The U.S. multifamily property management industry encompasses 40 million multifamily units valued at $3 trillion. More than 800,000 people work as employees of the management industry, while tech and service vendor companies employ hundreds of thousands more. And the industry is growing, requiring 4 million more units by 2030 just to keep up with demand. (Source: https://www.forbes.com).
Say you’re one of those hundreds of thousands who has just been given the reins of an I.T. infrastructure in multifamily housing property management, and you don’t know where to start from a cybersecurity perspective. Well, this is your lucky day, because we’re here to take you from zero to hero in a few easy steps. Okay, well, they’re not that easy, and there are significant costs involved, but hopefully you will come away enlightened and prepared to justify your cyber budget to executive management.
Step 1: Identify Critical Data. And determine where it is: on premises, in the cloud, with a software-as-a-service (SaaS) provider, and elsewhere. For example, a typical company might host its own Microsoft Exchange Server, or else it might be using Microsoft 365 online or Google Workspace. The corporate file server may be in the data center, or in AWS or Azure, or maybe it’s hosted with DropBox. Corporate finance might be hosted on-premises or in the cloud with Oracle NetSuite or Microsoft Dynamics 365, CRM with SalesForce or Pipedrive, property management and customer payments with RealPage, Yardi, or Entrata. Don’t forget social media, websites, and other places that I.T. might leave up to other groups (e.g., HR, payroll, marketing). You get the picture: your data is probably all over, and all of those places will require centralized I.T. visibility and control.
Step 2: Identity and Access Management (IAM). Lock-down all of that critical financial data, personally identifiable information (PII), and intellectual property (IP) with a single sign-on (SSO) solution that includes multi-factor authentication (MFA) and automated provisioning/de-provisioning. This will make life a lot simpler and allow you to get a handle on IAM. Some options here include Okta, Duo, and Microsoft AD. Before you roll out that IAM system, however, you’ll probably want to perform an audit of all required roles and permissions. There are a few reasons for this: (1) many companies have evolved over time via mergers and acquisitions, resulting in many duplicate roles, and (2) it would behoove you to minimize the number of roles for configuration management purposes. So, some data normalization might have to be done here. The result, ultimately, is a well-defined, managed, and maintained system that grows with your organization.
Step 3: Continuous Monitoring. I might even move this to Step 1, because as I have written before, it is the most important thing you can do for security: implement a Security Information and Event Management (SIEM) and/or Detection/Response for Endpoints/Network/Cloud (XDR) solution with 24/7 eyes-on-glass monitoring and incident response. This will allow you to keep tabs on all traffic traversing corporate firewalls, as well as events from the network infrastructure (routers, switches, VPN concentrators, etc.), servers (domain controllers, databases, files, etc.), endpoints (workstations, laptops, mobile, etc.), and cloud (SaaS applications, IAM, Microsoft 365, Azure, AWS, etc.). Security Operations Center (SOC) analysts watching the SIEM/XDR will immediately see if anything anomalous is happening and initiate an incident response. The new normal is “Zero Trust.” Assume someone is already inside your enterprise. You want to keep them from getting to anything critical via segmentation, IAM, and continuous monitoring. Having 24/7 XDR/IR capability is essential to containing threat actors and kicking them out as quickly as possible – not to mention it provides insights into other security architecture issues that led to the alert in the first place and need to be addressed.
Step 4: Vulnerability Management. Regular scanning for security vulnerabilities, researching emerging threats, downloading patches, regression testing, and deploying to all systems is also critical to maintaining a compliant program. Vulnerability scanning identifies and forms an inventory of all systems connected to a network. Don’t just include servers and endpoints – also remember printers, switches, firewalls, containers, virtual machines, remote access software, etc. Scanning also helps keep track of operating systems, software versions, user accounts, and open ports. How often should you patch? Well, that is a loaded question that many have asked.
Step 5: Governance, Risk, and Compliance (GRC). To ensure everything you’re doing aligns with industry cybersecurity best practices, you should perform a gap analysis versus a framework, such as the CIS Controls Version 8, NIST Cyber Security Framework for Critical Infrastructure Protection, or the ISO/IEC 27001 Information Security Management. Then, you should collect evidence from your deployment efforts to prove that you are compliant. Maintain all of this with a compliance portal or reporting tool that will serve as your central repository for artifacts and will provide visual management and dashboarding of your progress. This is better than having a bunch of disparate spreadsheets sitting around in SharePoint or wherever. It also helps you prepare for a third-party audit. As supply-chain pressures mount – i.e., B2B relationships requiring you to prove you have a certain level of cybersecurity practices in place – having all of this compliance data at your fingertips is crucial. You will be asked for attestations and security questionnaires. Short-circuit this by providing your attestation report. By the way, it's all required when you are are trying to acquire a cyber breach insurance policy.
Step 6: Ongoing Controls. To ensure that you are maintaining an adequate security posture, ensure that you undergo regular penetration testing from a qualified “red team” that provides probing externally (black box, as n outside attacker would attempt), internally (emulating what an attacker with an initial foothold in the network might attempt), and don’t forget any custom-developed Web applications (and mobile apps, as applicable). Also, ensure that you have cybersecurity awareness training for all employees – especially those handling sensitive financial and PII data. This training should include videos or interactive environments that provide tutorial information, but this should be bolstered by simulated phishing campaigns to make users aware of the tactics of threat actors. The point is not to trick people but to empower them to be the first line of defense into your environment.
This is not a complete list, but it is a great starting place for cybersecurity practitioners in multifamily. Any program you implement should include an aspect of continuous improvement – i.e., after any security incident is encountered, perform a lessons-learned analysis to improve your posture for the future. Always be evaluating and maturing your program (people, processes, and tools). Remember, the threat actors are constantly improving their methods, and so must you.
One last note to consider is that a proper program of best practices can be difficult for executive leadership to comprehend or fund. My advice here is: first, show them that you are not just making up stuff; you are aligning with objective industry standards. And second, consider outsourcing this work to experts who can help you with all aspects (GRC, professional engineering services, and cybersecurity operations). Justifying a monthly Opex budget might be more palatable than trying to hire several full-time staff members. For one thing, they’re very difficult to find, and for another, they’re very expensive. Thus, we read the recent headline: “83% of IT leaders are looking to outsource security to MSPs in 2021.” (Source: Computer Security Magazine, 1 Feb 21).
Jeremy Rasmussen is CTO of Abacode, a firm focused on helping the multifamily industry with cybersecurity. He is also adjunct professor at University of South Florida teaching courses in cybersecurity. He is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).