
From the Summer 2025 Issue
Phish, Vish, Smish: Protecting your Team from the Bait
Smart Condos
Property management companies are increasingly becoming prime targets for cybercrime, not because of the sensitive data they handle, but because their cyber defences are less sophisticated than those of larger organizations, making them easier to penetrate. Property management companies need to take proactive steps now to protect themselves, their team and their customers from becoming victims of cybercrime to minimize their risk exposure and protect themselves from the bait.
Case Study
What occurs following a ransomware attack? What should management companies do? What can management companies do to protect their team from taking the bait? The following case study, which is based on a real attack that occurred in 2019, answers these questions and raises some others.
The company at issue was a large personal services company with offices nationwide. One morning, an employee from the Toronto office flew to Montreal to meet with a potential client.
- Around noon, the employee's managing partner received "an urgent email from the employee who had forgotten their journal containing their VPN login credentials, thereby preventing them from logging in remotely." The managing partner forwarded the email to their assistant and instructed their assistant to retrieve the login credentials requested and respond to the email by providing the same. Business then continued as usual.
- Two months later, shortly after midnight, ransomware encrypted the company's servers, and the attackers demanded 150 Bitcoins as ransom. The company contacted its cyber insurance broker, and a call was held between the company, the insurer's selected data privacy lawyer and the insurer's selected digital forensics firm ("Forensics Team").
- Twenty-four hours after the attack, the Forensics Team successfully negotiated the ransom down to 80 Bitcoins and received confirmation from the perpetrators that the encrypted data could be decrypted. The Forensics Team also started securing the company's servers.
- Forty-eight hours after the attack, the Forensics Team facilitated the ransom payment and received the decryption key from the perpetrators. The Forensics Team immediately started the decryption process.
- Within two weeks of the attack, the Forensics Team successfully decrypted most of the data, and the company notified clients whose personal information was compromised. The company also offered these clients identity theft and credit monitoring services for two years thereafter.
In the case study discussed above, the ransom was paid, and most of the issues, aside from the business disruption and the harm to the company's reputation that the attack caused, were resolved. However, it is important to note that paying the ransom demanded does not always guarantee the restoration of encrypted data or compromised servers. In fact, in some cases, the attackers may compromise another server and demand additional ransom. Deciding whether to pay or not to pay the ransom demanded is a difficult business decision, which should only be made after consulting legal counsel and digital forensics experts.
Managing Risk Exposure
No single measure can prevent a ransomware attack. However, property management companies can significantly reduce their risk exposure by implementing and maintaining a robust cybersecurity program consisting of a combination of the following measures:
- Plan Ahead
- Backup & Recovery Plans: All property management companies should create and implement backup and recovery plans, which should be tested no less than once annually. In addition to backing up data, property management companies should ensure they are backing up essential infrastructure components such as proprietary applications and databases that would be difficult to replace.
- Dedicated Response Team and Framework: Taking proactive action to establish a response team and framework in advance is critical. An incident response plan ensures a structured approach to handling all types of cybersecurity events, details the immediate actions to be taken following an attack and can reduce the extent of the damage.
- Cybersecurity Awareness Training: Since ransomware is often delivered via phishing emails, it is important to educate all team members on identifying and reporting suspicious messages. Many cyber insurers provide their clients with complimentary cybersecurity training that can be accessed online.
- Software Updates: Property management companies must ensure that all operating systems, applications, and security tools are updated with the latest patches, as outdated software can be a common entry point for cybercriminals.
- Limited Access: Property management companies can improve security by enforcing stronger passwords, using separate administrator accounts, and ensuring that regular users do not have local admin rights.
- Third-Party Cybersecurity: When selecting a third-party IT provider, management companies should ensure that the chosen provider holds a recognized security certification, such as SOC 2 or ISO 27001, demonstrating that the provider has implemented strong cybersecurity practices and controls.
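The email in the case study shows the pattern that awareness training teaches staff to recognize: an urgent request, a request for login credentials, and a sender who appears to be a colleague but is writing from an outside address. The script below is an added illustration, not part of this article or any product, of how a mail gateway or help desk could score an inbound message on those same red flags so it is held for verification rather than acted on. The company domain, staff names and both sample messages are constructed for the example.

```python
"""Heuristic triage of an inbound email for the red flags in the case study.

Added example, not part of the article. It flags messages that press for
urgency, ask for login credentials, or come from a sender whose display name
matches a staff member while the real address (or Reply-To) is outside the
company's domain. Domain, staff list and sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-pm.ca"                # hypothetical company domain
STAFF_DIRECTORY = {"jordan lee", "priya nair"}   # constructed staff list (lower-case)

URGENCY = re.compile(r"\b(urgent|urgently|immediately|asap|right away|today)\b", re.I)
CREDENTIALS = re.compile(
    r"\b(password|passcode|login credentials?|vpn (login|credentials?)|2fa code|one[- ]time code)\b",
    re.I,
)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Collect the text/plain content of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Score one RFC 822 message; returns the flags raised and a verdict."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + body_text(msg)

    flags = []
    if domain_of(sender) != INTERNAL_DOMAIN:
        flags.append("external_sender")
    # A Reply-To on a different domain than From routes the reply somewhere else.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append("reply_to_mismatch")
    # Display name of a known colleague on an outside address: the case study's lure.
    if "external_sender" in flags and display_name.strip().lower() in STAFF_DIRECTORY:
        flags.append("display_name_spoof")
    if URGENCY.search(text):
        flags.append("urgency")
    if CREDENTIALS.search(text):
        flags.append("credential_request")

    # Any request to send credentials is held for out-of-band verification
    # (a phone call to a known number), as are messages with two or more flags.
    hold = "credential_request" in flags or len(flags) >= 2
    return {"flags": flags, "verdict": "hold for review" if hold else "deliver"}


# Constructed sample modelled on the case study's email (not the real message).
PHISH_SAMPLE = """From: "Jordan Lee" <jordan.lee@mail-example.net>
Reply-To: jlee.travel@example.org
To: partner@example-pm.ca
Subject: Urgent: VPN access

I flew to Montreal this morning and forgot the journal with my VPN login
credentials. Please send them to me right away so I can log in before the
client meeting.
"""

# Constructed benign message from the same colleague's real mailbox.
BENIGN_SAMPLE = """From: "Jordan Lee" <jordan.lee@example-pm.ca>
To: partner@example-pm.ca
Subject: Montreal meeting notes

Attached are the notes from this afternoon's meeting with the prospective client.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The verdict is deliberately conservative: a single flag such as an external sender is normal business mail, but a request to email credentials is never legitimate, so it is held on its own. Holding means routing the message to a person who verifies the request by a known phone number, which is the step the managing partner in the case study skipped.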
As illustrated in the case study, a single phishing email can trigger a cascade of costly consequences along with irreparable damage to a company's reputation. It is inexcusable for you to wait until a team member takes the bait. The time to act is now. You must invest in your team's cyber awareness and training, fortify your company's infrastructure, and ensure your company is prepared today, not just to respond but to prevent the bait from being taken in the first place.
Ashley Winberg is one of the leading condominium lawyers in Ontario and the Head of Corporate Practice at Pulver on Condos, which is a boutique condominium law firm that provides specialized legal services to condominium corporations and unit owners throughout Ontario. Ashley can be reached at ashley@pulveroncondos.com.