
Uncover Your Property Management Cybersecurity Threats

In today's episode, we’re joined by Amir Tarighat, founder and CEO of Agency, to uncover the hidden cybersecurity threats encountered by multifamily property management companies. You’ll gain insights into proactive cybersecurity measures, the importance of customer education, and the necessity of personal security awareness. Discover the significance of strong passwords, multifactor authentication, and regular device updates, along with valuable resources like the “Have I Been Pwned?” website for checking personal information breaches. Join us to take immediate steps towards enhancing your cybersecurity and ensure you, your employees, and your residents are safe.

Listen to the episode below and subscribe to The Resident Experience Podcast for more episodes.

Strengthening Your Digital Cybersecurity in Property Management

Introduction & Multifamily Cybersecurity Basics (0:00 - 05:14)
Introduction to the fundamental concepts of cybersecurity within the property management domain.

Proactive Measures and Response to Cyber Threats (05:15 - 08:22)
A proactive cybersecurity approach involves not only preventative measures but also plans for incident response, clear responsibilities, and regular system checks.

Addressing the Top Threat: Email-Based Phishing (08:23 - 13:13)
Ensuring personal security is a shared responsibility; awareness training and tools like multifactor authentication in personal and professional contexts are essential. 

Practical Ways to Enhance Cybersecurity Resilience (13:14 - 15:10)
Utilizing cyber insurance and maintaining updated security protocols can mitigate damage from cyberattacks and assist with legal compliance. 

Strengthening Cybersecurity: Focus on Personal Devices and Practices (15:11 - 23:06)
Technology advancements like AI deepfakes represent emerging threats, underlining the importance of preparing for future cybersecurity challenges by enforcing basic security practices.


Amir Tarighat

Amir Tarighat is the cofounder and CEO of Agency cybersecurity. He's a software engineer and security expert who's helped hundreds of high-growth startups and large enterprises secure their applications, IT, and employee-targeted risks. He's also the author of the InfoSec Board Brief newsletter.

Send a Show Shoutout

Share with us your good news and we’ll highlight it on the next show. Good news can be anything - a successful initiative, a fantastic resident review, or even a shout out to a work colleague or friend. Heck, go ahead and promote yourself. Maybe you just earned your CPM or CAAM. Whatever it is, we’d love to hear it. There’s enough stress and anxiety in multifamily, so help us shine a brighter light on what’s going right.

Episode Transcript

Yolanda Muchnik:
Today we’re chatting about the hidden cybersecurity threats you face with Amir Tarighat, founder and CEO of Agency. Agency provides enterprise level cybersecurity for individuals and growing companies. While this isn’t a topic we hear much about in day-to-day multifamily news, it’s a critical safety linchpin for you, the communities you manage and your company overall. I’m excited to have you on. Amir, welcome to the show.

Amir Tarighat:
Thanks so much for having me. It’s great to be here.

Yolanda Muchnik:
So I’m excited to go deep into this topic, but before we do, I think it might be helpful to level set a little bit for our listeners. Just make sure we’re all on the same page. So, briefly, how do you define cybersecurity? And what does it mean on a broader level for any business?

Amir Tarighat:
Yeah, so cybersecurity for me generally breaks down into two kinds of parts. The first is the security part of it, which is about protecting the systems, data, technology within an organization. And then the other side of it is the compliance side, which is about meeting regulatory requirements in case there’s data breaches, or what information of your customers or partners and vendors that you have to actually protect and how you have to do that.

Yolanda Muchnik:
Got it. And of course, your company works in many different industries, but for multifamily and property management companies, can you explain why it’s particularly crucial? What unique challenges do property management professionals face in this area versus other industries like healthcare technology, for instance?

Amir Tarighat:
Absolutely. Property management and real estate related companies are particularly at risk for cyber attacks for a couple of reasons. The first is that the data that they hold is actually very valuable. So there’s information about residents, there’s personally identifiable information like addresses, phone numbers, email addresses, dates of birth, Social Security numbers, there’s financial information.

And there is actually a really good opportunity for criminals to leverage that information through very unsophisticated means to steal money from either the company or the individuals that that company does business with. And most importantly, unlike some companies in other fields, like healthcare or financial technology, real estate companies and property management companies in particular don’t have the same internal resources for technology that these other organizations do.

