To The Point, A Council of Large Public Housing Authorities Podcast

How to Protect Your Housing Authority from Cyberattacks

Jeffery K. Patterson Season 2 Episode 1

Public housing authorities face the same cybersecurity threast as any large organization. H.A.I. Group CEO and cybersecurity expert Ed Malaspina joins host Jeffery K. Patterson to discuss what public housing authorities can do to protect themselves from the very real threat of cyberattacks.

Thanks for listening to To The Point, a podcast of the Council of Large Public Housing Authorities.

Jeffery K. Patterson: Welcome, welcome and welcome. My name is Jeffrey K. Patterson, and I am the chief executive officer of the Cuyahoga Metropolitan Housing Authority in Cleveland, Ohio. And I am pleased to be the president of the Council of Large Public Housing Authorities. Clappa and ladies and gentlemen, it is time for us to get to the point. Today, our guest is going to be Ed Malispina. He is the President and chief executive officer of the Hai Group and his role as CEO and president Ed is responsible for overseeing the organization's strategy. He's a 30 year affordable housing veteran and he's worked hard to be able to provide a variety of initiatives that involve security, insurance, accreditation and financial products. Ed, welcome to our show today.

Speaker Ed Malaspina: Thanks for having me.

Jeffery K. Patterson: Appreciate it. You have so much experience in so many different areas, but the one that we're going to talk to you a little bit about today is the area of cybersecurity. Being the expert that you are, just tell us how big is the cybersecurity threat in our country today?

Speaker Ed Malaspina: Well, thanks for the kind words. Cybersecurity expert is probably a term that doesn't fit me, and I really don't believe there are truly any experts when it comes to cybersecurity. It's such a dynamic field that seems to be when you find a solution, someone else found a way to get around it. So is it big? Yes, it's very big. Since COVID we've seen cyberattacks increase as much as 600%, and the vast majority, 92% of these attacks, are malicious software delivered by email. It cost businesses when they're affected by cybersecurity in excess of $100,000 to get through the incident.

Jeffery K. Patterson: Wow. That is something else. So tell me, what is at stake if housing authorities or other organizations don't prioritize cybersecurity?

Speaker Ed Malaspina: So, big and small housing authorities alike are affected on a regular basis, so don't think that you can't be a victim. You have to take it seriously. All of us have become increasingly more dependent on computer systems and data sets, and housing authorities are really no different. Think about it. You track and have and store personal tenant information. You have to do rent collections. You have your day to day operations. So the loss of this ability can be paralyzing to the housing authority and can be able to carry out their regular duties to serve their residents. Housing authorities do have limited budgets and their ability to pay these ransoms should something go wrong is very limited. The impact can be significant on their operations.

Jeffery K. Patterson: I introduced you earlier as an expert in cybersecurity and I completely understand how you explain that that's not truly the case, especially with the number of incidents and things that are out there today in this rapidly changing environment. But was it that drew you to making sure that you went on kind of an educational campaign to let people know what's going on and what they need to do to protect themselves against these types of threats.

Speaker Ed Malaspina: It's the typical news story where you see a reporter in the field interview someone that says, I never thought it can happen here. I never thought I'd ever see this. Well, the truth is it can and will be likely to happen to you, and it can happen in a number of ways. So often we think of this as a business risk, but it can also affect you personally. So don't forget you've got activities that you do at a personal level, activities that you do at a professional level. The measures that I would suggest can help you in both ways. We're all vulnerable. Look, there are wide array of municipalities that we've seen affected, including schools and police departments and even housing authorities. So anyone can be targeted. I think the particular vulnerability for housing authorities is that they think that they won't be targeted. What the criminals do is they look at businesses that think that way and say, okay, because they don't think they'll be a victim. They probably don't invest a lot of time and effort into providing a strong infrastructure and cyber defenses. So with that, you create a vulnerable environment.

Jeffery K. Patterson: So now that I understand the need to prioritize cybersecurity, and now that I understand a little bit more about why I may be a little bit more vulnerable to those threats, what can housing authorities and other organizations do to improve their cybersecurity within their organizations?

