Cybercriminals continue to target public and affordable housing organizations at an alarming rate. The good news? Protecting yourself doesn’t have to be complicated—or expensive.
HAI Group’s Amy Hourigan sat down with cybersecurity expert Jonathan Hochman to get his best advice for housing organizations that are looking for better ways to safeguard their systems and data. Hochman, the founder of CodeGuard, a website security company, and Hochman Consultants, a boutique search marketing agency, holds two computer science degrees from Yale University and regularly serves as an expert witness in disputes involving online reputation and other computer-related issues.
HAI Group: Thanks for talking with us today, Jonathan. Our policyholders and members are juggling multiple responsibilities on limited budgets, yet they want to make sure they’re also protecting their organizations—and their residents’ data—from cybercriminals. What advice would you give them?
Jonathan Hochman: There are five things I recommend: patch your software, secure your business email, retire your obsolete systems, make sure your data is backed up automatically, and inventory your hardware. All of these activities fall under what we call “defense in depth.” No single defense is perfect, but taken together, they work. You can think of each cybersecurity measure like a piece of Swiss cheese. If you take the pieces and layer them on top of each other, the holes won’t always align. Add enough layers and eventually, those holes will stop.
HAI Group: I like that analogy. Probably because I like cheese. OK, so let’s talk about your first recommendation. Since software companies regularly issue updates that fix security vulnerabilities, patching as a cybersecurity measure makes sense.
JH: It’s critical. Cybercriminals target known vulnerabilities. Making sure your software is up to date goes a long way toward helping keep you safe. If you have Windows, type Windows Update in the search bar (look for the magnifying glass next to the Windows icon in the bottom left corner of your screen). If you use Apple products, you can learn how to update your Apple software here. Make sure to set it for automatic updates so the system will just update itself. Then keep an eye on it to make sure these updates are happening.
HAI Group: Can’t organizations just rely on antivirus programs?
JH: Antivirus programs, which try to stop the bad stuff from getting on your systems, aren’t perfect. Sometimes you’ll get something on your system called an advanced persistent threat, or APT for short. It’s software that’s just sitting on your system snooping on your network and collecting data. It’s not actually doing anything you’ll notice, but it’s gathering and sending out your data, which somebody somewhere is accumulating. Eventually, they’re going to use it against you. For this reason, it’s important to periodically scan your systems for malware. There are a variety of vendors you can use. The simplest one is called Malwarebytes, and you can download it for free. Run it and see what you’ve got.
HAI Group: Sounds easy enough. OK, so we’ll patch our software and scan for malware. What’s next? What did you mean when you said that housing organizations need to secure their business email?
JH: Email hacking is a huge problem for businesses. An easy way for cybercriminals to send you harmful attachments and links is through fake emails that look legitimate. Having everyone in your housing organization practice good password hygiene is a simple but powerful defense. You want everyone to use different passwords for different accounts, choose phrases that are easy to remember but hard for others to guess, and enable multi-factor authentication. Even better, use a password service like LastPass. There are a bunch of these types of password lockers, and they enable you to have a unique and complex password for each site you use. I have no idea what any of my passwords are; they’re like 15-character strings of gobbledygook that I couldn’t possibly remember.
HAI Group: So, password lockers like LastPass don’t get hacked?
JH: Well yeah, they could get hacked. It certainly is a worry, but the theory is to put all your eggs in one basket and watch that basket very carefully. I protect my Google account, which is where the passwords end up stored, with two-factor authentication. You should enable multi-factor authentication for all of your important accounts.
HAI Group: OK. What’s next?
JH: Alright, so another big avenue by which people are getting attacked is through obsolete systems. If you have an old computer system that is at the end of its life, replace it, because it’s not getting patched. It’s going to be exposed, and you’re going to get attacked.
HAI Group: Yikes. I didn’t think about that.
