Cybersecurity in the multifamily ecosystem has reached a tipping point. Recent cyber attacks and malware deployments in the Ukraine warranted a joint cybersecurity advisory by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
U. S. government agencies are not the only ones warning multifamily companies to secure their data and prevent infiltration.
Many multifamily experts have been touting better data protection for years. “For the multifamily industry, which has been shifting more and more toward tech for everything from resident screening to smart home technology, protecting residents’ data is more important than ever,” Holly Dutton writes for Multi-housing News.
While multifamily asset managers may not believe their portfolio can suffer at the hands of ransomware, systems professionals are waving red flags where the Internet of Things, proptech, and basic community-wide Internet access collide. “Water meters, thermostats in the home, and the furnace are just a few of the devices that have the ability to transmit data (replace battery, schedule maintenance, adjust temperature, etc.). These devices should be segmented on their own network,” writes Shaun St. Hill, a cybersecurity advisor.
He continues to advise multifamily managers by saying, “The virtual or physical network you create just for these devices will make it more difficult for a hacker or bad actor to access your core network, thereby keeping your intellectual property and resident data better protected. If a threat actor or hacker was still able to access the smart meter or the thermostat for one of your Internet of Things devices while on a separate network, it is highly unlikely that they would also be able to access your core network that houses your production environment, your employee and client data, and intellectual property.”
Big Data, Bigger Problems
In 2019, the National Multifamily Housing Council commissioned Holland & Knight for a white paper titled, “Data Privacy and Protection: Practical Considerations for Apartment Firms.” Considering the varied channels hackers could access without the proper measures, the research delves into several layers of strong data privacy practices.
“Since apartment firms often collect, use and maintain vast amounts of information about residents, prospective residents and employees, evaluating the scope and potential impact of the constantly evolving privacy and security regulatory landscape is critical to maintaining successful business operations free from regulatory or consumer backlash,” explains Holland & Knight for NMHC.
Simply ignoring the risk of cyber attacks is one of the biggest mistakes organizations can make. “Given the broad and deep reach of these technologies, it is worthwhile to pause and consider the massive amounts of data collected and utilized in each, especially with more than 2,000 PropTech companies in the US alone,” Felicite Moorman writes for CPO Magazine.
Site-Level Associate Attacks Prevailing
While many managers may believe that attacks can only happen to their online operations, like smart devices or community-wide Internet, sensitive data is most often distributed by unbeknownst on-site employees. “According to Entrata, attacks on site-level associates’ computers are the most common, often with the attacker posing as an executive-level person requesting data or other sensitive information. Email attacks are much more common (78%) than web attacks (22%),” Jeffrey Kok clarifies in NAA.
A data breach can happen as easily as opening the wrong email or using a malware thumb drive. “From deepfakes and phishing attacks to malware and ransomware, the cyber threat landscape has further reach and impact than ever before. The facts speak for themselves, and the apartment industry is no less vulnerable to cybersecurity risks than well-known sectors like health care entities and financial institutions,” Multifamily Executive points out.
With so much at stake, managers now have an obligation to prevent data breaches while continuously training staff. “Workload has not changed, it has only increased with the ability to better understand the resident expectations and act on them,” Brittney Nelson tells NAA.
Patchwork Privacy Legislation
Cybersecurity has been a hot topic for years, yet only small steps have been taken to move federal legislation forward. State legislation isn’t moving as quickly as it should be, either, with only a handful of states passing laws that protect user data. “Terms like CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation) aren’t just initialisms rental housing operators need to at least know about, they are enacted legislation that operators must adhere to on a consistent and proactive basis,” NAA writes.
“Apartment firms increasingly operate across multiple states and must comply with a patchwork of 50 different state laws governing data security, breach notification and in some cases privacy standards. The current regulatory framework drives up costs, which ultimately affect housing affordability,” claims the NMHC Data Security Fact Sheet.
NMHC goes on to explain that, “The existing patchwork of laws and regulations can be difficult to navigate, and there is no one-size-fits-all approach for multifamily firms. However, it is clear that organizations should prioritize cybersecurity risk management programs—and should do so before a cyber-attack comes to fruition.”
Minimizing Data Breaches, Maximizing Trust
Keeping user data safe is a priority for property teams. “The first step for apartment operators is understanding the responsibility we have for our residents’ information. You’ve got to take steps to ensure convenience doesn’t come at the expense of privacy,” Mark Zikra tells NAA.
The single most important tool that can help in a privacy crisis is a plan specific to the breach. Exabeam untangles this notion in an in-depth video and written explanation. “Incident response plans ensure that responses are as effective as possible. These plans are necessary to minimize damage caused by threats, including data loss, abuse of resources, and the loss of customer trust.”
John Napier of Greystar takes it a step further by reminding firms that Personal Identifiable Information (PII) can be attained as soon as a community tour is booked or an online inquiry is logged. “We were evaluating the touchpoints of where we were acquiring personal information, and a lot of times we were looking at it under the lens of a website or some type of online platform. But there are a lot of interactions that take place on a property. Someone might walk in to take a tour and we might take down their name, email and other personal information.”
Paul Willis illustrates leaders in this space. “Greystar is among the operators that have remained on the cutting edge of keeping resident data secure while regularly monitoring for updates within the space.” Keeping updated best practices means multifamily organizations are realizing the depth of data they protect makes or breaks their brand in the long run. That means keeping tech and IoT secure with constant vigilance so users feel confident.
Residents and management teams alike want secure user experiences, while taking advantage of convenience and resource-saving automation. Arbor’s Betsy Kim describes such an opportunity. “Laura Patel is a real estate strategist at Density, a company that uses technology to measure building occupancy. One of their clients, LinkedIn, provides complimentary breakfast, lunch and snacks for employees. Instead of preparing food for the maximum number of attendees, the company gathered data from swiped employee cards. Using historical data and predictive analytics, the culinary staff knew how many people to cook for on any given day of the week. With the Density technology, LinkedIn saved $1 million by preventing food waste.”
With great technology comes great responsibility. -Multi-housing News
Not all proptech is created equal. Cyber security experts know that when it comes to understanding layered risks, each organization you partner with must be vetted.
Elevated Living is the Best-in-Class proptech known for employing benefits like:
- AWS platform
- CloudFlare DDoS mitigation
- 2FA/Multifactor Authentication
From frontend PII collection to backend big data aggregation, user experience starts with a simple login and password. Now imagine that the more apps residents must use to access a community, the more points of infiltration there are. Multiply apps by users by communities, and soon security perforation seems unavoidable.
To prevent data breaches and protect resident privacy, reduce the number of apps required to access your multifamily building. When management teams trust in Elevated Living to power their communities, they understand that the most reliable and safe all-in-one resident experience app is one that is transparent with its data use. Insulating branded apps from high-risk cyber attacks with app benefits that still provide convenience is what Elevated Living is known for.
By reducing the amount of applications your community and property management team use, liability and pain points diminish as well. The benefits of one white label app that limits vulnerability are innumerable when it comes to cybersecurity today. And while not all proptech can claim that data collection and privacy protection are at the top of their priority list, Elevated Living has been proving it since our inception.