The staff at Denver Housing Authority (DHA) weren't blind to the possibility of a cyberattack.
In fact, staff had taken steps in 2021 to address the organization's cybersecurity vulnerabilities, said Jim DiPaolo, DHA's deputy CFO. But in September 2021, disaster struck—DHA was completely locked out of the files and systems it relies on due to a ransomware attack.
"We had a fairly good business continuity plan," DiPaolo said during a June 2022 interview with HAI Group. "We were backing up our systems, and felt that we had a fairly strong [cybersecurity] program that wasn't going to be open to this type of threat."
DiPaolo (pictured below), with over 41 years of experience in the housing industry and three decades overseeing risk management, has first-hand experience with just about every public housing risk you can imagine. But he said cyberattacks—often relegated to 'it can't happen to us' status amongst public housing leaders—are "probably the leading threat to housing organizations in terms of a threat an organization can control."
"While you can't control the weather, with cybersecurity, you can be proactive and limit that liability," DiPaolo said.
Nearly half of all U.S. businesses have suffered a cyberattack in the last year, according to the 2022 Hiscox Cyber Readiness Report. Attacks are also becoming more costly. In 2021, the median cost of a cyberattack was $10K, the report notes. In 2022, the median cost jumped to $18K.
While larger companies are investing more in cybersecurity, smaller companies aren't because they don't perceive themselves as worthwhile targets. But in reality, they are—cybercriminals are actually more likely to attack smaller, easier targets.
If cyberattacks are already on your radar, the following true story serves to validate your concerns and provide real-life lessons on how to respond to a breach.
If you're a cynic and think your organization isn't a target and that cybersecurity isn't worth the investment, we hope this story helps change your mind and motivates you to take, at a minimum, the most basic actions to prevent an unauthorized system breach.
'They just couldn't get in'
DHA employees were enjoying their Labor Day weekend in early September 2021, unaware that a cybercriminal was busy looking for ways to access the organization's system.
Federal authorities say cybercriminals are more active during holidays and weekends when offices are closed. In fact, just days before the successful breach of DHA, the FBI issued a warning about the potential for "increasingly impactful attacks against U.S. entities on or around holiday weekends."
"In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time," the warning stated.
DiPaolo said the actual penetration of DHA's system occurred on Saturday evening.
"We didn't know about it until mid-morning [Sunday] when some staff tried to get into the system to work,'" he said. "They just couldn't get in."
The entire system was down. A digital ransom left behind for DHA's IT staff demanded a ransom payment of a Bitcoin (worth about $46K at the time) in return for the key that would unlock the system. The note said if the organization tried to work around the lock-out, its data would be destroyed or leaked, DiPaolo said.
DHA staff could continue doing physical maintenance work but were locked out of administrative tasks such as cutting checks, verifying income, and updating the system. While business continuity was a concern, DiPaolo said, the prospect of a data leak was the biggest threat.
"While you can't control the weather, with cybersecurity, you can be proactive and limit that liability."
Colorado law requires that entities experiencing a data breach provide detailed notification to any affected state residents.
"That right there was our biggest concern when we got locked out," DiPaolo said. "Did they get into our sensitive, confidential personal data , and if so, will that become a big issue?"
Luckily, an analysis found that wasn't the case.
"We were fortunate that the threat actors...didn't get into the systems that had secured personal data," he said. "If that had occurred, we'd still probably be working on this issue."
'Take it or leave it'
DHA's system was down for five days when leadership felt there was no choice but to pay the ransom.
The FBI advises against paying ransom to cybercriminals, but DHA was in a predicament. A cybersecurity best practice is to have a system backup in place. That way, in case of a ransomware attack, a business can just switch to the backup system and continue as usual.
DHA had a backup system, DiPaolo said, but the password file that included the backup system's credentials was on a server that IT staff were locked out of, preventing them from booting up the backup system.
"It's difficult to go and say pay ransom; it just doesn't feel right to reward bad actors," DiPaolo said. "But if we didn't pay the ransom, we'd have been down for months."
After considering the cost of purchasing a new server, replacement system, and data backups, the organization felt it was better to pay the ransom, he added. The organization attempted to negotiate a lower ransom payment.
