Cybersecurity for HOAs 101: What Your Association Needs to Know - Part 2

| 8 min. read

In part one of this post, Cybersecurity For HOAs 101: What Your Association Needs To Know - Part 1, we examined the top HOA cybersecurity risks, including from common misconceptions that hurt associations' security, to the biggest threats that demand our attention. In this post, we lay out a step-by-step HOA cybersecurity plan for each component of your association. Have a notebook and pen handy—you'll want to take notes.

How to Protect Your HOA from Security Breaches

#1: Formalize Your Cybersecurity Policies & Emergency Plans

As you read through the following sections, each of which delves into bolstering your HOA cybersecurity in a specific area, keep the following questions in mind:

  • How will your HOA cybersecurity policies be enforced, and by who?
  • How will potential security breaches be dealt with?
  • Who should employees and board members contact with questions and concerns?
  • How will current and future employees and board members be trained?

#2: Improve Your Password Practices

Step 1: Create Stronger Passwords

You may have heard the term "passphrase." This is a lengthy password that may consist of a short, memorable sentence (including spaces) instead of a single word. An example would be "i love chocolate cake."

You should also incorporate as many letters, numbers, and symbols as each site or app allows. This way, "i love chocolate cake" becomes "1 l0v3 ch0c0l@73 c4k3!" Don't use any dictionary words or names unless they're part of a lengthy passphrase. Use a mix of capital and lowercase letters, "1 L0v3 Ch0c0l@73 C4k3!"

Be sure that you're not using one of these common passwords. Check out the article, How I'd Hack Your Weak Passwords for tips on common or predictable passwords to avoid. Keep in mind that hackers are using password cracking software to run through thousands of possible passwords each second.

Step 2: Don't Reuse Passwords

This is a step that everyone knows, but few people heed. We know it's tedious, but it's also the single most important step you can take in protecting your data. As we discussed above, when hackers gain access to one of your passwords, they have software that allows them to test it across all of your accounts, potentially enabling them to gain access to all of your information in one fell swoop.

Step 3: Use Password Management Software

This is the key to using different passwords across all sites and apps. A good password manager (our security expert recommends 1Password) will help you to create incredibly secure passwords and store them for use across all of your accounts, along with usernames, account numbers, and other pertinent information.

Step 4: Create & Enforce a Password Policy

Train all employees and board members on how to create strong passwords. Make it perfectly clear that your HOA cybersecurity (and, consequently, its financial standing and reputation) could be compromised by one person's negligence. Passwords are the first line of defense when it comes to HOA cybersecurity, so be sure that your employees and board members understand that your security is in their hands. Here's a sample password protection policy from SANS Institute you may adapt.

#3: Bolster Your Software Security

Step 1: Perform Software Updates ASAP

Update your software regularly across all devices that you, your employees, and your board members own. It can be tempting to put off updates when you're busy, but keep in mind that new software versions often patch holes in their security. By saying "remind me later," you're choosing to continue using a weaker version, creating vulnerabilities in your HOA cybersecurity. This applies across your laptop, phone, tablet, and even your router.

Step 2: Invest in an Anti-Virus Solution

There are free antivirus solutions like AVAST and AVG for home use, but our security expert recommends investing in a full security suite for data breach prevention within your business. Recommendations include TrendMicro, BitDefender, Sophos, Symantec, and McAfee.

#4: Lock Down Your Data

Step 1:

Decide who gets access to sensitive data, and who should be given administrative privileges. Our security expert's advice is to grant access to as few people as possible, and to have a plan in place to remove those privileges the moment someone leaves their job or the board.

Step 2: Guard Sensitive Data

Restrict access to sensitive data (such as lease agreements, rental applications, and tax records) to as few people as possible.

Step 3: Don't Hold on to Records

Don't hold on to records any longer than you're legally required to. This significantly minimizes what could be stolen in the event of a breach.

Step 4: Encrypt Digital Data

Encrypt all digital data, and never share files containing personally identifiable information via unencrypted email.

