomware
- Insider threats
- IoT vulnerabilities (Internet of "things")
Cybersecurity challenges for property managers
To dive a little deeper into each of the above, I'll give an overview of the usual headaches, how to keep on top of them, and the measures you can write into your internal policies and external reports (the kind of evidence an insurer may ask for after an incident).
Data Breaches
A data breach is unauthorised access to sensitive personal information: your own firm's files, but more importantly the data of your leaseholders and residents, such as financial details, contact information and lease agreements. You hold a great deal of information on each current and past resident, not least because you collect service charges.
We'd urge all block managers to monitor regularly for unusual activity and to conduct security audits. By "unusual" activity we mean things like repeated failed login attempts from unknown sources, logins from unexpected locations or devices, a successful login that follows a run of failures, sudden increases in network traffic or unexpected spikes in bandwidth usage, and systems that crash or slow down for no explained reason. None of these prove a breach on their own, but each deserves a closer look, and you can only spot them if login and system logs are actually being kept and reviewed.
Fixing the problem means encrypting sensitive data both where it is stored and when it is sent, using multi-factor authentication (MFA) on every account that supports it, keeping on top of regular software updates, and maintaining excellent communication with your IT providers.
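The "unusual activity" signs above only help if someone actually looks for them in the logs. The following is an added example, not code from the original post or from any product mentioned on this page, showing how three of those signs (repeated failures from one source, a login from an unexpected country, and a success that follows a run of failures) can be flagged in a small authentication log. The log format, the user names, the IP addresses, the countries and the thresholds are all constructed assumptions; a real system would take the country from an IP geolocation lookup rather than from the log line itself.

```python
"""Flag the 'unusual activity' signs described above in a small
authentication log. Added example, not from the original post; the log
format, users, IPs, countries and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, user, source IP, country.
SAMPLE_LOG = """\
2024-03-04T02:10:01 FAIL    sarah.j  203.0.113.9   RU
2024-03-04T02:10:04 FAIL    sarah.j  203.0.113.9   RU
2024-03-04T02:10:07 FAIL    sarah.j  203.0.113.9   RU
2024-03-04T02:10:11 FAIL    sarah.j  203.0.113.9   RU
2024-03-04T02:10:15 FAIL    sarah.j  203.0.113.9   RU
2024-03-04T02:10:19 FAIL    sarah.j  203.0.113.9   RU
2024-03-04T02:10:40 SUCCESS sarah.j  203.0.113.9   RU
2024-03-04T08:59:12 SUCCESS tom.b    198.51.100.4  GB
2024-03-04T09:01:50 SUCCESS sarah.j  198.51.100.4  GB
2024-03-04T09:15:00 FAIL    tom.b    198.51.100.4  GB
2024-03-04T09:15:20 SUCCESS tom.b    198.51.100.4  GB
"""

# Countries each user normally logs in from (assumed from past history).
KNOWN_COUNTRIES = {"sarah.j": {"GB"}, "tom.b": {"GB"}}


def parse_log(text):
    """Turn the constructed log lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "result": result,
                       "user": user, "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def find_repeated_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed logins inside any
    `window`-long period (a sliding window over the sorted timestamps)."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]].append(e["ts"])
    hits = []
    for ip, times in fails.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((ip, best))
    return hits


def find_unusual_locations(events, known=KNOWN_COUNTRIES):
    """Successful logins from a country the user has not used before."""
    return [(e["user"], e["country"], e["ts"]) for e in events
            if e["result"] == "SUCCESS"
            and e["country"] not in known.get(e["user"], set())]


def find_failures_then_success(events, min_fails=3, window=timedelta(minutes=15)):
    """A success preceded by `min_fails` or more failures for the same
    user from the same IP within `window`: the classic sign that a
    password guess eventually worked."""
    hits = []
    for i, e in enumerate(events):
        if e["result"] != "SUCCESS":
            continue
        prior = [p for p in events[:i]
                 if p["result"] == "FAIL" and p["ip"] == e["ip"]
                 and p["user"] == e["user"] and e["ts"] - p["ts"] <= window]
        if len(prior) >= min_fails:
            hits.append((e["user"], e["ip"], len(prior)))
    return hits


def review(text=SAMPLE_LOG):
    """Run all three checks and return the findings for a human to triage."""
    events = parse_log(text)
    return {
        "repeated_failures": find_repeated_failures(events),
        "unusual_locations": find_unusual_locations(events),
        "failures_then_success": find_failures_then_success(events),
    }


if __name__ == "__main__":
    for name, hits in review().items():
        print(name, hits)
```

On the constructed log, the 2am run of failures against sarah.j from 203.0.113.9 trips all three checks, while tom.b's single mistyped password at 9:15 trips none of them. The thresholds are deliberately conservative assumptions; tune them to your own volumes, and treat the output as a prompt to investigate (and to reset the affected account's password and check MFA) rather than as proof of a breach.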
Phishing Attacks
Employees at the block management organisation, or its residents, may fall victim to phishing emails, which can quickly lead to compromised credentials or malware infections. Simply put, a phishing email or text message contains a link to a website that tricks the user into revealing sensitive information (such as a password) or transferring money. There are several varieties of phishing to look out for, and building that awareness into your employee training will help people recognise them.
It's well worth sharing similar updates with your residents too.
The NCSC recommends using two-factor authentication (2FA) on your important accounts, such as email. With 2FA, an attacker who knows your password still needs the second factor (a code from an app or a hardware key) to get into the account.
Talking of cracking passwords: the time it takes to crack a password grows steeply with its length, so favour long passwords (the NCSC suggests three random words) over short, complicated ones, and never reuse a password across accounts. Add 2FA on top and you'll sleep better at night.
Encourage colleagues and residents to report any suspicious emails. Even if the links turn out to be legitimate, it's better safe than sorry.
Try investing in email filtering systems. They are a method of email security that involves identifying and sorting emails that are deemed non-productive, spam, or malicious.
Ransomware
“Why would anyone want to threaten me with a ransomware?”
This is what many of us in smaller businesses think, right? But if you hold sensitive information, you are at risk of a ransomware attack. Malwarebytes' 2024 State of Ransomware report stated that ransomware attacks in the UK had surged by 67%.
“Ransomware gangs have time and motivation on their side. They constantly evolve to respond to the latest technologies chasing at their tails.
“We’ve seen this very distinctly over the past year as widespread adoption of technologies like EDR has helped identify attackers before they launch malware, pushing ransomware gangs to work more quickly and put more effort into hiding themselves.”
Marcin Kleczynski, Founder and CEO, Malwarebytes
Newer findings included 'night-time attacks', launched between 1am and 5am when IT staff are less likely to be present. The report also shows that the time to carry out the full attack chain (from initial access to encryption) has shrunk from weeks to hours.
As a reminder, ransomware is a type of malware that locks and encrypts data, files, systems and devices. The affected machines, files and phones are unusable until the attacker receives a ransom payment, and paying is no guarantee of getting them back. Extremely frustrating and very worrying.
As a precaution against ransomware attacks, definitely take these two key steps:
- Install security software before you get hit with ransomware, and keep it updated
- Back up your important data (files, documents, photos, videos, etc.), keep at least one copy offline or otherwise disconnected so the ransomware can't encrypt it too, and test that you can actually restore from it
Insider Threats
We are all human, and if an employee, former employee or contractor wants to harm you and your business, whether through malice, vulnerability or desperation, and you haven't taken precautions to protect data, you could be in real trouble.
Remember the case of the ex-Marriott employee who hacked into Marriott's hotel reservation system and slashed rates by up to 95% on more than 3,000 rooms, or the Barclays banker who was jailed for six years and four months for helping two cybercriminals launder more than £2.5 million from the Ealing branch where he worked.
In a report by the ICO covering Q3 2022 – Q2 2023, 60% of identified data breaches in the UK (legal) sector were caused by insiders.
The findings show that, combined, data from the firms affected relating to 4.2 million people was compromised. Almost half of the cases (49%) impacted clients, and 13% impacted employees. Basic personal information (49%), economic and financial data (13%), health data (10%), and official documents (10%) were the main types of data breached.
Awareness is key: monitor user activity and conduct background checks on employees. Keep an eye on workplace culture, bullying and mental health, as that is often where desperation starts. Practically, give each person access only to the data their job needs, remove access promptly when someone leaves or changes role, and conduct regular security training.
IoT (Internet of “things”) Vulnerabilities
First of all, let's list some IoT assets:
Smart devices in blocks of flats, such as security cameras and smart doorbells, smart locks, automated garden sprinkler systems, and on-site gym equipment or access readers that integrate with residents' phones, can all be exploited if not properly secured.
Keep an inventory of all IoT devices and their security status (who owns each one, what firmware it runs, whether its default password has been changed). Most importantly, change default passwords, apply firmware updates, and segment IoT devices onto a separate network so that a compromised camera or lock can't reach the systems holding resident data.
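An inventory is only useful if it is checked against the three controls just listed. The following is an added example, not code from the original post or from any product it mentions, that reads a small inventory export and reports, per device, whether the default password is still in place, whether the firmware is behind what the vendor currently publishes, and whether the device is sitting on the office network rather than the IoT segment. The device names, addresses, the two subnets and the firmware versions are all constructed assumptions.

```python
"""Audit an IoT inventory for the three controls above: default
credentials, firmware currency and network segmentation. Added example,
not from the original post; the inventory, subnets and versions are
constructed."""
import csv
import io
import ipaddress

# Assumed address plan: the office LAN that holds resident data, and the
# separate VLAN that IoT devices are supposed to live on.
OFFICE_NET = ipaddress.ip_network("192.168.10.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed inventory export; 'latest_firmware' is what the vendor
# currently publishes for that model.
INVENTORY_CSV = """\
device,ip,default_password_changed,firmware,latest_firmware
front-door-camera,192.168.50.21,yes,4.2.1,4.2.1
bin-store-camera,192.168.50.22,no,4.1.0,4.2.1
smart-lock-block-a,192.168.10.40,yes,2.0.3,2.1.0
garden-sprinkler,192.168.50.30,yes,1.9,1.9
gym-access-reader,10.0.0.5,no,3.0.0,3.0.0
"""


def version_tuple(version):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as
    strings (as strings, '4.10' would sort before '4.9')."""
    return tuple(int(part) for part in version.strip().split("."))


def check_device(row):
    """Return the list of problems found for one inventory row."""
    findings = []
    if row["default_password_changed"].strip().lower() != "yes":
        findings.append("default password unchanged")
    if version_tuple(row["firmware"]) < version_tuple(row["latest_firmware"]):
        findings.append(f"firmware {row['firmware']} behind {row['latest_firmware']}")
    ip = ipaddress.ip_address(row["ip"].strip())
    if ip in OFFICE_NET:
        findings.append(f"on office network {OFFICE_NET}, not segmented")
    elif ip not in IOT_NET:
        findings.append(f"outside IoT segment {IOT_NET}")
    return findings


def audit(csv_text=INVENTORY_CSV):
    """Map each device name to its findings (an empty list means clean)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: check_device(row) for row in reader}


def devices_needing_action(csv_text=INVENTORY_CSV):
    """Names of devices with at least one finding, for the work list."""
    return sorted(name for name, findings in audit(csv_text).items() if findings)


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

On the constructed inventory, the smart lock is the one to fix first: it is on the office network, so anyone who takes it over is already on the same segment as the resident data. Run this against an export from whatever you actually use to track devices (a spreadsheet is fine), and treat an address that is in neither subnet as a device nobody has placed deliberately.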
A reminder and summary of cybersecurity best practice
None of us want to be in a situation where we are subject to a cyberattack. Awareness of types of threats, and best practices to mitigate any threats are beneficial to property managers, landlords and leaseholders.
Our colleagues and employees are so important to running a healthy business. As property management firms often have a high employee turnover rate it’s crucial not to overlook new recruit onboarding training.
Employee training
As mentioned above, it is hugely important to train new recruits on cybersecurity best practice, as well as existing employees. Keep up to date with the latest threats and incorporate them into your training, policies, procedures and controls.
Ensure you have an Incident Response Plan in place that can easily be updated and forms part of the continued training. The quicker a threat is addressed and mitigated, the smaller the breach, which puts you and your residents in good stead.
The NCSC advises that a basic Incident Response Plan should include:
- Key contacts: IR team/provider, IT, Senior Management, Legal, PR, HR, Insurance. Always consider the risk of people being unavailable – ideally include at least 2 contact methods and 2 or more people (or group) details.
- Escalation criteria: Along with a process for critical decisions
- Basic flowchart or process: This should cover the full incident life-cycle
- At least one conference number: This should be always available for urgent incident calls
- Basic guidance on legal or regulatory requirements: When to engage legal support, HR, or follow careful evidence capture guidelines
Regular Security Audits
Conduct comprehensive security audits to identify vulnerabilities and ensure compliance with regulations like GDPR.
See our Quick Start Guide for a GDPR Audit.
Having a GDPR compliance audit, for example, can help a company avoid costly ICO fines and protect your company’s reputation.
Get Cyber Liability Insurance
Consider obtaining cyber insurance to cover potential financial losses from cyber incidents. You already have professional indemnity and other insurances in place, so why not invest in cyber insurance in this hugely digitised landscape.
One important note, however: having cyber liability insurance doesn't mean you can be complacent. If anything, obtaining the insurance will push your business towards better cybersecurity practice, because insurers commonly ask about controls such as MFA and backups when deciding what to cover. There's a good article from the Law Society on why cyber insurance isn't a substitute for management. Although the article is aimed at law firms, it applies just as well to any management business.
Supplier Management
Do you ever check whether your suppliers and contractors meet your own cybersecurity standards, or at the very least have their own policies, relevant insurance and internal training? It's worth starting regular reviews of their security practices alongside your own. This helps your suppliers, if they aren't already working on their own cybersecurity, and of course your leaseholders.
Cybersecurity Regulations for Block Management Firms
As you'll know, block management firms must comply with key regulations when it comes to protecting personal data and securing their systems. Here is a reminder of the two main ones; please have a quick read and build the requirements into your internal policies, procedures and training.
Data Protection Act 2018 (DPA 2018)
This act sits alongside and supplements the UK General Data Protection Regulation (UK GDPR), which requires organisations to implement appropriate technical and organisational measures to protect personal data, and to report certain personal data breaches to the ICO within 72 hours of becoming aware of them.
Network and Information Systems (NIS) Regulations 2018
These regulations apply to operators of essential services (such as energy, transport, health and water) and to relevant digital service providers (online marketplaces, search engines and cloud services), requiring them to manage risks to their network and information systems. A block management firm will rarely fall within their direct scope, but your cloud and IT suppliers may, which is one more reason to ask them about their own security practices.
NOTE: The NIS Regulations and GDPR are related but address different risks. The NIS Regulations focus on protecting key infrastructure, networks and information systems, including both personal and non-personal data. GDPR focuses on protecting personal data relating to identifiable individuals. Essentially, the NIS Regulations have a broader scope and cover various incidents, not just those involving personal data.
Takeaways
The best way to protect yourselves, your residents and your firm’s reputation when it comes to cybersecurity is to:
- Train employees regularly in latest threats
- Develop and maintain a robust Incident Response Plan
- Check suppliers and contractors for their own cybersecurity management
- Conduct regular audits to identify and address any vulnerabilities in your systems
We are in this together! The more we learn from each other the more we’ll be on top of potential threats.
Laura