The Other Reality of Remote Work

Cybersecurity_data_Copyright_Titima_Ongkantong_lead — Copyright: Titima Ongkantong

In the wake of COVID-19, apartment firms have transitioned quickly to having work-from-home workforces. However, wide scale remote work underscores the critical need for good cybersecurity policies and practices. Here are four areas where apartment firms should be keeping a close watch.

By Julianne Goodfellow and Daria Dudzinski

Julianne Goodfellow is the senior director of government affairs for the National Multifamily Housing Council (NMHC) in Washington, D.C. She can be reached at jgoodfellow@nmhc.org.

The COVID-19 pandemic has forced apartment firms to change the way they operate at headquarters, regional offices and in apartment communities. While some roles have proved adaptable to remote work, others have required more creative and innovative solutions.

For workers who have abruptly shifted to remote work, this transition has been made possible thanks to both business continuity planning and new technology, especially cloud-based software applications. However, this transition to a remote workforce is opening up new challenges and cyber vulnerabilities for apartment firms.

But some employees may be unfamiliar with these different technologies, and, of course, all employees are vulnerable to existing and new cyberthreats while missing on-site information security support. As apartment firms continue to navigate the effect of COVID-19 on their residents and employees, it is crucial to follow cybersecurity protocols and best practices for managing new network vulnerabilities. Here are a just a few areas to which apartment firms should be paying attention.

No. 1 Video Conferencing

As firms adjust to the new paradigm, their teams have rapidly adopted video conferencing as a means of communication and collaboration. However, recent reports show that some of the available software services may have gaps in security and privacy. For example, following complaints of video-conference hijacking, often referred to as “Zoom-bombing,” many video conferencing software providers are working to address consumer concerns with additional security measures. Additionally, news reports indicate that nefarious actors have obtained credentials for more than 500,000 Zoom accounts in recent days, so Zoom passwords now need to be changed.

Apartment firms can up their security and privacy by controlling access to meetings through simple measures like not sharing meeting links on public channels, using privacy settings including passwords and requiring registration and waiting rooms so that hosts can vet potential participants. When selecting vendors, apartment firms should ensure that they are using strong security in clouding end-to-end encryption. In addition, they need to be sure that all videoconference attendees use updated versions of remote meeting applications.

No. 2 COVID-19 Phishing

As apartment firms put COVID-19 precautions in place and transition to full-time teleworking status, malicious actors are capitalizing on these turbulent and emotional times. While implementing and maintaining business continuity plans, companies need to educate employees about the influx of COVID-19-related phishing schemes.

Bad actors are tapping into the fear surrounding the novel coronavirus to dupe victims into clicking on links and attachments that will lead them to bogus protection products, fake alerts about cases in the community, inaccurate prevention tips and illegitimate fundraisers for victims. These scams are often made to look like they come from credible sources including the World Health Organization or the Centers for Disease Control and Protection (CDC)—and even having logos or email addresses that mirror those organizations. Firms should remind their employees that phishing emails can be very sophisticated and that these organizations (along with other leading health organizations) do not require log ins for access to their information, provide grants or award prizes.

No. 3 Remote Security and Access

There are a variety of enterprise technology solutions to connect employees to the firm’s information technology network. Critical lines of defense when accessing these connections include utilizing an enterprise virtual private network (VPN) and requiring multi-factor authentication.

The U.S. Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recommends that IT staff should be “… prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery … these tasks should be documented in the configuration management policy.”

With these recommendations in mind, experts recommend training and communicating with remote staff to ensure that they are using strong passwords on their home wireless networks, changing the default password on modems/routers, as well as accessing the latest security configurations and patch updates. These recommendations should be a part of good cyber-hygiene practices, but this new environment necessitates a reminder. NMHC provides member resources on cybersecurity best practices at nmhc.org/data-privacy.

No. 4 Personal Devices

In this environment, many employees may have to rely on personal devices including tablets, cell phones and home computers while working remotely. However, if these personal devices are connected to an organization’s internal network, they can pose elevated risk because they are not typically secured at the same level as enterprise-provided devices.

For this reason, we recommend that firms develop Bring Your Own Device (BYOD) policies for personal devices that address security measures, information access and functional capabilities and communicate this with employees. The U.S. National Institute of Standard and Technology recently released a helpful Guide to Enterprise Telework, Remote Access and Bring your Own Device Security to help in any firm’s efforts. If your organization already has these measures in place, now is a great time to remind your employees of how your BYOD policy translates during this prolonged teleworking period. At a minimum, set up a separate and external wireless network strictly for BYOD device that is consistently monitored.

Another option to mitigate BYOD risk is to establish a system of tiered remote access managed by the information security team. In this system, company-owned devices may have access to the full suite of company resources, files and software. BYOD personal computers would then have limitations on that access. And finally, BYOD devices including smartphones or tablets would have limited access to the lowest risk resources such as an email account. Organizations should also consider access to collected data and sensitive personally information when creating and enforcing their tiered access system.

In addition, as work and personal lives blend, employees may use their business devices for personal work. We recommend reminding employees about existing business device use policies and communicating best practices.

Cybersecurity Best Practices Work

For many apartment firms today, remote work technology allows them to continue to provide safe and secure apartment homes for 40 million Americans. That’s why protecting cyber infrastructure needs to be at the top of mind at all levels of your enterprise. Fortunately, adhering to a long-standing cybersecurity best practices can make this time a little more navigable. These next few weeks will certainly show us just how much of our workload can be done remotely, how fast we can adjust to new technology and protocol, and what our true teleworking capabilities are.

NMHC offers a host of resources for apartment firms on COVID-19 and cybersecurity. Please visit our website at nmhc.org/COVID19 and nmhc.org/data-privacy.

Julianne Goodfellow jgoodfellow@rettc.org