Monday, September 8, 2014

Which of These 8 Multifamily IT Security Issues Are Yours?


I was asked: “Mike, based on your 40+ years of experience in technologies, as a business manager, what are the common technology security issues that I should be concerned about?” Well, I am not going to dive into the architecture of data centers, computing platform data leakage, network ‘sniffing’, DOS or DDOS attacks and perimeter defense strategies, but as a business manager I suggested the following security risks that are all too commonly found (and exploited):

1. No policy on password resets.

If you allow passwords to remain unchanged for more than 90 days you are setting yourself up for a breach. Sure, it is a pain for your company internally, and it may seem even more of a pain for your customers who need passwords to access the services you provide. But those very customers are the easiest source of a breach. Would you rather explain ‘security’ or the fact that every lease and background check report has been downloaded? Having robust password structures and prohibiting reuse are good starting points. Do the math. A password of less than 12 characters begs for cracking. Using ‘remember me’ means just that - except the computer really doesn’t know who you are, so in one quick unattended minute the thief is in. Look around the leasing office and see how many passwords you can find written down – start with the post-it notes, they are a dead giveaway.

2. Unsanctioned file shares.

If you allow staff to use ‘rogue’ or ‘freemium’ file shares you have lost control. Letting staff store company or resident related documents on file storage services of their choosing is just crazy. Once a document is sent off site under THEIR control, you set your company up for problems and risks: no ability to audit access, no control over access, it’s their password not yours, no control over re-distribution of documents, and when they leave they take the documents with them.

3. Bring Your Own Device (BYOD) permitted.

Nightmare city. The wild, wild west. Managing the access and use of personal devices may seem enlightened, but the risks are truly great. What gets put on that personal device? What access codes are stored on it? Who else in the family can play with it? Oops, where is it? Wow, look at all those e-mails and e-mail addresses! If allowed, it must be formally understood, managed, monitored and controlled…not just permitted. An interesting sidelight is the issue of engaging hourly staff ‘after hours’ because their device ‘buzzes and pings’ with your business matters. Be ready to pay for that intrusion. The labor laws are on the side of the employee.

4. Unmanaged ‘wifi’ access.

“It is too much of a nuisance to have a password protected ‘wifi’. We have lots of guests and it makes it hard for them to get online.” Remember, you don’t have to be in the room to get a wifi signal. Every signal is a beacon for a drive-by hacker. Why make it easy to ‘come on in’?

5. Unsecure printing and storage of paper files.

Allowing multiple users to print to a shared printer when they are not present to collect their print output is a common one. Unattended output is left in print trays, in full view, and can easily be picked up by the wrong user. Personal identity theft is a significant threat. The cost of that breach is severe. Look around the leasing office and just see how much personal resident information is left unattended. Now, where is that application form? Are resident paper files really locked down? Do the cleaning staff have unsupervised access to paper file storage rooms?

6. Lost or stolen smartphones and laptops.

Need I say more about this drama and trauma? If you don’t have a ‘red event’ team and policy to shut lost devices down or immediately restrict their access, stop reading and get one started. Maybe, just maybe, it is all backed up? That matters for two reasons: (1) the employee can continue to work and (2) you can audit what was lost or stolen.

7. Social Media APPS on corporate systems.

A treasure trove for ‘phishing’ and re-directs. “Tell me more, oh tell me more”. “I just love being ‘connected’ and sharing. It is sooo cool…social media publishing is so friendly and helpful”. …really?

8. Malware everywhere and viruses from hell.

“All I did was click on that message, it said I had to”. “Oh, that web site - seemed like it was going to be helpful”. “Here, use this jump drive storage stick, I have others”. Unless you ensure and enforce the maximum use of ‘firewalls’ and device resident security software you have no chance at even a semblance of protection.

In the end, a rigorous security awareness program, such as frequent mandatory end user security training sessions and frequent bulletins and newsletters that make security awareness part of your culture, will go a long way toward reducing your risk.

One last piece of advice…make someone available to help end users when they have a security question. Encourage them to call before they do something. Everyone will benefit from the ‘ounce of prevention that avoids a ton of grief’.

True, security is a living ‘eight-ball’ that we will seemingly always be behind. Those are my ‘8 balls’. How did you do?

As I always offer, if I can help or you want some advice or counsel, just send me an e-mail. I’d be happy to share what experience has taught. I am at the moment on the warpath about the use of unsanctioned file shares. There are cost-effective solutions that can mitigate that risk and make your end users happy.