Step 5: Store Your Data Off-Site

Back up your data to an offsite location or in the cloud in case your network is compromised. Keep in mind that if you back it up to the cloud, you need to take cloud security into consideration, utilizing the suggestions for vendor contracts that we include toward the end of this post.

#5: Secure Your Networks

93% of the time, attackers take just minutes (or less) to compromise a system, and intruders are in your network for an average of 200 days before they're noticed. This makes it critically important to follow these steps as part of your data breach prevention strategy:

Step 1: Restrict Wireless Network Access

Limit the number of people who know your office's Wi-Fi password. Visitors should be restricted to a separate guest network.

Step 2: Decide Which Sites Employees can Access

This restricts their ability to visit risky or inappropriate sites while on the network or work-issued devices.

Step 3: Change the Default Password on Your Router

Change the default password on your router. This is a surprisingly common oversight, but it's incredibly dangerous. You're essentially letting anyone access your network who bothers to test it.

Step 4: Have an Emergency Plan

In the event of a breach, be prepared to shut down your networks immediately to keep an intrusion from spreading.

#6: Manage Mobile Devices

Will you allow employees and board members to use their personal smartphones, tablets, and laptops for association business? Should they acquire a second set of devices strictly for business use? Here are the considerations:

Pros of Bring Your Own Device (BYOD)

On one hand, using personal devices can increase productivity by allowing employees and board members to bring work and communication tools with them everywhere they go. In addition, it saves you the expense of buying a second set of devices.

Cons of BYOD

On the other hand, allowing sensitive data to live alongside personal files and apps is a significant risk. Employees and board members will have to use their devices in a certain way, such as always using a six-digit passcode to unlock their phones.

#7: Defend Your Email

Don't get caught up in the common misconception that your inbox doesn't contain anything sensitive. As we discussed in Cybersecurity For HOAs 101: What Your Association Needs To Know - Part 1, personally identifiable information (PII) like email addresses, full names, and billing addresses are extremely attractive to hackers. Here are the steps that you need to take to protect your messages from cybercriminals:

Step 1: Require Extra-Strong Passwords Among Employees & Board Members

According to our security expert, your email tends to be the center of all of your accounts. If it's breached, the rest of your accounts are at risk. Use the password tips that we recommended in the previous section to the max.

Step 2: Recognize Phishing Scams

Learn how to recognize and avoid phishing scams:

  • Never click on a link or open a file in an unsolicited email from an unknown sender.
  • Be suspicious of emails that end in a foreign extension (e.g. "") rather than .com or .gov.
  • Don't open files that end in .exe, .bat, or .pif unless you're expecting the file from someone that you know. Keep in mind that even files from people that you know could be viruses if their device has been compromised, so always check with them before opening unexpected files.
  • Hover over any links before clicking on them to see where they will actually direct you.
  • Be skeptical of links that don't begin with "https." Sites that start "https" signify that the site has been authenticated and is encrypted to protect your data. If it begins with just "http," it is not as secure.
  • Be suspicious of odd grammatical mistakes, poor graphic quality, or offers that seem too good to be true.
  • Don't trust emails that say, "Your account will be suspended unless you log in now." Don't click on that link or enter any account information. Go directly to the company's website instead.
  • If you do open a suspicious link by accident, shut down the device immediately.

Step 3: Educate Your Employees & Board Members

A number of companies (including Duo and Proofpoint Security Awareness Training) now enable you to send simulated phishing emails to groups of employees to see how they respond, then train them accordingly. It's particularly critical to train anyone involved in your finances: They'll be the most common targets of these attacks, as cybercriminals aim to hijack your financial information and gain access to your funds.

#8: Bring in Experts

Hire IT & security staff, whether full-time or as contractors. They'll review any existing HOA cybersecurity measures that you have in place, make recommendations for how to improve your standing, and make any necessary upgrades that you can't take care of yourself. It's important to admit where your expertise may fall short when it comes to HOA cybersecurity. Investing in cybersecurity efforts costs far less in the long-term than crossing your fingers and hoping for the best.

Our security expert recommends forming a co-op with other associations or small businesses and jointly hiring a staff of experts to attend to your issues. In addition, your association manager can likely make helpful recommendations and referrals.

