Security Matters
With such liability at stake, it is imperative that multifamily firms take reasonable measures to protect sensitive data. First, “set specific security policies and enforce them,” advises Delgado. Such guidelines should apply to individual properties as well as the corporate office. “A remote property has to play by our IT rules,” notes Post Properties’ Acker. The same goes for private apartment firms. At ERC Properties in Fort Smith, Ark., information systems coordinator Greg Hardt is putting considerable effort into drawing up policies and procedures that apply to individual properties as well as setting a corporate security policy.
On the must-do list is requiring passwords for all users, which is a common practice. But where companies grow lax is in keeping user information current, a huge issue for multifamily firms with their extraordinarily high on-site turnover rates. What works? Have users change their passwords every 30 days, advises Mike Feldman, president of Data-Rite Systems, a database and application development company in New York City.
Equally important is revoking the access rights of recently fired employees. Hardt maintains that management should notify IT of terminations earlier. “When someone is going to be terminated, we should know before the person is terminated,” he says.
There are a few technical best practices that firms also can adopt to better protect data. Authentication of users on the network, especially if more than one type of authentication is used, can provide added safeguards, as can data encryption and firewall use. “Almost all of our data is behind firewalls. We don’t run VPNs (virtual private networks), and our Web site is internal,” says Hardt, who also notes that “your security is only as good as your encryption or your darkest secret.”
Encrypting the most sensitive data, too, is key, although Hardt contends controlling the spread of information is equally important. “You don’t want any data going out to be too sensitive,” he explains.
ERC Properties is also curbing its wireless initiative in an attempt to secure its data, Hardt says. The company once encouraged wireless access points so that traveling executives could log in via a laptop at any property without co-opting a manager’s on-site computer, but it has backed away from that approach.
Since many multifamily firms deal with third parties that have access to a portion of their data, they also must ensure in their contracts that those firms abide by strict standards for handling data. Dan Haefner, CIO at Lane Co., explains that the company that handles some of the Atlanta multifamily firm’s applications and sensitive data has passed the proper certifications and is “contractually” bound to safeguard data. Lane also subjects the company to annual reviews to ensure that such standards are in place.
ERC Properties is trying to limit what Hardt sees as a “potential” data security threat when it turns a revamp of its Web site over to a third-party contractor. It is doing so by controlling the “data that will be going in and out” and contractually requiring the company to protect data and ensure its confidentiality, he says.
Finally, companies must take care in the way that they destroy sensitive data, which obviously doesn’t mean filing it in the circular cabinet. Shred it. Burn it. Wipe disks and servers clean. If you don’t feel up to the task, there are companies that will come and do it for you. Some quite literally drive up, load your documents onto a truck and, to minimize vulnerability, destroy your information before they even haul it away.
– Teri Robinson is a freelance writer in New York City.