Cybersecurity threats are all too real for housing organizations and take many forms, including phishing, ransomware, and business email compromise.
Globally, cyberattacks increased by 38 percent in 2022, compared to 2021. In 2022, the average cost of a data breach in the U.S. was $9.4 million. Data breach costs have increased annually since 2013 when the average cost was $5.4 million.
While cybercriminals have multiple attack vectors at their disposal, many cyberattacks on housing organizations start with what looks like an innocent email. Researchers recently analyzed 55.5 million business emails and found that roughly one in every 99 emails is a phishing attack. Of those attacks, 25 percent bypassed default email security measures. Phishing emails typically carry a link that leads to a look-alike login page built to harvest credentials, or an attachment that installs malware when opened. Either gives the attacker a foothold to reach sensitive data and deploy ransomware, malicious software that encrypts files and locks users out of their computers, systems, or networks until a ransom is paid.
So, what can your housing organization do to secure itself in the face of advanced cybersecurity threats?
Treat these threats like any risk your organization faces—with proactive and reactive measures, including insurance coverage for an added layer of protection.
Cyber insurance is designed to mitigate losses from cyber incidents, including data destruction, damage to software and hardware, ransom payments, business interruptions, breach incident response and crisis management, and legal claims.
Angel Fear, a regional manager with HAI Group's Account Services team, has worked directly with several housing organizations that have experienced ransomware attacks. She's seen the behind-the-scenes costs of these attacks (e.g., ongoing vendor and legal fees, ransom payments, software and hardware updates, additional staff, etc.) add up to millions of dollars in six months or less. Without a cyber insurance policy, your organization would likely be required to pay most of these costs out-of-pocket. Standard property and general liability insurance policies don't cover most aspects of a cyberattack.
"If you're a public or affordable housing organization, you're going to want cyber insurance coverage," Fear said.
Due to the frequency and severity of losses related to cyberattacks, most cyber insurance carriers require that housing organizations have baseline cyber protections in place. For example, security practices like multi-factor authentication were once optional and often meant a premium discount. Now, it's a baseline requirement for coverage.
"Cyber insurance providers want to ensure your organization is taking proactive steps to avoid a cyber incident," Fear said.
Five key security measures to increase your cyber insurability
Cyber insurance providers frequently require multi-factor authentication, secure backups, regular software updates, cybersecurity awareness training, and endpoint detection and response.
"Carriers might not necessarily require them all, but these are what they're looking for in general," Fear said. "If you need to have just one of these, it's multi-factor authentication."
We've put together a brief explanation of each security measure below. Visit HAI Group's Cybersecurity Center for additional free resources.
1. Multi-factor authentication (MFA)
MFA is a security measure that requires anyone logging into an account to prove their identity with two or more independent factors, for example a password plus a one-time code, so that a stolen password alone is not enough to get in. This security feature is often referred to as two-factor authentication or two-step authentication.
Fear said that most cyber insurance providers require that housing organizations have MFA in place before issuing a policy.
If you use banking or social media apps on your phone, you've probably used MFA before. Still, there needs to be more awareness around MFA. A survey of 3,000 adults in the U.S., U.K., and Canada conducted by the National Cybersecurity Alliance found 43 percent of respondents had never heard of MFA.
MFA verification steps can include, but aren't limited to, an extra PIN, security questions, an emailed or texted code, facial recognition or a fingerprint, or a unique number generated by an authenticator app. These factors are not equally strong: emailed and texted codes can be intercepted or phished, while authenticator apps and hardware security keys are harder to defeat, so prefer them for email, remote access, and financial systems.
"Any place online that is storing your personal information (especially financial information), or any account that can be compromised and used to trick or defraud someone else should be protected with MFA," NCA states on its website. "So, basically everything. Simply put, use MFA everywhere."
2. Secure backups
If cybercriminals breach your system, all isn't necessarily lost as long as you have a secure backup system. System backups provide the ability to recover the data you need in the state you need it in.
For example, if your organization's systems are infected with ransomware or another type of malware, you can wipe the system and restore everything from the secure backup. For that to work, at least one copy of the backup must be offline or otherwise unreachable from the production network, so the ransomware cannot encrypt or delete it along with everything else, and you should periodically practice a full restore to confirm the copy is complete and readable. While you should never rely on backups alone for cybersecurity, they're a must-have.
It's crucial to ensure your backup is secure. After Denver Housing Authority experienced a ransomware attack in 2021, the organization couldn't boot up its backup system because the backup password file was on a server that malicious actors locked out.
Denver Housing Authority Deputy CFO Jim DiPaolo said if his organization hadn't had its password file stored on the same system locked out by cybercriminals, "we wouldn't have had to pay the ransom."
"We would have been able to get into our backup system, use the backup tape, and gone forward, so it was a good lesson learned," he said.
3. Regular software updates (patching)
Software updates, also known as patches, fix known bugs and security vulnerabilities in the software you already run, closing the holes attackers scan for before they can be exploited.
"Cybercriminals target known vulnerabilities," said Jonathan Hochman, founder of CodeGuard, a website security company, and Hochman Consultants, a boutique search marketing agency. "Making sure your software is up to date goes a long way toward helping keep you safe."
Your organization's IT team would typically manage software update processes. If you don't have an IT department, consider hiring an IT consultant to help maintain your network's security.
You can also handle some software updates on your own, Hochman said.
"If you have Windows, type Windows Update in the search bar," he explained. "Look for the magnifying glass next to the Windows icon in the bottom left corner of your screen. Make sure to set it for automatic updates so the system will just update itself. Then keep an eye on it to make sure these updates are happening."
If you use Apple products, Apple's support site explains how to update macOS and iOS.
4. Cybersecurity awareness training
Humans are prone to mistakes because, after all, we're only human. Cybercriminals use social engineering to prey on our imperfections.
"Social engineering is a discipline in social science that refers to efforts to influence particular attitudes and social behaviors on a large scale, whether by governments, media, or private groups, to produce desired characteristics in a target population," said Richard Moore, CEO and founder of CyberSix, a cybersecurity company. "Social engineers use the scientific method to analyze and understand social systems so they can design the appropriate methods to achieve the desired results in human subjects."
In the context of cyberattacks, social engineering often involves phishing emails and text messages which appear to be from a person or business you know and trust.
Training your employees to identify these phishing emails and to pause before clicking suspicious links or opening attachments creates a human firewall that serves as one of your organization's most vital lines of cybersecurity defense. Training reduces how often someone clicks; it doesn't eliminate it, so it has to sit alongside MFA, patching, and endpoint protection rather than replace them.
Your IT team can serve as a training resource for employees. You should also consider a third-party training service, of which there are plenty on the market. We've negotiated a deal with KnowBe4, a trusted cybersecurity training firm, to provide exclusive discounts for HAI Group members for a limited time only. We also offer eight free cybersecurity training courses through our HAI Group Online Training platform for managers and employees.
5. Endpoint detection and response (EDR)
EDR is akin to the next generation of antivirus technology. These systems are designed to continuously monitor your organization's computers and electronic devices (commonly referred to as endpoints) to detect and respond to the latest cyber threats.
EDR systems collect technical data from endpoints and transmit it back to a server or vendor to search for suspicious patterns and threats, according to the Center for Internet Security (CIS).
If a threat is detected, the EDR system can block it and generate an alert. EDR systems still incorporate traditional antivirus functionality, CIS notes, but they take security a step further and are also designed to simplify security management by consolidating several common functions into a single platform. An alert only helps if someone acts on it, so an organization without its own security staff should pair EDR with a managed detection and response service that watches the console around the clock.
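To show what "searching endpoint data for suspicious patterns" looks like, here is an added example (not code from the original article, from CIS, or from any EDR vendor) of two detection rules run over a small stream of endpoint telemetry, followed by a simple response decision. The events, host names, process IDs, and paths are all constructed for the example. Rule 1 looks for commands that delete Volume Shadow Copies, a step ransomware commonly takes so Windows' built-in restore points can't be used; rule 2 flags one process writing many files with a ransomware-style extension in a short window. When two different rules fire on the same host within two minutes, the host is marked for network isolation, which is the kind of automatic response a real EDR product performs.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch
    host: str
    pid: int
    image: str     # path of the process that generated the event
    kind: str      # "process" (detail = command line) or "file" (detail = path written)
    detail: str


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    pid: int
    ts: int
    evidence: str


# Rule 1: commands that destroy shadow copies or the backup catalog (a pre-encryption step).
SHADOW_COPY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Rule 2: a single process writing many files with a ransomware-style extension in a short window.
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".enc")
MASS_WRITE_THRESHOLD = 20
MASS_WRITE_WINDOW_S = 30

# Constructed sample telemetry (not real data). On ws-12 a macro-enabled invoice launches a payload
# from the user's Temp folder, which deletes shadow copies and then renames documents to .locked.
# On ws-07 a user legitimately zips a handful of files; it must not trigger anything.
SAMPLE_EVENTS = [
    Event(1000, "ws-12", 4310, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "process", "WINWORD.EXE /n invoice.docm"),
    Event(1003, "ws-12", 4877, r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "process", "upd.exe"),
    Event(1004, "ws-12", 4902, r"C:\Windows\System32\vssadmin.exe", "process", "vssadmin.exe delete shadows /all /quiet"),
] + [
    Event(1005 + i, "ws-12", 4877, r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "file",
          rf"C:\Users\jdoe\Documents\tenant-file-{i:02d}.docx.locked")
    for i in range(25)
] + [
    Event(1100 + 60 * i, "ws-07", 6120, r"C:\Program Files\7-Zip\7z.exe", "file",
          rf"C:\Users\asmith\Documents\archive-{i}.zip")
    for i in range(5)
]


def detect(events):
    """Run both rules over the stream in time order and return the alerts they raise."""
    alerts = []
    recent = defaultdict(deque)   # (host, pid) -> timestamps of recent suspicious writes
    already_flagged = set()       # (host, pid) pairs that rule 2 has alerted on once
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "process":
            if any(p.search(e.detail) for p in SHADOW_COPY_TAMPER):
                alerts.append(Alert("shadow_copy_tamper", e.host, e.pid, e.ts, e.detail))
        elif e.kind == "file" and e.detail.lower().endswith(RANSOM_EXTENSIONS):
            key = (e.host, e.pid)
            window = recent[key]
            window.append(e.ts)
            while window and e.ts - window[0] > MASS_WRITE_WINDOW_S:
                window.popleft()   # drop writes older than the sliding window
            if len(window) >= MASS_WRITE_THRESHOLD and key not in already_flagged:
                already_flagged.add(key)
                alerts.append(Alert("mass_encrypt_write", e.host, e.pid, e.ts,
                                    f"{len(window)} ransom-extension writes in {MASS_WRITE_WINDOW_S}s; last: {e.detail}"))
    return alerts


def hosts_to_isolate(alerts, correlation_window_s=120):
    """Response step: isolate a host when two different rules fire on it within the window."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    isolate = set()
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a.ts)
        for i, first in enumerate(hits):
            for later in hits[i + 1:]:
                if later.ts - first.ts <= correlation_window_s and later.rule != first.rule:
                    isolate.add(host)
    return isolate


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] host={a.host} pid={a.pid} t={a.ts} {a.evidence}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The thresholds and extension list are deliberately simple; a production EDR uses hundreds of such rules plus behavioral models, and tunes the write threshold so that backup agents and file-sync clients, which also touch many files quickly, don't page the on-call analyst every night.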
Next steps for securing cyber insurance coverage
If this all seems overwhelming, we understand. But make no mistake, cybersecurity should be a priority for your organization, and the security measures outlined in this article can help your organization find a cyber insurance policy that offers the protection you need.
| Security measure | Carrier stance |
| Multi-factor authentication | Always required |
| Secure backups | Often required |
| Regular software updates (patching) | Often required |
| Cybersecurity awareness training | Highly recommended |
| Endpoint detection and response | |
Luckily, there's cybersecurity help available, and it comes at no cost to public housing organizations. The Multi-State Information Sharing & Analysis Center (MS-ISAC)–operated by the Center for Internet Security and recommended by the U.S. Department of Homeland Security—provides various free cybersecurity services to U.S. state, local, tribal, and territorial government entities, including public housing organizations.
HAI Group no longer offers a master cyber liability policy to its members and doesn't sell cyber insurance directly. Still, a member of our Account Services team can assist you in finding a standalone policy.
Fear said that if you're an HAI Group policyholder interested in a cyber insurance policy, set up a call with your HAI Group account executive and include your organization's executive director and IT team member in the meeting. Your HAI Group account executive can talk through the application process and coverage scenarios and answer any questions you might have.
"We offer a single cyber insurance application that we can send to multiple cyber carrier partners on your behalf," Fear said. "As long as you have multi-factor authentication in place or are working on it, you're eligible to apply for coverage."
Includes copyrighted material from a company under the HAI Group family, with its permission. This post is for informational purposes only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.