#9: Iron Out Your Vendor Service Level Agreements (SLAs)

What happens if a vendor that you work with has a security breach and your association's data is involved?

As a vital part of your HOA cybersecurity efforts, you should update all of your third party contracts to specify who's responsible for protecting your association's data. Just because a supplier is directly handling or storing your data does not mean that you're off the hook in the event of a breach. You're the one who chose to place your owners' and employees' data in their hands, so they'll go straight to you with their complaints.

Have these tough conversations about HOA cybersecurity before you sign on the dotted line. Have a lawyer review all contracts—those that you've already signed, as well as those that you're considering. Have each supplier's security practices audited to make sure that they're actually following the protocol that your contract lays out. You're not being nosy or accusatory—you're protecting your association. If they don't have strict cybersecurity measures in place, you should absolutely reconsider your relationship with them. After all, even if you're not held liable for a data breach on their end, it's your association whose name will be dragged through the mud.

Multifamily Executive advises:

"Contractual provisions that detail how your suppliers protect sensitive information and address data breaches should be strongly negotiated by both parties to ensure the agreements reflect the realities of today's challenging cyber landscape. [...] This can be achieved through a data security questionnaire or a formal [request for proposal] process that requires suppliers to provide specific information on these issues. Clients may also ask for any assessments the suppliers have conducted (and the results and mitigation plan) or certifications they may have. [...] Firms should establish an internal review process to ensure that adequate protections are included in all supplier contracts that have the potential to deal with sensitive information. [...] Your contract provisions should have explicit details on the following:

  • Data use approval and sharing obligations
  • Data security and privacy standards
  • Accountability and liability
  • Breach notification obligations and disclosures
  • Investigation cooperation expectations
  • Indemnification
  • Compliance audits
  • Cyber insurance requirements"

#10: Consider Cyber Liability Insurance

This is an area of insurance that is rapidly evolving to cover the risks of doing business in our hyper-connected world. Insurance companies can't adapt to changing technologies at the pace that they need to, but some coverage in this area is likely better than nothing. General liability insurance typically won't cover the impacts of a data breach on your association. The closest that standard policies come to covering these events is providing business interruption insurance, which still comes up short.

HOA cybersecurity is a topic worth discussing with your insurance provider. Experts advise that if the subject has never come up, it's safe to say that you're not covered for anything.

#11: Fight Data Breach Fatigue

We've all been inundated with headlines about cyberattacks in recent years, and it's simultaneously made us paranoid and complacent about our own security. There's a phenomenon known as "breach fatigue" that describes the way that our reactions to data breaches shift over time, gradually devolving from outright panic to apathy. We all have to consciously fight this instinct, because, as Consumer Affairs reminds us:

"Such an attitude only benefits the hackers. It's one thing to deal with breach fatigue by deciding 'To heck with these hackable credit cards, I'll just use cash,' but another matter entirely to deal with it by deciding 'I'll continue using credit cards, but I can't be bothered to check whether they've been breached or not.' Various forms of 'can't be bothered' fatigue is exactly what certain types of scammers count on to make their dishonest profits. [...] Yes, you're tired of all those reminders to inspect your credit card statements and look for fraudulent charges and change your account numbers and passwords every time a hacker might've seen the old ones. But hackers and scammers want you to feel this way. Their intention is to spy on or steal from you, and if you give in to breach fatigue, you'll only make it easier for them to succeed."

Landlord or Property Manager?

Landlords and property managers, there's a version of this post for you: Cybersecurity 101: What Landlords Need To Know - Part 2 as well as Cybersecurity 101: What Landlords Need To Know - Part 1.

Robin Young
Robin Young is the Senior Content Writer and Managing Editor for the All Property Management Blog and Buildium Blog. She cut her teeth as a marketing copywriter at Wayfair and TechTarget, and she spends her free time perfecting her lifestyle blog, Feather & Flint. She holds degrees in psychology, sociology, and songwriting.
Get your property managed today
Tell us what you're looking for and we'll connect you with our network of property managers in minutes.