Is Your Affordable Housing Organization Cyber Smart?

  • October 10, 2024

October is Cybersecurity Awareness Month, and cyberattacks are on the rise. Whether you're managing properties, maintaining IT systems, or serving residents, cybersecurity should be on your radar. Protecting sensitive data and ensuring uninterrupted operations isn't just an IT concern—it's a critical part of housing management today.

 

Just take it from Jim DiPaolo, deputy CFO of Denver Housing Authority, who recently sat down with HAI Group to talk about a September 2021 ransomware incident that locked the organization out of its own system. 

 

"Cyberattacks are probably the leading threat to housing organizations in terms of a threat an organization can control," DiPaolo told HAI Group. "While you can't control the weather, with cybersecurity, you can be proactive and limit that liability." 

 

WATCH: Denver Housing Authority's Ransomware Scare—How the Organization Responded to an Unexpected Cyberattack

 

 

‘See yourself in cyber’

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance (NCA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This year’s overarching theme: “See Yourself in Cyber.”

What does it mean to see yourself in cyber? While the news often portrays massive data breaches and hacks that can seem overwhelming, you’re not as powerless as you think. As an individual or stakeholder at your organization, there are steps you can take to protect your online information, and that of your colleagues and residents.

Adopt these key cybersecurity behaviors

NCA and CISA are focusing on four key cybersecurity behaviors this year:

  • Enabling multi-factor authentication (MFA)

  • Using strong passwords and a password manager

  • Updating software

  • Recognizing and reporting phishing

Read on as we break down each of these behaviors, with free training resources included along the way.

Enable multi-factor authentication for ‘basically everything’

MFA is a security measure that requires anyone logging into an account to complete a two-step process to verify their identity. This security feature is often referred to as two-factor authentication or two-step authentication.

You might not realize it, but if you use banking or social media apps on your phone, chances are, you’ve used MFA before. Still, there’s a lack of awareness around MFA. A survey of 3,000 adults in the U.S., UK, and Canada conducted by NCA found 43 percent of respondents had never heard of MFA.

MFA verification steps can include, but aren’t limited to, an extra PIN, security questions, an emailed or texted code, facial recognition or a fingerprint, or a unique number generated by an authenticator app.

“Any place online that is storing your personal information (especially financial information), or any account that can be compromised and used to trick or defraud someone else should be protected with MFA,” NCA states on its website. “So, basically everything. Simply put, use MFA everywhere.”

Free Resource: What is Multi-Factor Authentication, and Why Should Your Housing Organization Use It?

Use strong passwords and a password manager

Passwords are the first line of defense against cybercriminals. Paired with MFA, a strong password can be ironclad. So, what constitutes a strong password?

According to NCA, all passwords should be long (at least 12 characters), unique (never reuse passwords), and complex (passwords should be a combination of upper- and lower-case letters, numbers, and special characters).

We all have more than a few data-sensitive accounts floating around, which means multiple unique passwords that can be difficult to remember. A password manager, often in the form of an app or browser plugin, can create and store secure passwords so you can ditch the notebook and sticky notes.

The NCA study mentioned earlier found that about 65 percent of Americans don’t trust password managers, mostly because they fear if the manager is breached, all of their passwords will be up for grabs. But password managers with encryption and multi-factor authentication are more secure than a sticky note, or reusing passwords that are easy to remember.

One word of warning for housing organizations: don’t store passwords on the organization’s main server. If that server is breached, the passwords could be leveraged by bad actors. Even worse, if the organization is locked out of the server due to a ransomware attack, it won’t be able to access potentially vital passwords.

Denver Housing Authority stored its password file on its main server, which was locked in a September 2021 ransomware attack. Within the password file were the housing authority’s credentials to access its backup server. The housing authority ended up paying a ransom because it couldn’t access those credentials and had no way to work around the breach.

HAI Group Blog: Simple and Effective Password Tips

Keep software and apps updated

Software updates fix known problems and provide new security measures to protect against ever-evolving cyber threats.

There’s good news on the software update front: the NCA study found that 63 percent of respondents always or very often install the latest software updates.

NCA recommends always downloading a software update from the company that created the software. Never use pirated or unlicensed versions of software. If there’s an option to automatically apply software updates, turn it on.

It’s always a good idea to loop your IT team into the software patching process. If your organization doesn’t have an in-house IT team, consider hiring a consultant.

HAI Group Blog: How to Develop Your Housing Organization’s Cyber Incident Response Plan

HAI Group Blog: Does Your Housing Organization Need an IT Consultant for Cybersecurity?

Recognize and report phishing

Phishing is a form of social engineering used to lure unsuspecting individuals into downloading a corrupted file or clicking on a malicious link. Cybercriminals often use fake emails, text messages, and social media posts as bait.

Sometimes, these fake messages can look so real that it’s hard to tell them apart from legitimate correspondence. But there are subtle signs to keep an eye out for. For example, be wary if the offer in the message is too good to be true, if it includes language that’s urgent or threatening, or if it is riddled with bad grammar and generic language.

If a message appears suspicious, notify your IT team as quickly as possible, and never click on any links in the message.

Free Infographic: Email Security Red Flags

Help your public housing organization fight cybercrime

If you work for a public housing organization, HAI Group’s security team and the U.S. Department of Homeland Security recommend registering for MS-ISAC, a free service that includes cybersecurity alerts, a cybersecurity toolkit, and the Malicious Domain Blocking and Reporting (MDBR) service, which can block the vast majority of ransomware infections by preventing the initial outreach to a ransomware delivery domain.

Visit HAI Group’s Cybersecurity Center for more free cybersecurity resources for public and affordable housing organizations, including online training to help employees identify and avoid cyberattacks.

Contact our Risk Control and Consulting team for more resources and answers to your housing organization’s risk-related questions.

This article is for general information only. HAI Group® makes no representation or warranty about the accuracy or applicability of this information for any particular use or circumstance. Your use of this information is at your own discretion and risk. HAI Group® and any author or contributor identified herein assume no responsibility for your use of this information. You should consult with your attorney or subject matter advisor before adopting any risk management strategy or policy. 

HAI Group® is a marketing name used to refer to insurers, a producer, and related service providers affiliated through a common mission, management, and governance. Property-casualty insurance and related services are written or provided by Housing Authority Property Insurance, A Mutual Company; Housing Enterprise Insurance Company, Inc.; Housing Specialty Insurance Company, Inc.; Housing Investment Group, Inc.; and Housing Insurance Services (DBA Housing Insurance Agency Services in NY and MI).
