Is Your Affordable Housing Organization Cyber Smart?
October is Cybersecurity Awareness Month, now in its 19th year. So why should you—someone working in the housing industry—care about cybersecurity? Public and affordable organizations are being breached by cybercriminals with increasing frequency.
Just take it from Jim DiPaolo, deputy CFO of Denver Housing Authority, who recently sat down with HAI Group to talk about a September 2021 ransomware incident that locked the organization out of its own system.
"Cyberattacks are probably the leading threat to housing organizations in terms of a threat an organization can control," DiPaolo told HAI Group. "While you can't control the weather, with cybersecurity, you can be proactive and limit that liability."
WATCH: Denver Housing Authority's Ransomware Scare—How the Organization Responded to an Unexpected Cyberattack
‘See yourself in cyber’
Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance (NCA) and the U.S. Cybersecurity and Infrastructure Agency (CISA). This year’s overarching theme: “See Yourself in Cyber.”
What does it mean to see yourself in cyber? While the news often portrays massive data breaches and hacks that can seem overwhelming, you’re not as powerless as you think. As an individual or stakeholder at your organization, there are steps you can take to protect your online information, and that of your colleagues and residents.
Adopt these key cybersecurity behaviors
NCA and CISA are focusing on four key cybersecurity behaviors this year:
Enabling multi-factor authentication (MFA)
Using strong passwords and a password manager
Recognizing and reporting phishing
Read on as we break down each of these behaviors, with free training resources included along the way.
Enable multi-factor authentication for ‘basically everything’
MFA is a security measure that requires anyone logging into an account to complete a two-step process to verify their identity. This security feature is often referred to as two-factor authentication or two-step authentication.
You might not realize it, but if you use banking or social media apps on your phone, chances are, you’ve used MFA before. Still, there’s a lack of awareness around MFA. A survey of 3,000 adults in the U.S., UK, and Canada conducted by NCA found 43 percent of respondents had never heard of MFA.
MFA verification steps can include but aren’t limited to, an extra PIN, security questions, an emailed or texted code, facial recognition or a fingerprint, or a unique number generated by an authenticator app.
“Any place online that is storing your personal information (especially financial information), or any account that can be compromised and used to trick or defraud someone else should be protected with MFA,” NCA states on its website. “So, basically everything. Simply put, use MFA everywhere.”
Free Resource: What is Multi-Factor Authentication, and Why Should Your Housing Organization Use It?
Use strong passwords and a password manager
Passwords are the first line of defense against cybercriminals. Paired with MFA, a strong password can be ironclad. So, what constitutes a strong password?
According to NCA, all passwords should be long (at least 12 characters), unique (never reuse passwords), and complex (passwords should be a combination of upper- and lower-case letters, numbers, and special characters).
We all have more than a few data-sensitive accounts floating around, which means multiple unique passwords that can be difficult to remember. A password manager, often in the form of an app or browser plugin, can create and store secure passwords so you can ditch the notebook and sticky notes.
The NCA study mentioned earlier found that about 65 percent of Americans don’t trust password managers, mostly because they fear if the manager is breached, all of their passwords will be up for grabs. But password managers with encryption and multi-factor authentication are more secure than a sticky note, or reusing passwords that are easy to remember.
One word of warning for housing organizations: don’t store passwords in the organization’s main server. If that server is breached, the passwords could be leveraged by bad actors. Even worse, if the organization is locked out of the server due to a ransomware attack, it won’t be able to access potentially vital passwords.
Denver Housing Authority stored its password file on its main server, which was locked out in a September 2021 ransomware attack. Within the password file were the housing authorities’ credentials to access its backup server. The housing authority ended up paying a ransom because it couldn’t access those credentials and had no way to work around the breach.
HAI Group Blog: Simple and Effective Password Tips
Keep software and apps updated
Software updates fix known problems and provide new security measures to protect against ever-evolving cyber threats.
There’s good news on the software update front: the NCA study found that 63 percent of respondents always or very often install the latest software updates.
NCA recommends always downloading a software update from the company that created the software. Never use pirated or unlicensed versions of software. If there’s an option to automatically apply software updates, turn it on.
It’s always a good idea to loop your IT team into the software patching process. If your organization doesn’t have an in-house IT team, consider hiring a consultant.
HAI Group Blog: How to Develop Your Housing Organization’s Cyber Incident Response Plan
HAI Group Blog: Does Your Housing Organization Need an IT Consultant for Cybersecurity?
Recognize and report phishingPhishing is a form of social engineering used to lure unsuspecting individuals to download a corrupted file or click on a malicious link. Cybercriminals often use fake emails, text messages, and social media posts as bait.
Sometimes, these fake messages can look so real that it’s hard to recognize the difference between legitimate correspondence. But there are subtle signs to keep an eye out for. For example, if the offer in the message is too good to be true, includes language that’s urgent or threatening, or is riddled with bad grammar and generic language.
If a message appears suspicious, notify your IT team as quickly as possible, and never click on any links in the message.
Free Infographic: Email Security Red Flags
Help your public housing organization fight cybercrime
If you work for a public housing organization, HAI Group’s security team and the U.S. Department of Homeland Security recommend registering for MS-ISAC, a free service that includes cybersecurity alerts, a cybersecurity toolkit, and the Malicious Domain Blocking and Reporting (MDBR) service, which can block the vast majority of ransomware infections by preventing the initial outreach to a ransomware delivery domain.
Visit HAI Group’s Cybersecurity Center for more free cybersecurity resources for public and affordable housing organizations, including online training to help employees identify and avoid cyberattacks.