“Best Cybersecurity Practices for Community Associations: Managing Risk in a Digital Environment” – FLCAJ
This article could have been called “Phishing and Hacking and Ransomware, Oh My!” Estimates range from thousands to millions of cyberattacks occurring every day around the world, and community associations and their vendors are prime targets.
Community associations increasingly rely on digital technology for their operations. Official records are stored electronically. Banking records are accessible online, and financial transactions are completed over the internet. Online payment systems and cloud-based property management systems have helped increase efficiency and convenience throughout the industry, but they have provided malicious actors with access and opportunities they have never previously had. Boards and vendors alike must recognize that cybersecurity is not just for IT departments of Fortune 500 companies; it is a matter of proper governance and risk management.
The Growing Cybersecurity Threat
As community associations use more digital technology to integrate their operations, malicious actors develop new ways to access information or harm associations.
One of the most common types of cyberattack is phishing. Phishing is the term used to describe when an attacker sends an email designed to trick the reader into disclosing sensitive information or transferring funds. Tricking people through psychological manipulation to give away confidential information or access is called “social engineering.”
Even if it looks like an email is from a trusted vendor, a board member, a manager, etc., it may not be. Malicious actors often “spoof” an email address to make the reader believe it is coming from a trusted source. A lowercase “l” looks a lot like the number 1. Can you tell the difference between joe@gmail.com and joe@gmai1.com if you are not looking closely? More troublesome is that different alphabets have different characters, some of which look identical to English characters to the human eye but are different characters to a computer. In those cases you would not be able to tell the difference between two distinct email addresses merely by sight.
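What the eye cannot distinguish, software can. The following is an added example, not part of the original article: it flags a sender whose domain imitates a trusted one through look-alike digits or letters from another alphabet. The trusted-domain list, the small character tables, and the function names are assumptions made for illustration.

```python
import unicodedata

# Assumption: domains the association really corresponds with (constructed list).
TRUSTED_DOMAINS = {"gmail.com", "examplebank.com"}

# ASCII digits commonly used to imitate letters.
ASCII_LOOKALIKES = str.maketrans({"1": "l", "0": "o", "5": "s"})

# Small constructed subset of Cyrillic/Greek letters that render like Latin ones
# (not the full Unicode confusables table).
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}

def skeleton(domain):
    """Replace each look-alike character with the character it imitates."""
    folded = "".join(HOMOGLYPHS.get(ch, ch) for ch in domain.lower())
    return folded.translate(ASCII_LOOKALIKES)

def scripts_used(text):
    """Return the alphabets (LATIN, CYRILLIC, ...) of the letters in text."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED_DOMAINS}

def check_sender(address):
    """Classify a sender as trusted, lookalike, mixed-script, or unknown."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    imitated = TRUSTED_SKELETONS.get(skeleton(domain))
    if imitated:
        # Not the trusted domain, yet reads as it: treat as spoofing.
        return ("lookalike", imitated)
    if len(scripts_used(domain)) > 1:
        # Letters from two alphabets in one domain are rarely legitimate.
        return ("mixed-script", None)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders; the third uses a Cyrillic "a".
    for sender in ["joe@gmail.com", "joe@gmai1.com", "joe@gm\u0430il.com"]:
        print(ascii(sender), check_sender(sender))
```

A "lookalike" or "mixed-script" result is a reason to verify the message through a separate, known channel before acting on it.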
A similar threat is known as business email compromise, where a malicious actor gains access to a business email account through hacking or, more commonly, phishing for usernames and passwords. The malicious actors use real credentials and email addresses to trick the reader into divulging sensitive information or even to access bank accounts and drain them.
Additionally, community associations can fall victim to ransomware, where the malicious actor is able to gain access to the association’s digital files and lock them with encryption, making them unreadable to anyone without the key to decrypt them. Usually a ransomware attack is accompanied by a demand for payment to provide the key, but a disgruntled owner might lock all the association’s files and demand nothing just to spite the association or for revenge.
Cybersecurity Risks for Community Associations
There are several general categories of risk a community association must protect against.
Financial fraud is likely most associations’ greatest concern. Florida community associations are estimated to have lost between $20 million and $45 million to cyberattacks over the last five years, mostly due to fraudulent wiring instructions and business email compromise. These attacks can be difficult to detect without proper safeguards because they often rely on social engineering rather than technical vulnerabilities.
Malicious actors are not only after money in the bank, though. Data breaches are also common. There is a market for personal identifying information, so the association’s stored data, such as confidential resident information, is often the target. Such data breaches are not just harmful to the association’s and board’s reputation but can also subject the association to significant liability. Now that condominium associations are required to accept email ballots if they have not adopted formal online voting, there is a risk that someone may attempt to influence an election or other vote of the owners by gaining access to the association’s emails and deleting ballots or by obtaining owners’ email addresses and spoofing them to submit additional votes.
Ransomware can interfere with billing, recordkeeping, violation enforcement, and communication with the association’s residents.
Some cybersecurity risks are outside of an association’s direct control. Associations frequently rely on third-party providers for management, accounting, and technology services, such as for electronic voting and the owner portal. If the vendors do not have adequate cybersecurity practices in place, the association can be exposed to cyberthreats through them.
Best Practices for Cybersecurity Risk Management
Community associations must be proactive and address these risks before an attack occurs. Most associations do not have a dedicated IT team working in the background to keep the association’s data safe, so it is up to board members and managers to do so.
Associations should take the following steps to mitigate the risks of a cyberattack.
- Ensure secure payment procedures. Do not rely on emailed payment instructions, especially for electronic transfers. Verify payment details through a separate, known communication method, such as by phone. Do not simply rely on the phone number provided with the payment instructions. If you do not recognize the number, find the company’s number online and call that number to verify the payment. For large transactions, the association should require authorization from multiple individuals.
- Always use multi-factor authentication for systems that contain sensitive information, including email, banking, payment systems, and management systems.
- Ensure vendors have adequate cybersecurity practices. Ask about the vendor’s policy on data storage, its security measures, and its cyber insurance coverage for data breaches and other attacks. It is always a good idea to include requirements for cybersecurity in vendor contracts.
- Minimize the amount of data available by collecting and storing only the data that is necessary for operations. The association should also limit who has access to sensitive data to as few people as necessary.
- Train and educate board members and managers on phishing techniques and alert them to trending scams. Test them repeatedly and often with simulated phishing attempts. Human error is the largest cause of cybersecurity failures, and malicious actors are constantly refining their attacks and methods. Be extra vigilant before elections and other owner votes.
- Have a plan for how to respond if the association is hit with a cyberattack or merely suspects it may have been attacked, including a list of key contacts such as legal counsel, insurance carrier, IT, etc.
- Maintain a physical copy of key governing documents, contracts, vendor lists, etc. to ensure the association can still manage operations if its digital files are locked or destroyed.
- Have adequate cyber insurance. Although insurance will not stop a cyberattack, it can help protect the association from the financial effects of one.
Conclusion
It is unlikely that a system can be built to stop all possible cyberthreats. Cybersecurity is a constant game of cat and mouse. However, by being aware of the threats and implementing secure payment procedures, multi-factor authentication, vendor oversight, and training, associations can significantly reduce their exposure to cyberthreats while continuing to enjoy the benefits advancing technology provides.
Coop Cooper, Senior Attorney, Becker
“Coop” Cooper is a senior attorney in Becker’s Condo, Co-Op & HOA practice based in the Orlando office. Mr. Cooper has more than 20 years of experience specializing in real property law, with a focus on community association governance, landlord/tenant disputes, and complex legal transactions. Mr. Cooper graduated cum laude from the University of Miami School of Law where he continued his studies beyond the usual three years of law school to earn an LL.M. in Real Property Development, an advanced degree specializing in real estate law. Mr. Cooper has a deep understanding of all aspects of real estate law, including finance, purchase/sale, title, development, land use, community associations, drafting and enforcement of governing documents, foreclosure, commercial and residential leasing, landlord/tenant, evictions, zoning ordinances, business creation/dissolution, and more. For more information visit www.beckerlawyers.com.