In an age where technology interfaces with many business operations, attention to potential cybersecurity threats is becoming a paramount concern.

Community associations are not immune to these risks and are recognizing how technological breaches can rob them of vital intangible assets and affect their security.

According to Kevin Davis, president of Kevin Davis Insurance Services, an Amwins Company, cyberthreats and security breaches continue to make headlines week after week. While attacks on well-known businesses are widely recognized and acknowledged, the risks to community associations tends to be overlooked.

Community associations are vulnerable to cyberattacks because of the personal data stored in their databases, including member names and addresses, social security numbers, bank accounts and credit card numbers. This sensitive and confidential information is what hackers search for when committing cybertheft.

“These groups are prime targets for cybercriminals due to their low-tech systems housing sensitive information,” Davis said.

Specifically, cybercriminals want to gain access to the association’s network so they can steal funds, like the assessments, the reserve account or vendor payments, or personal information about association members.

Also, community association managers are usually not proficient in IT security protocols, and often they don’t have a “go-to” person qualified to handle cybersecurity issues.

“Many do not have a risk assessment plan to identify system vulnerabilities, nor do they have a documented security-incident response plan,” Davis said.

“Once criminals get inside the community association system, they have easy access to social security numbers, banking information, email addresses, client information, anything that will create serious problems for the association.”

Historically, community association boards have operated as if they were running a business, including tasks like annual budgeting, community rule enforcement and property maintenance. Now, they must also care for the health, safety and welfare of the community members.

“This increase in responsibility has made cyber concerns front and center, making community associations an easy target for cybercriminals,” Davis says.

Top 5 Cyber Risk Trends Threatening Community Associations

Because community associations are often ill-prepared to protect themselves from cyberattacks, they are particularly vulnerable to the top issues threatening cybersecurity today. Davis said these include:

Kevin Davis, president, Kevin Davis Insurance Services, an Amwins Company

1) Social Engineering Threats

Social engineering uses phone calls and emails to trick people into handing over an organization’s sensitive information. As Davis explained, social engineers tend to use phishing attacks to gain information. They do this by masquerading as someone in authority who requests the information, and many feel obligated to release the information.

“One of the most common types of social engineering scams in recent years is when fraudsters impersonate the U.S. Social Security Administration (SSA),” Davis said.

Real-world example: A board member received an email from someone impersonating the association’s insurance agent who requested a wire payment for the renewal premiums. The board member wired $75,000 to the account of the impersonator.

2) Ransomware

Ransomware is a form of malware that encrypts a victim’s files. Many hackers send fraudulent emails and when the link is clicked, the malware is downloaded onto the victim’s computer.

According to Davis, once the computer is frozen, the hacker demands a ransom be paid to “free” the files.

Real-world example: A board member’s computer files were seized after the member clicked on a phony email attachment. The entire system shut down to the point where key fobs to enter the building were locked, preventing homeowners who lived there from accessing their property. Ultimately, the association paid the ransom, and the owners were able to get back into their homes.

“One interesting aspect to this specific incident is the association did have a cyber policy but failed to purchase the appropriate ransomware coverage,” Davis said.

3) Lost or Stolen Laptop

Laptops used for community association work tend to have little or no security protocols.

Real-world example: A property manager’s laptop was stolen after he left it in his car. Because the passcode was weak and easily duplicated, the homeowners’ protected personal information (PPI) was put at risk, and the incident resulted in a data breach lawsuit.

4) Email Hacking

Email hacking is a form of social engineering where the hacker gains access to a board member’s email account and sends emails posing as the board member.

Real-world example: A board member’s email was hacked, and the hacker sent an email asking the board treasurer to cut a check for $10,000 to buy a painting for the lobby of the condo association.

5) Remote Working

With so many employees working remotely during the pandemic, cybercriminals are taking advantage of less-secure home networks and a general lack of oversight.

“Employee mistakes are common, and a simple mistake by an employee, volunteer or management company can create a major problem for the association,” Davis said.

For example, by selecting ‘reply all’ on an email or just sending information incorrectly to the wrong individuals, these potentially create major problems for the association as a whole.  It can be as simple as the monthly board packets being sent to everyone in the complex and not just the key association board members.

“Accidentally downloading a virus, which is then sent to an employee’s contact list is another common problem,” Davis said. “When working from home, friends, family other employees or volunteers sometimes have unsupervised access to an association employee’s work computer, which may cause serious issues.”

Real-world example: A community association treasurer’s home computer was compromised by a malware program. The invasive software allowed the hacker to access and capture homeowners’ PPI – the very definition of a data breach.

Protective Measures

As pointed out, many community associations simply aren’t set up to handle cybersecurity breaches, so what can these associations do to protect themselves?

Create and implement security protocols. “Board members need to implement security procedures consistently and develop cybersecurity training and written guidelines for all board members,” Davis said. Require all new and current board members go through cybersecurity training each year.

Implement password security. As noted, password theft is big business for cybercriminals. Secure passwords are imperative for data safety.

“It is a good idea for community associations to incorporate longer passwords (8 to 12 characters) and make them complex with a combination of details including uppercase and lowercase letters, numbers and special characters,” Davis said.

Use multi-factor authentication. Verifying identity is essential to protect community association data. Multi-factor authentication steps prevent access by outside entities into operating systems.

“Many businesses use a two-factor process that requires two pieces of information to confirm identity before entering a system,” Davis said. “This process repeats at every sign-in. Community associations can choose if they want additional factors to prove identity.”

Develop data-access policies. Data policies are effective in managing the retrieval of data. Community association leaders must know who is accessing their systems.

Written policies set forth guidelines for system use and security. However, Davis pointed out that data-access rules are only effective when understood by employees and enforced by the association.

“Training individuals and updating policies must occur consistently, especially as new cyberthreats arise,” Davis said.

Host to a cloud server. A cloud server may provide community associations with the best data security option. Encryption of data on in-house servers can be expensive and complicated.

“Cloud hosting has advanced security measures that are continually updated,” Davis said. “There is also the advantage of having a backup if files are accidentally deleted.”

Evaluate insurance policy coverage options on a regular basis. It is good to review community association insurance coverage options with incoming and outgoing association management teams.

“With cyberattacks on the rise, insurance coverage should include data breaches and cybertheft,” Davis said. “The best defense against cybercrimes is a comprehensive approach to security.” &