The amazing power and flexibility that information technology brings to the marketplace and to people’s lives come with some caveats. One of them is the risk and reality of cybercrime.
Every industry is subject to cybercrime’s potential harm, including self-storage.
The financial industry alone suffered more than half a trillion dollars in losses from cybercrime as of mid-2018, according to the Merchant Risk Council. The MRC attributed the losses and ongoing risks to constantly evolving technologies and new, elaborate methods for hacking financial systems.
In self-storage, mobile technologies, management software, access control systems, company computer networks, email, and social media are among many points of vulnerability.
Plethora Of Cyber Risks
Scott Zucker says the self-storage industry has benefitted from using computers and the internet in its business operations for the past 20 years, just as most—if not all—other industries have done.
Zucker, a partner with the Atlanta-based law firm Weissmann Zucker Euster Morochnk & Garber P.C., specializes in business litigation emphasizing real estate, landlord-tenant, and construction law. He wrote “Legal Topics in Self Storage: A Sourcebook for Owners and Managers” and is a partner in the Self Storage Legal Network, a subscription-based legal service for storage owners and managers.
“The ability to store and transmit data about self-storage tenants, the ease of managing financial transactions, and the use of social media to engage greater marketing have certainly affected how facility operators conduct their business and have enhanced their bottom-line profitability,” says Zucker.
He cites “the litany” of cyber risks in self-storage operations, including computer viruses, physical theft of computers and services, financial theft of accounts by the hacking and unauthorized use of tenants’ confidential information, and third-party cyber extortion.
“The risk of cyberattacks can occur from outsiders halfway around the world to local business partners and employees,” Zucker says.
Former employees sometimes engage in hacking to damage their employers. Financial motives sometimes prompt hacking—stealing and then selling credit card numbers and other personal information or using the information to fraudulently buy goods. Companies of all sizes can become cyber victims.
“The size of the targeted business is irrelevant,” Zucker says. “Data breaches can occur with small or large businesses. Many small businesses are targets due to the greater likelihood that their data security is not as strong as might be in place with larger companies.”
Using computers, networks, servers, and mobile devices greatly increases vulnerability to cybercrime, he says. This can include accidental release of information and purposeful, unauthorized information theft from outside hacking.
Steve Lucas, CEO and managing partnerof The Storage Group, a digital marketing agency specializing in self-storage technology products and services in Altamonte Springs, Fla., sees five main cybersecurity concerns for self-storage:
Online transactions – Online transactionshave increased “dramatically” since March 2020. Lucas says Click and Stor, the company’s flagship online rental tool, has had 200 percent to 300 percent more use in the past year than ever before.
Other similar systems have entered the marketplace “because everybody’s trying to figure out how to do things without meeting in person” and could be vulnerable to breaches of company and tenant data such as payment processing, unit numbers, and gate codes.
Cloud-based property management systems (PMS) – A cloud-based PMS is vulnerable to isolated breaches through a single account login. A cybercriminal could then steal the tenant’s gate code, account history, and other information or the facility’s login, which gives access to all current and past renters’ credit card numbers, passwords, and gate codes.
“The potential breach there could be devastating to a facility or ownership group,” Lucas says.
Software-based PMS – Self-storage facilities often use older versions of software-based PMS, which reside on computers and are “very vulnerable.” Proper workforce training in how to use and protect these systems is crucial.
Connectivity – Connectivity includes emails and is “just as risky as PMS,” Lucas says. Track who is using your email system, monitor spam emails, and learn how to identify phishing emails (fraudulent emails intended to trick users into revealing sensitive information) and what to do with them when you encounter them.
Passwords present a “huge” risk, Lucas says. Never write them down on paper; use a password protection program instead and store them on backup servers. Make them at least 12 characters long and use all types of characters allowed (lowercase and capital letters, numbers, and other symbols).
Change passwords every 30 to 60 days. Don’t use street addresses, phone numbers, family members’ or pets’ names, or other commonly used categories.
Website attacks – Website attacks pose a “pretty strong” threat, according to Lucas. There are websites that show where such attacks are happening worldwide in real time. Ask website providers how they manage and monitor their servers. You should have continuous access to them and monitor them as well.
“It’s all about collecting data because data is money,” he says—for your business and for cybercriminals.
Zach Fulleragrees that many smaller self-storage operators lack resources to build cybersecurity systems. These operators tend to use third-party security controls, or they overlook cybersecurity’s importance for their businesses. Fuller is partner and head of business operations for Phoenix-based cybersecurity company Silent Sectorand author of “Cyber Rants: Forbidden Secrets and Slightly Embellished Truths About Corporate Cybersecurity Programs, Frameworks, and Best Practices.”
But because the self-storage industry is not especially consolidated, most hacking targets larger operators, says Jon Loftin, vice president of the internet of everything (IoE) and kiosk product owner for Phoenix-based OpenTech Alliance Inc.
“Like any business that deals with credit card information and personal identifiable information, the self-storage industry can be vulnerable to hackers and other bad actors that that are looking for easy ways to obtain this type of information,” Loftin says.
