Cybersecurity Playbook for Multifamily Housing IT Enterprises

Abacode Jeremy-Rasmussen headshot
By: Jeremy Rasmussen

The U.S. multifamily property management industry is a massive industry that encompasses 40 million multifamily units valued at $3 trillion. With the industry growing, there is a requirement for an additional 4 million units by 2030 to keep up with demand. The industry employs more than 800,000 people, with tech and service vendor companies employing hundreds of thousands more. (Source:

If you are one of those hundreds of thousands of people who have been given the reins of an I.T. infrastructure in multifamily housing property management and don’t know where to start from a cybersecurity perspective, don’t worry. In this article, we’ll take you through six easy steps to get started.

Step 1: Identify Critical Data

The first step is to identify critical data and determine where it is located. Critical data could be on-premises, in the cloud, with a software-as-a-service (SaaS) provider, or elsewhere. Data could be hosted with Microsoft Exchange Server, Microsoft 365 online, Google Workspace, or hosted with Dropbox, among other places. It’s crucial to have centralized I.T. visibility and control of all these places where the data is located.

Step 2: Identity and Access Management (IAM)

The second step is to lock down all critical financial data, personally identifiable information (PII), and intellectual property (IP) with a single sign-on (SSO) solution that includes multi-factor authentication (MFA) and automated provisioning/de-provisioning. This will simplify your Identity and Access Management (IAM) and give you a handle on it. Some options to consider include Okta, Duo, and Microsoft AD.

Step 3: Continuous Monitoring

The most important thing you can do for security is to implement a Security Information and Event Management (SIEM) and/or Detection/Response for Endpoints/Network/Cloud (XDR) solution with 24/7 eyes-on-glass monitoring and incident response. This will allow you to keep tabs on all traffic traversing corporate firewalls, as well as events from the network infrastructure, servers, endpoints, and cloud. Security Operations Center (SOC) analysts will monitor the SIEM/XDR, and initiate an incident response immediately when something anomalous is happening. Assume someone is already inside your enterprise and keep them from getting to anything critical via segmentation, IAM, and continuous monitoring.

Step 4: Vulnerability Management

Regular scanning for security vulnerabilities, researching emerging threats, downloading patches, regression testing, and deploying to all systems is critical to maintaining a compliant program. Vulnerability scanning identifies and forms an inventory of all systems connected to a network, including servers, endpoints, printers, switches, firewalls, containers, virtual machines, and remote access software. Scanning also helps keep track of operating systems, software versions, user accounts, and open ports.

Step 5: Governance, Risk, and Compliance (GRC)

To ensure everything you’re doing aligns with industry cybersecurity best practices, perform a gap analysis versus a framework, such as the CIS Controls Version 8NIST Cyber Security Framework for Critical Infrastructure Protection, or the ISO/IEC 27001 Information Security Management. Collect evidence from your deployment efforts to prove that you are compliant and maintain all of this with a compliance portal or reporting tool that will serve as your central repository for artifacts and will provide visual management and dashboarding of your progress.

Step 6: Ongoing Controls

Regular penetration testing from a qualified “red team” that provides probing externally, internally, and testing custom-developed web and mobile applications is necessary. Also, ensure that you have cybersecurity awareness training for all employees, including videos or interactive environments that provide tutorial information and simulated phishing campaigns to make users aware of the tactics of threat actors.

This is not a complete list, but it is a great starting place for cybersecurity practitioners in multifamily. Any program you implement should include an aspect of continuous improvement. After any security incident is encountered, perform a lessons-learned analysis to improve your posture for the future. Always evaluate and mature your program (people, processes, and tools) because threat actors are constantly improving their methods, and so must you.

Executive leadership may find it difficult to comprehend or fund a proper program of best practices. To justify a monthly Opex budget, show them that you are aligning with objective industry standards and consider outsourcing this work to experts who can help you with all aspects of governance, risk, and compliance (GRC), professional engineering services, and cybersecurity operations. Justifying a monthly Opex budget might be more palatable than trying to hire several full-time staff members, who are difficult to find and expensive. According to Computer Security Magazine, “83% of IT leaders are looking to outsource security to MSPs in 2023.”

In conclusion, multifamily property management is a critical industry that requires a robust cybersecurity program to safeguard sensitive financial data, PII, and intellectual property. Follow these six easy steps to implement a cybersecurity program that aligns with industry best practices and remember to continuously evaluate and mature your program to keep up with evolving threat landscapes.