Speaker Ed Malaspina: Okay, being in the housing business, we're very used to acronyms and letters. So here are a few letters for you to take down. MSIs. So that's Multistate Information Sharing and Analysis center. What is that? That's a government entity that provides free tools to help you identify potential gaps in your programs. That's where I would say you start. We have a link on our website in our cybersecurity Center@haigroup.com. If you go there, we have the resource page available to you for free that will include that link and other resources to use. But I look back.

Jeffery K. Patterson: Did you want to listen?

Speaker Ed Malaspina: Sure.

Jeffery K. Patterson: Could you repeat that link one more time for listeners?

Speaker Ed Malaspina: Okay. Haigroup.com and go to the Cybersecurity Center on that website. There are a number of resources there you can use to get you started that's free for everyone. We're going to start with the Msisac link that's available on that page. But there are a number of things that I would suggest you invest in. The first is training. And when it comes to training, I think the most vulnerable thing we all have is our employees. So how do you protect your infrastructure but maintain your employees? Well, you got to create a human firewall so that's critical. Training is the element of creating that human firewall. Your employees can sometimes be your weakest link and strengthen this element, and you should strengthen this element so that you protect your organization. So the people part of it is critical. The next is your endpoint detection. So sometimes organizations don't realize that they've been affected. So you need to continuously monitor, detect and analyze and respond to the malware and ransomware that may be affecting your systems because often you'll hear someone's been affected and they didn't realize it for a period of time. The more significant that period of time, the more likely they are to have been able to get into more of your systems. The next thing, and this is very simple, so enabling your multifactor authentication, and I hope everyone's heard of what that is, so that's a critical step. Relatively low cost to implement provides a huge bang for the buck when prioritizing your spending. That's basically saying there are two steps to getting into your systems. Next will be a regular cadence of patching and backups. So regularly update your software and systems. Make sure you're cutting edge on all your protective systems. And it's not just your OS level your operating system patching, but make sure you're patching applications like Chrome Suite, Office, Adobe Acrobat and all the others. The last thing I would say is your protection from other parties. So who else can help you out here? So that could be your insurance company. So seek cyber insurance if you can get it. It's a wonderful thing. The process can be challenging. The application is not usually very simple and that's because the insurer has to really get a good look at what they're insuring and what level of protection currently exists in your system. Oftentimes these applications will include things like tests in which they will actually try to get into your system as part of their application process. Now that's good and bad. So if you fail that front end test, you may be able to get from them some easy fixes or tips on how to improve your security. The flip side is if you do really well with that, you may be able to acquire insurance right then and there.

Jeffery K. Patterson: Wow, those are some very, I think, strong points and I really do appreciate you taking the time to be able to explain those things to us. Do you have any examples of housing authorities that are leading the industry of cybersecurity?

Speaker Ed Malaspina: So we have had to deal with housing authorities that have had experience in this area. And while I don't have a list of names for you, I can tell you those that I think are doing a great job are probably doing it because they've had to experience the other side of it, which is they've had to deal with being attacked and now they've built really strong systems. So I guess my example for the best ones are the ones that have followed the recommendations that we've previously discussed and I would kind of double back to our resource page, which is free@haigroup.com, and go to that cybersecurity center and use those resources to get yourself in a better position.

Jeffery K. Patterson: Well, Ed, I thank you for taking the time to speak with us today. It's always a good thing when you not only get good information verbally communicated to you through this type of process, but also when you get the opportunity to be directed to websites and other information that you could use. That is, I think, very important. So as we wrap up, is there anything, just in general, that you'd like to share with us about the Housing Authority insurance group?

Speaker Ed Malaspina: Yeah, I mean, we provide a number of resources of different types of insurance. We try to help you out, even if it's not something that we do in house. But I'd also like to share my experience. So here we do all of those recommendations that I provided in this presentation and more so, we require monthly training for every single person, including myself. I'm subject to the same risks as everyone else. I get my monthly training just like everyone else. It's important that you don't become complacent and think that you can pick off a fake email because they're so frequent now and they're so clever that it can get you. So I would say vigilant and stay focused on the fact that you could be vulnerable and continue with your training.

Jeffery K. Patterson: Words to live by. Again, I thank you for your time today and all the work that you're doing in the housing industry to make us all safe. So please take care and keep up the good work.

Speaker Ed Malaspina: Thanks for having me.

People on this episode