Like healthcare has been dealing with regulated compliance with HIPAA for a long time. So that makes criminals target them more often than other organizations.

Yolanda Muchnik:
Wow, you just opened my eyes a lot. Well, is there a particular cybersecurity issue or area that you think is often overlooked but particularly critical to address when it comes to multifamily?

Amir Tarighat:
I think it really depends on the organization, because multifamily companies and property management companies are so different. They operate in different ways. Some of them use company owned traditional workstations. A lot of them run off of personally owned smartphones and computers. And so the kind of threat surface is really different for each one of them. But it’s really the basics that most aren’t doing is the truth.

Yolanda Muchnik:
Yeah, I’m just thinking about sometimes in marketing we communicate with some of our customers and prospects and stuff. I noticed they often use shared email addresses as well.

Amir Tarighat:
That’s absolutely very frowned upon. And in fact, in most of the regulated frameworks, like SOC 2, ISO 27001, you’re actually not allowed to use those types of email addresses for anything, anywhere in the organization. And that’s for something called repudiation. Like, if somebody does something with that email address, you can’t actually zero in and say like, oh, Amir was the one that logged in here at that time and did something.

And so there’s no record when something really bad happens as how much damage was there. What was the information that was stolen? When you’re using shared inbox, that’s a very easy one to kind of implement immediately. Don’t do that anymore.

Yolanda Muchnik:
Absolutely. So you’ve discussed in interviews and articles the importance of taking a proactive approach to cybersecurity. So what does being proactive ultimately entail for you? And can you share an example where a proactive measure mitigated a cyber threat in a multifamily setting? Maybe it’s a story of a multifamily company being hit with a cyberattack that could have been mitigated with a proactive measure.

Something to that effect.

Amir Tarighat:
Yeah. So what I mean by being proactive, when people think about like, hey, let’s do cybersecurity, the thing that usually comes to mind is like buying software or stuff like that, or changing passwords, and those things are important and you have to do them. But when you think about what is the cybersecurity in a large company, it’s not just the preventative stuff, it’s not the stuff you do so you don’t get attacked.

It’s actually mostly how you deal with things as they happen. What’s the plan to stop the damage if this happens? Do we have an insurance policy? Who’s the person we call? Who’s the person that’s going to be the person that’s going to fix this or notify customers, any of that stuff? So what I think about being proactive, it’s really about like somebody in the organization needs to be responsible. First off, pick somebody.

I will take responsibility for this. I will make the plan once a month or once every few months. I’m going to actually look and make sure, hey, we bought this software. Is it actually installed on all of these computers? Is it still running? That sort of thing, and making that part of the routine. Because that’s the security. It’s not the buying antivirus and forgetting about it. I have lots of examples of instances that that happens where that comes into play, and it’s pretty much whenever there’s an issue. I mean, the top threat to property management companies is generally email based phishing or what’s called business email compromise.

That’s where really unsophisticated criminals take personal information off of the dark web or from data breaches that have happened. So, like, let’s say I downloaded some app five years ago, and that company got breached, and then all my data is on the Internet. We get notifications for this every day. They take that information and they assemble it with, like, oh, they know who my spouse’s name is or my kid’s name or what my parents address is. And they use that to message people in the organization, like coworkers, like, hey, I’m at this place right now, or can you send this to that? And they use that information to actually gain credentials and steal data or steal money or trick you into wiring money.

What happens is that when there’s somebody that’s responsible for this within the organization, there’s somebody to go to. Hopefully, software stops that. Hopefully, like removing your information from the dark web makes that happen less frequently. But if you have someone to go to, you’re preventing that attack, which people, unfortunately, across every industry are falling for every single day. We deal with it every day here.

Yolanda Muchnik:
So you just talked about the importance of having some protocols, having a designated person to go to. So maybe the answer to this question is simply go to the designated person. But I’m curious, what are some immediate steps a property should take upon realizing they’re the victim of a cyberattack if and when it happens?

Amir Tarighat:
Yeah. So one of the things that I’m a big advocate of is buying cyber insurance. So, cyber insurance is a separate insurance policy, just like you’d buy general liability or any other business insurance. It covers the types of costs, both first party and third party, like what you’d have to pay to your residents if you got a data breach, but also the cost you would incur in fixing your systems. And that’s something I recommend all companies have. If you buy a cyber insurance policy, they generally want to put some basic requirements on security for your organization. Like they’ll tell you you have to have multifactor authentication, you have to have antivirus and some basic stuff.