"They came back with $40K, take it or leave it, and so we took it," he said. "We thought that was fairly inexpensive compared to what they could have asked for."
After DHA received the key to unlocking their system, a cyber forensics team hired by the organization swept the system to ensure there weren't any lingering issues. DHA had ongoing calls with the forensics team for months after the cyberattack "to make sure everything was clean," DiPaolo said.
'They found a hole'
How was DHA exploited? At the time of the breach, the organization was implementing a new email system in stages. The old and new email systems ran simultaneously as part of the transition.
"That's where the threat actors were able to find an area to penetrate," DiPaolo said. "They found a hole because we were running both email systems."
"It's difficult to go and say pay ransom, it just doesn't feel right to reward bad actors. But if we didn't pay the ransom, we'd have been down for months."
At the time, DHA didn't have multi-factor authentication (MFA) set up for email users. MFA, commonly referred to as two-factor authentication, enhances online security by supplementing the typical username/password required by most login procedures with additional credentials that only the user can access.
DiPaolo said implementing MFA should be a priority for public housing organizations.
"Don't wait; you need to start getting more active with MFA immediately," he added.
'Uptick in awareness'
After the cyberattack, DHA took several steps to improve cybersecurity in the short- and long-term. The organization's new email system was fully implemented, with a full suite of security measures that scans incoming emails for viruses before they reach employees' inboxes.
"More messages are showing up in the junk folder instead of the main inbox," DiPaolo said. "Generally, if it's in junk or spam folder, you want to be more cautious about opening it. Even if you know the person, it's important to say, 'this doesn't look right,' and IT will double-check the email and let you know if it's OK to open it or not."
"Employees are questioning things. They're learning about not clicking on attachments or links that might otherwise spread viruses."
Remote employees must log into a virtual private network (VPN), establishing a protected network connection. Before the cyberattack, this wasn't a requirement.
"We've put things in place to protect access to data," DiPaolo said.
Employee training since the cyberattack has also increased awareness around social engineering schemes used by cybercriminals, such as phishing.
"Employees are questioning things," DiPaolo said. "They're learning about not clicking on attachments or links that might otherwise spread viruses. There is an uptick in awareness of that aspect, the phishing schemes that go on."
Since the cyberattack, DHA hired an additional IT employee to keep computers updated. Regular system updates can reduce the risk of a successful cyberattack. DHA also added an IT employee dedicated to cybersecurity.
"In terms of IT, part of what's critical is making sure software updates are pushed through on all machines," DiPaolo said. "We have a staff of around 350, and previously, we only had one IT support person addressing [computer updates], but now we have two people."
'We probably would have been floundering'
In total, DHA accrued around $240K in incident response expenses, DiPaolo said, but since the organization had a cyber insurance policy, it was only responsible for a $10K deductible.
Still, the organization amassed additional costs related to shoring up security to help prevent future breaches. Aside from salaries and benefits for two new IT employees, DHA invested between $25K-$30K in software to help detect and prevent cyberattacks.
"That's an annual cost," he said of the software.
DiPaolo said if DHA didn't have a cyber insurance policy in place at the time of the attack, "we would have been floundering" trying to determine how to respond. Aside from covering losses from the breach, the policy quickly connected DHA with a cyber forensics firm to help investigate the extent of the breach.
DHA didn't have a standalone cyber insurance policy with HAI Group. Instead, Angel Fear, a regional manager with HAI Group's Account Services department, worked on DHA's behalf to find a policy with a carrier specializing in cyber insurance.
Every HAI Group account executive is a licensed agent that can go out to a robust network of partners to place coverages that aren't written internally.
"Because we had the [cyber insurance] policy and support in HAI [Group], it really helped in getting us to respond quicker than we normally would have," DiPaolo said.
'A stepped up process'
Once an organization experiences a cyberattack, it's typically more difficult to renew its cyber insurance policy or find replacement coverage. That was the case for DHA, DiPaolo said.
"There was a lot of help from HAI Group to get a coverage that actually replaced the previous cyber policy and included ransomware coverage."