JH: It’s critical. Another thing you need to do is ensure that your important data is being backed up automatically. I use Microsoft OneDrive (a cloud service). I have two computers. With OneDrive, my computers automatically upload copies of their data files to OneDrive and then OneDrive syncs them so I can switch between computers and the files are the same. If something happens to one of my computers, it’s not a big issue because the files are stored in OneDrive (not on the computer’s hard drive), so I can restore them. Housing organizations that aren’t automatically backing up their data to the cloud should talk to their IT vendor. Tell them that you need to make sure all your systems are being backed up so that if you get hit you’re protected. Then, if you get hit, you can do what’s called the “whack and back,” which means you whack the system that’s been compromised—you just erase it—then you reinstall the software and restore your data from your backup and go on your merry way.
HAI Group: Sounds easy enough.
JH: It’s important to have those good backups. In order for that to be successful, you also need to have an IT inventory. You need to know every computer and device that’s in your organization. Every router. Every web camera. Every keyless lock. And you need to make sure that every single one of those devices is being properly backed up and patched. I’ve seen demonstrations where a simulated attacker will go into an organization and hack the web camera that’s in the office to monitor people from a security standpoint, and they’ll use the web camera to watch people working. They’ll watch someone type their password and get that password from the hacked camera. So even if you patch all your computers, if you have an old router and your old router isn’t patched, malware can get in through the router, so you need to be vigilant. In fact, that inventory of everything might be step zero. That might come before everything else. Ask your IT professional: Do we have an inventory of our assets? Do we know every system that we’ve got? Do we know all the sources of data that we have? That’s important because you’ll want to discover if someone has an ad hoc database they’ve created and maybe they’re doing something with it on the side and mishandling sensitive information. If you have that inventory you can get a handle on things.
HAI Group: Is there an easy way to find out if you have a rogue video camera or router you forgot about?
JH: That’s a job for an IT vendor. There are products you can use to scout around; I believe there are some that can even do automatic inventories and discover all the devices.
HAI Group: I didn’t know routers needed to be patched. I don’t think I’ve ever gotten any kind of notification for the one I use in my home, which I’ve had for a few years.
JH: Yes, routers get patches and firmware upgrades. They have problems, and if you patch them, you have less trouble.
HAI Group: Good to know. What other advice would you give housing professionals who want to protect themselves from cybercriminals?
JH: Practice good hygiene with your accounts. A lot of businesses still have old accounts and access credentials for employees who left the organization because they never canceled their accounts. That’s a problem because it can be a vector for a criminal to get in. So, you need to maintain hygiene not only with regard to your active employees’ passwords, but you also need to make sure you remove inactive user accounts from your systems. Another thing to do when you take that inventory is to check any devices like your routers, cameras, internet locks on doors—whatever you’ve got—and make sure that none of those things still have the default password that came with the device.
HAI Group: Everything you’re describing seems pretty simple. Is it?
JH: Yeah, I think so. Every bit helps, OK. Like if we just tell people, make sure you patch your systems. Make sure you replace your end-of-life systems. That’s good. Doing automatic backups is good. You can spend a little money now to secure everything. Or you can spend a lot of money later to try to clean up. If you don’t prepare now, inevitably, you will get hit. And it’s much cheaper to prepare than to clean up.
HAI Group: Public and affordable housing organizations typically don’t have big IT budgets, though.
JH: You don’t need to do anything too fancy. I don’t want people to go out and buy super expensive contracts. All this stuff should be done relatively cheaply. You need a simple solution. You don’t need the fanciest, greatest solution; you need the basics.
I recommend that housing organizations shop around and get a good, solid basic solution from a known vendor. When anybody is spending a lot of time and effort to sell you something, it probably means the product is overpriced. I’m not talking about huge corporations. For them, it’s worth it to send a salesperson, but if you’re a small operation you should be able to go out and shop and pull something fairly simple off the shelf, which is going to take care of your needs. Or go to your local IT vendor, where you know the person. Local vendors should be able to provide the services I’ve described, and they shouldn’t be super expensive.