And so that’s really good just to have. But then once something happens, you can go to the insurance company and they generally will have somebody to help you immediately remediate those things or deal with disclosures, because that stuff is not something that an average person could do. There are legal requirements around disclosure. There are legal requirements about, and you might be fined beyond the lawsuits that you have from the individual’s data that you’ve caused to be breached, but the government might fine you.

That’s typically what happens to healthcare companies because of HIPAA, but it really depends on the size of your organization. If you’re a 20 plus employee company, you probably need to hire at least some, and you may already have one, like an IT company that’s managing your Internet, managing your other services to actually provide some security for you. And usually those kinds of organizations will have kind of be the point of contact if something happens.

Yolanda Muchnik:
Very helpful advice. Thanks for that. One aspect you’ve mentioned in the past is the importance of customer education. In this case would be resident education. What methods have you seen employed in other industries, like healthcare, for instance, as you just mentioned, that might be adapted in multifamily to improve cybersecurity awareness amongst residents without causing unnecessary concern?

Amir Tarighat:
Yeah, that’s a great question. I think the industry to learn from is banking and finance. And the reason is that if you think about fraud charges on your credit cards and stuff like that, the reason that the bank does all the things that it does to make sure you’re safe when you log in and all that stuff is because if there’s fraud, it’s actually the bank’s fault. Like by law, they’re the ones that are eating that cost. So they’re incentivized to make sure you’re safe when you log in or how you use your credit card online and all that stuff.

So some of the things that they do is they include disclosures in their emails that are just there in the footer. Like, don’t send us your, please don’t send us your Social Security number or your payment information via email or an attachment or something. And that’s like constantly there. Or they’ll say things like, we’ll never ask you to send us this information via email or over the phone. Things like that will go a long way.

The other thing is that if you’re using any services, you want to make sure that whatever standards you have that the services that you’re using also have some sort of at least similar security standards.

Yolanda Muchnik:
Got it. Yeah, I’ve definitely every text message I get from my bank, we will never call you and ask. I see that. I didn’t realize that that was to protect themselves as well. So you’ve also mentioned publicly the importance of not over relying on SOC 2 certifications and startups. So for multifamily property professionals, what are some practical ways that they can heed your advice here? Really quickly for our listeners, SOC 2 is a cybersecurity compliance framework that has a purpose of ensuring third party service providers store and process client data securely.

So, going back to my question, any thoughts there?

Amir Tarighat:
Yeah, absolutely. So the reason that companies get frameworks like SOC 2 is generally because the companies they do business with require them to have some kind of third party audited security. What a lot of companies do as a first step, or maybe they don’t need a full audited framework like SOC 2, is that they prepare a page on their website or a policy that lists out all the things they’re doing internally.

And it’s a great marketing tool. Like if you’re doing business with serious people and serious companies, that’s something they would want to know. And pretty much every company now does that. But you don’t need to wait for an audited framework or spend a lot of money doing that to put together a web page to list out all the things you’re doing. And all the things you could be doing are buying business grade security tools and using password managers and using VPNs and, you know, all sorts of security policies within your company and just sharing that and publicly kind of attesting that you’re doing this.

Yolanda Muchnik:
Got it. A few weeks ago, I read a story out of Singapore where an employee in accounting had a Zoom call with a CFO and ended up transferring some funds. I don’t know if you’ve seen this, and it turned out that the Zoom call was actually with an AI deepfake of their CFO and that the money was actually transferred to scammers. I’m sure you’ve heard other stories like this too. I bet. Considering the rapid pace of technological advancements in this area, what are some current or potentially emerging cybersecurity threats that multifamily properties should be aware of?

Amir Tarighat:
Yeah, that’s a really interesting story. I hadn’t heard that one, but I’ve heard many others. I’ve heard some with like voice phone calls where they mimic people that you’ve known voice and stuff like that. The biggest threat by far in all of cybersecurity for the last couple of years is that people are being targeted in their personal lives, trying to get information about their company. So if we think about how businesses are run today versus like 20 years ago, you don’t have a local server in your office.