"It was a really stepped up process," he said of the renewal process with the organization's cyber insurance carrier. "They wanted to know what we've done since the incident to prevent [a cyberattack] from happening again and validation of the steps we have we taken to do that."
The renewal led to DHA's premium rate increase by about 60 percent and the exclusion of ransomware coverage, meaning if another ransomware incident occurred, DHA would pay out of pocket.
"It's still coverage that we needed, so we went in and renewed," DiPaolo said.
Due to coverage concerns, Fear worked with DiPaolo and DHA to find a replacement cyber insurance policy.
"Part of that process was verifying with prospective insurance carriers that our security systems are stronger, and therefore, we're worth the risk," DiPaolo said. "But even then, the premium was still up there."
DiPaolo noted that Fear, working as DHA's agent, helped make the case to carriers that the organization was less of a risk compared to before the cyberattack.
"There was a lot of help from HAI Group to get a coverage that actually replaced the previous cyber policy and included ransomware coverage," he said.
Lessons learned
If DHA—a large housing organization with a cyber insurance policy and some cybersecurity protections in place—was held hostage by a cybercriminal, smaller organizations with fewer resources are certainly at risk. DiPaolo shared lessons from the September 2021 cyberattack that housing organizations of any size should consider.
"More and more, small businesses and small [housing] authorities are going to become the targets [of cyberattacks], because generally, that's where there's a lot more vulnerability," he said.
1. Buy cyber insurance
While cyber insurance can be expensive, DiPaolo said housing organizations need to "find a way to get it."
As noted earlier, cyber insurance can help dampen the blow of a cyberattack by covering expenses related to the incident. Every policy is different, but many carriers also offer penetration testing, crisis management, and cyber forensics services as part of their coverage.
2. Store password files in a secure, offline location
DiPaolo said if DHA hadn't had its password file stored on the same system locked out by a cybercriminal, "we wouldn't have had to pay the ransom,"
"We would have been able to get into our backup system, use the backup tape, and gone forward, so it was a good lesson learned," he said.
3. Proactively partner with a cyber forensics firm
DHA was connected with a cyber forensics firm through its cyber insurance carrier immediately after the cyberattack was discovered. While the effort was quick, getting a contract in place with the firm still took time, which is of the essence after a cyberattack. Having a firm on retainer allows the investigation and remediation to begin earlier.
"Get some of that work done ahead of time and have a contract already negotiated that's just on contingency, so if something were to happen, you can bring [the cyber forensics firm] in immediately without losing time while you're trying to get a contract in place," DiPaolo said.
He also suggested that housing organizations find a firm to proactively review their system and identify potential vulnerabilities.
3. Beef up internal IT operations or partner with an IT consultant
Smaller housing organizations tend to have shorthanded IT teams or don't have an IT department. DiPaolo suggested working with an IT consulting firm "that can serve in the role as an IT employee, and maybe provide some efficiencies for your organization."
It's not always easy to recruit an IT employee with the skills required for the job.
"For some smaller agencies, it might be better to contract IT services out to a third party," DiPaolo said.
'The threat actors are ever-evolving'
While DiPaolo can't say with confidence that DHA will never experience a cyberattack again, the organization has made investments to help prevent a future breach.
Unfortunately, it's often not until after a cyberattack that a business invests in cybersecurity measures, notes the Hiscox Cyber Readiness Report cited earlier.
Over 5,000 professionals were surveyed as part of the report, and the results showed that only 36 percent of non-victims consider cybersecurity a high-risk issue.
"The threat actors are ever-evolving and getting more clever, and it's an ongoing thing," DiPaolo said. We've done a lot of things to help strengthen [cybersecurity], but I can't say it will never happen again."
Ready to start your journey to becoming a more cyber-resilient housing organization? Contact a member of our Account Services team to explore cyber insurance options or set up a custom cyber assessment.
Interested in learning more about cybersecurity? Visit our Cybersecurity Center to access free cyber tools, training, and educational resources designed for housing organizations.
Includes copyrighted material from a company under the HAI Group family, with its permission. this post is for informational purposed only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.