Cyber Security and Community Associations

By: April Ahrendsen is a Vice President with CIT, a division of First Citizens Bank

Are community associations at risk of a cyber-attack? The short answer is yes, but let me list out all the main reasons why:
 

• Community associations typically have a large amount of operating and reserve funds
• Community associations are overseen by people that are usually not cyber security experts
• Community associations keep lots of sensitive data on computer software programs

 
Those reasons are enough of a motive for a criminal to target a community association for a cyber-attack. If a 21-year-old was able to use an unprotected router to hack one of the largest wireless carriers in the United States, then it is clearly possible for a community association to get hacked as well. The criminal who stole data on 50 million wireless customers said, “their security is awful.” Many of us may have likely had our personal information compromised through cyber-attacks and data breaches, but what would that look like for a community association? Imagine staff computers not working because they have been hacked. Bookkeepers who cannot log into online banking because their passwords have already been changed. Wire transfers showing HOA reserve funds that have already left the bank. Homeowner names, addresses, and bank account numbers all for sale on the dark web. I want to intentionally paint a scary picture because a cyber-attack is a scary situation, and if it can happen to one community association then it can happen to a lot more. It is nearly impossible to be 100% bullet proof from a cyber-attack, but my goal is to make you a smaller target through these strategies.

Emails: The most common method of a cyber-attack is through email so be very cautious of opening any emails, attachments, and links from someone you do not know.
They can take over your email, intercept emails, and write requests on your behalf. If you have signed forms and emailed them, they now have your signature. The same can happen to your board members and business partners. Anything to do with money is worth a phone call. Do not call the number on email call a known number.
 
Spam filter: Work with your IT professional to setup a spam filter to potentially catch emails that may contain a virus or malware.
 
Personal use: Limit the personal use being done on company computers because those computers contain sensitive data and need to be kept secure.
 
Social media: Be cautious of the information you share on social media because viruses can easily be downloaded through social media platforms.
 
Passwords: Incorporate a mix of capital letters, lowercase letters, numbers, and symbols when creating a password. Change passwords regularly and don’t use the same password for every login.
 
Wi-Fi access: Limit who has the Wi-Fi password to the office or clubhouse. If the community offers public Wi-Fi, make sure visitors are connected to a separate network.
 
Website data: Be aware of what type of information, such as reserve dollar amounts, that is listed on your website that could lead to a cyber-attack.
 
Records: Do not hold onto records longer than required and consider transferring that data to a different offsite server to minimize what could be potentially compromised.
 
Server: Work with your IT professional to regularly perform server backups. If you are considering a cloud solution, be sure to ask the provider about cloud security.
 
Updates: Regularly update your computer operating system and accounting software as they are released and consider upgrading to a stronger antivirus software.
 
Online banking: Decide which individuals need online banking access to HOA bank accounts and ask the bank if they provide another layer of security beyond the username and password.
 
Wire transfer: Find out if the bank requires a phone call verification before any wire transfer request is sent out. Anytime your asked to send a wire call the requester via a known number not the number on email. Do not let an urgent request deter you from making the call.
 
Stay vigilant: Remember that a bank will never ask for sensitive data such as a bank account number or a social security number through email.
 
Training: Annual education for board members and management company employees on the importance of cyber security is crucial, especially when personnel turnover happens.
 
Insurance: Work with your insurance professional to better understand cyber liability insurance and what is, and what is not covered after a cyber-attack.
 
Culture: Promote an office environment that emphasizes the importance of cyber security. If an employee senses something is wrong, they need to feel comfortable enough to speak up.
 
Procedures: Have a clear policy or plan in the event of a cyber-attack and how to immediately communicate with all employees, IT professionals, and the bank.
 
We must all be aware that there are criminals always looking for new ways to hack into our computers to access our data. If one computer is compromised, then it is possible that every computer on that same network is compromised too. Remember that there is no way of being completely safe from a cyber-attack because of all the technology and devices we use, so we must continually stay proactive at making ourselves and our community associations a smaller target
 
For any matters concerning your specific needs and objectives, you should seek the professional advice of your own independent legal counsel, insurance advisors or other consultants. The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of CIT, a division of First Citizens Bank.