Everything is SaaS, everything is Gmail. So they’re handling the security, those third parties are handling the security for your infrastructure. So where attackers focus is the weakest point, which is, you know, Amir’s personal phone, not his work computer, not his work email. So you’ll get text messages that are seemingly just like spam and phishing or to my email or to any sort of personal thing. But in reality, that’s somebody sitting there looking at like, oh, here’s the 20 people that work at this company.

Let me attack all of them on their personal phones. Let me email them. They’re not just emailing me because I’m an individual, they’re actually trying to get at the company. So what that means for organizations is that you have to talk to your employees about personal security. It is equally your responsibility to tell them, like, hey, if you get phishing emails on your phone, don’t click those buttons, don’t give out information, because it’s not just going to come on the work email. That’s the biggest threat. So it’s awareness training is the only way to do that unless you’re going to provide security for employees in their personal lives.

Yolanda Muchnik:
Right. And I guess to add to that, what tools or best practices do you think might be critical for the multifamily sector in the next five years? How should or can property professionals prepare for these kinds of threats and challenges now?

Amir Tarighat:
I think the advice or what has to be done is kind of the same for everybody. It’s nothing magical or secret. It’s really the basics and enforcing them and making sure that they happen all the time. It’s requiring strong passwords for all the services that you use, making sure that multifactor authentication is being used on every. Requiring it in your email, requiring it in all the tools you use, making sure that the devices that are company owned and people are doing work on are continuously updated.

The last thing you want is somebody hasn’t upgraded to the new OS for three months. That’s where malware comes into play. And so there’s no magic bullet. It’s work. Like, somebody in the organization has to take responsibility for: I’m going to make sure this is always happening. So those are kind of like the things that actually matter.

Yolanda Muchnik:
Okay, and last question for our listeners here. Following up on what you just said, I’m curious, what are the first, say, three steps our listeners should take after listening to our discussion to enhance their cybersecurity situation? And to go along with these steps, can you recommend any resources that our listeners can tap into and explore after this episode airs?

Amir Tarighat:
Yeah, absolutely. So the one thing that I think would be interesting to listeners is there’s a website called Have I Been Pwned? And that website is a repository for personal information that’s been breached on the dark web. So you can go there, you can type in your email address, you can put your work email, you can put your personal email. It’s free. And it will show you everything that’s on the dark web that’s related to that email address.

And it really shocks people the first time they put it in, they’ll see like, oh, there’s 18 different separate breaches that my information is out there on. And it’ll show you down to the information type, like date of birth is here, Social Security number is here. So if you’re waiting for a reason to start caring about this, visit that website and check your personal information.

Yolanda Muchnik:
You’re getting to it. Okay, go for it.

Amir Tarighat:
Unfortunately, once it’s on the dark web, you can’t remove it that’s there. And so this is why changing passwords or strong passwords are important. Because let’s say I used a password on some stupid website ten years ago and that website got breached. That password is now associated with me everywhere. So what do hackers. This is how people’s social media accounts get stolen. They find that password and they try it on everything.

They try every email address associated with Amir and that password and they see if they can log in. So once you see that, start using strong passwords. Turn on multifactor authentication in your personal life, everywhere you can. So all your social media accounts, your bank account, your personal email, make sure you’re updating your devices so they’re always on the latest operating system. Really important.

And then another thing to consider if you think you’re like high profile for these sort of attacks is there are services that will remove your information from data brokers. So this isn’t the dark web. This is like companies that actually resell personal information. There’s like 200 of them. But you can pay people a couple of have you removed, and that’s where they get the rest of the information that attackers use.

From a business perspective, it’s really about enforcing passwords. So the difference between consumer kind of password managers and the ones you’d use in a business are that as an administrator who’s responsible for security, I can make sure that all 20 of my employees are using the password manager. All 20 of my employees have the antivirus installed on their devices. So that’s what I would start with. If you don’t have that sort of stuff in the company.

Yolanda Muchnik:
Awesome. Well, Amir, I think this is the perfect place to end this, although I have about 25 other questions I could ask you after that website comment. Thank you so much for taking the time to chat with us about cybersecurity today. And I’m very excited for our listeners to hear this episode.

Amir Tarighat:
Absolutely. It was my pleasure.