HAI Group: When you talk about cleaning things up after the fact, how much money are we talking? Is there an average cost per crime per industry or business size?
JH: We have some statistics, but data breaches are expensive. And they can be very expensive if you lose your residents’ or tenants’ personally identifiable information. If you end up with payment fraud, where someone gets ahold of bank account information and commits fraud, that can be very, very expensive. The average breach I think is in the million-dollar range in terms of total costs and liability. Obviously, that includes some larger enterprises so that’s why these averages are not that meaningful. But it can be very expensive. Surprisingly expensive.
HAI Group: Anything else affordable housing organizations should know about cybersecurity?
JH: Again, they need to patch their systems and they need to have backups. You have to understand that you’re going to be attacked, so you may as well just practice so you know how you’re going to restore your systems when it happens. If you’re using Microsoft software, just get OneDrive and use it to back up all your files for each computer. That will give you a definite leg up. Housing organizations might also consider buying cyber coverage.
HAI Group: We offer cyber coverage to our members, but it has caps, so we encourage them, and all other policyholders, to discuss their needs with their account representative since they most likely need additional coverage.
JH: It’s hard because businesses have to put resources into cybersecurity. I know affordable housing organizations don’t always have the resources they need, but if they don’t invest in cybersecurity, worse things are going to happen that are going to cost them even more.
HAI Group: I would imagine the firms that help you with the public relations angle aren’t cheap either.
JH: None of it is cheap. You’ve got a PR problem. You’ve got a legal problem. You’ve got potential lawsuits. You’ve got, potentially, government fines. It’s a huge cascading problem that you want to avoid.
HAI Group: What about training your staff not to click on bad links or download attachments that look legitimate?
JH: You do need to train people, and there are people who do it, but housing authorities might not be able to afford that type of training. Plus, training people not to click on bad links is a very hard thing to do. There’s always a message that’s a little bit more seductive and people will forget to use caution. They’re in a hurry. There’s not a whole lot you can do on the human factor.
HAI Group: We’ve all heard a story from a colleague or friend who clicked on an email with a highly charged message, even though they had cybersecurity training.
JH: Oh yeah, I know, because these criminals will send you a message that is emotionally charged and you get the adrenaline rush, and once that sets in, your IQ drops by like 50 points. And there’s nothing you can do about it. That’s just the way it is for all of us. People will always get phished. You really need to have your system patched because then you’re less vulnerable to phishing. And if you have a backup, you’re able to restore yourself better. Another thing you can do is make sure your email provider has good spam filtering because the more spam you can eliminate, the better. A great, yet inexpensive, solution for this is Google’s email suite. For, I don’t know, under $100 a month or so for 10 users you get a nice business email system that has filtering and safety built-in (the system can scale up).
HAI Group: If a housing organization has an IT department, does it typically take care of cybersecurity?
JH: IT should set up these measures but they may be overwhelmed. These are good questions for the executive director of the housing authority to ask their IT person—not to put them on the spot but to offer support. Ask them: How are we doing on all these measures? What can we do to make sure that these things are being taken care of? Ask them if they’re encountering any difficulties and whether they need additional resources or support.
HAI Group: What if they don’t have an IT expert on staff?
JH: If they don’t have an expert, maybe they’re affiliated with an organization or government entity that does have one who would be willing to informally lend a hand.
HAI Group: That’s a great idea.
JH: Yeah, just ask for help. Go to the town and say we’re concerned about cybersecurity. Could you help us? We’re doing good things in the community and you want us to succeed, and this is what we need. It’s a good idea to ask for help. It’s a good idea to ask for advice and not to be too proud.
HAI Group: Thanks, Jonathan.
JH: My pleasure.
Includes copyrighted material from a company under the HAI Group family, with its permission. This post is for informational purposes only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.