This WA article is about risks to the strata industry from system hacks.
One of the most important tasks we are asked to perform in the strata management industry is to look after the books and records of our owners, and the business details of our suppliers and contractors. This includes names, addresses, phone numbers, email addresses, bank account details, ABNs, licences, insurance certificates and then there are all the documents that relate to the buildings and schemes themselves.
For most progressive management businesses, document storage is now 99% digital, thus, our document management and IT systems need to be robust and our clients want to be reassured their data is safe and ultimately, stored in a vault that cannot be corrupted or hacked.
Recently, I tendered the IT Support, Cyber Security and Telecommunications Services for my businesses (B Strata & B Complex) and feel we were in a good space, but it is certainly getting scary out there and it is very complicated.
After interviewing three companies who each did a high-level analysis of our IT services and security protocols, the reports came back that we have adopted ‘good’ security measures.
We have two factor authentication, up-to-date anti-virus software, spam filtering, DarkWeb monitoring, phishing awareness training and monthly health checks, along with a couple of other security and password platforms to enhance the data protection for our clients, but there is still more that we can do; Really!?
Following the attack on Ukraine, there is a heightened cyber threat environment globally, and the risk of cyber-attacks on Australian networks, either directly or inadvertently has increased.
On 23rd February 2022, the Australian Cyber Security Centre (ACSC) raised the alert status to ‘High” and encouraged Australian organisations to urgently adopt an enhanced cyber security posture.
The additional protections that were missing from my businesses, included WhiteListing and a more enhanced Privileged Access Management (PAM) system.
Is it just a salesman’s pitch, or do did we actually need to implement these added systems? So, I did my research.
A report released by IBM identified that as businesses incorporate cloud-based platforms to help simplify IT infrastructure and management that enables remote access from effectively anywhere in the world, we are making our businesses more exposed to cyber-attacks. This migration to the cloud has been fast-tracked due to Covid.
Data breaches are almost always the result of compromised end users (staff) and privileged credentials i.e. staff’s permission settings. That’s why monitoring and protection of account settings has become crucial. Implementing least-privilege security for staff is critical, given local administrator rights are prime targets for cybercriminals.
This is where PAM can assist, but only if you know exactly who your administration team are, who is accessing your data and more importantly, that your staff understand the importance of keeping their usernames and passwords confidential.
WhiteListing is a list of things allowed when everything else is denied by default. It is the opposite of a blacklist which is a list of things denied when everything else is allowed. Implementing WhiteListing is a great security measure used against two different kinds of security threats:
- the most obvious is malware: malicious software payloads like keyloggers or ransomware won’t be able to execute if they’re not on the WhiteList.
- but that’s not the only benefit, it can also be used as a tool to fight ‘shadow IT’. End users or external departments may try to install programs on their computers that are insecure or aren’t properly licensed. If those apps aren’t Whitelisted, the rogue departments are stopped in their tracks, and management will be informed about the attempt.
The problem is that WhiteListing can be implemented at different levels and can be quite inconvenient and frustrating for staff. This is because they can only use their computer for business approved software and it requires careful implementation, with proper ongoing administration.
The benefit we have are that we were a small family business, with clearly defined business practices, we know exactly which programs we are operating, we engage an IT support company, and we do not use offshore processing.
Given we have confidence in the management of our systems and our practices, we have also opted to subscribe to the Privacy Act 1988 which provides our clients the reassurance that if we have a breach, we will advise our clients accordingly.
When undertaking your due diligence, this should be the first question you ask your strata manager – What systems have you adopted to ensure the safety of our information?
Scott Bellerby B Strata E: scott.bellerby@bstratawa.com.au P: 08 9382 7700
This post appears in Strata News #578.
Have a question or something to add to the article? Leave a comment below.
EmbedRead next:
- WA: Strata Industry at Risk – Workplace Safety
- WA: Rising popularity of strata ‘leading to demand for more managers, staff’
This article is not intended to be personal advice and you should not rely on it as a substitute for any form of advice.
Visit Strata Managers OR Strata Information WA.
Looking for strata information concerning your state? For state-specific strata information, take a look here.
After a free PDF of this article? Log into your existing LookUpStrata Account to download the printable file. Not a member? Simple – join for free on our Registration page.