An Ounce Of Cyber Prevention
Mike Schofield, president and CEO of MiniCo Insurance Agency LLC, mentions two key things in cyber risk management: Do not open emails with attachments from questionable sources, and always use updated antivirus software.
“A large portion of our industry is mom and pop, and they have cyber exposure just like any other business would have,” Schofield says.
The industry is growing and consolidating, and operations are becoming larger, Schofield adds. Sometimes small businesses are more vulnerable than bigger ones because of inadequate security procedures. But ransomware can victimize any company, regardless of size.
And Schofield says, “social engineering,” which is defined by cybersecurity company Norton as “the act of tricking someone into divulging information or taking action, usually through technology,” is a growing risk.
Cybercrime can cause big liabilities for unprepared self-storage businesses, Zucker adds. An accidental or intentional data breach can impair a facility’s use of its management software system, which controls tenants’ information and the facility’s ability to issue rent bills. This could prompt tenants to end their leases and cause facilities to suffer “staggering” loss of revenue and costs to rebuild their data notify tenants. A data breach “can simply be catastrophic for a self-storage owner and its business,” he says.
To reduce these risks, Zucker advises self-storage facilities to use proper network firewalls, periodically inspect their systems for vulnerability, change their access passwords regularly, and verify that anti-virus and spyware software systems are working properly. And businesses should also consider buying cyber insurance to protect themselves against the risks.
Michael Attanasio, senior vice president of professional liability and manager of cybersecurity for MiniCo Insurance Agency, says more brokers and insurers are becoming more comfortable with cyber insurance. “I think they and the insureds are seeing more frequently the importance of it,” he says. “We continue to see the mom and pops, not just the (big self-storage companies) getting hit with something. For smaller ones especially, it’s crucial, because they typically don’t have an IT staff.”
Per Lucas, one important precaution is to conduct “brute force” tests to discover where cybercriminals might be able to break through a company’s technology firewalls to access sensitive data.
“In coding, engineers are always trying to break their code to see what is weak, what doesn’t make sense, what could break in the environment,” Lucas says.
Facility owners should always ask PMS software providers whether they have done this kind of testing and whether they can provide documentation of having done it. And companies should not allow employees to use personal computers for work, whether in the office or at home, because doing so poses another risk.
Fuller notes that most calls the company gets are about email phishing for usernames and passwords. An email that appears to come from Microsoft, for example, arrives and invites the recipient to reset account information but takes the user to a fake website where they become victims. Therefore, he advises clients to always use multifactor authentication on company accounts, never use mobile phones for texts for this purpose because of their vulnerability to hacking, and always use password manager software to remember passwords and create them for other accounts.
Companies that take these and other steps align themselves with standards endorsed by the National Institute of Standards and Technology and the Center for Internet Security. “No need to reinvent the wheel,” says Fuller. “Cybersecurity is not a mysterious thing.”
Loftin states that companies should ensure their operations are compliant with the Payment Card Industry Data Security Standard (PCI DSS) by checking with their credit card processors. Compliance includes not storing written credit card information and using PMS that encrypts data and uses tokens when transmitting credit card information. Some older PMS or access control systems might save the unencrypted information on local computers, putting it at greater risk.
“I would definitely recommend reviewing the technology and software products that are being used at your property and ensuring that they are using the best practices in regards to encryption and data security,” says Loftin, who adds that the biggest risk most self-storage operators face is ransomware. Cybercriminals encrypt a local computer’s data and demand payment to remove the encryption.
After A cyber attack
What to do when a cybercriminal strikes harks back to methods of prevention: Reach for your recovery plan in your operations manual.
Your recovery plan should guide your response to a successful attack.
“What happens in a breach?” Lucas asks. “Whom do you notify? What steps should they take if they discover they have suffered a breach? The kneejerk is that it’s embarrassing. But every second, every minute that goes by is detrimental. You have to notify everybody.”
That includes all your customers, law enforcement agencies, your lawyer, and your insurance carrier. You face “significant legal ramifications” if you fail to contact law enforcement and document your communications with them. Your insurance agent and your lawyer can refer you to others who can help.
“This is a very scary realm,” Lucas says. “Some firms specialize in it. Know whether your insurance covers it. Your insurance company deals with the other insured (party) or whoever caused the damage. The majority of us don’t know about cyber issues, breaches … As a 40-year entrepreneur, I can tell you about how having the right insurance has saved my butt on many, many occasions. Just the stress part of a breach—you might have affected hundreds or thousands of people.”
If a victimized company identifies an anomaly in their networks, Fuller says that they should first isolate it. Unplug that device from the network to stop the spread. Because of malware, turning off the computer won’t eliminate the risk.
“Keep a chain of custody about who had control and access to your systems for the cybersecurity investigating company,” says Fuller. “Another thing: Whether or not (you) created a plan to follow after an incident, contact the cyber insurance provider. They’ll probably have an attorney they’ll recommend. The cyber company investigating the breach should contact the attorney, not you.”
Contact your credit card processor along with your insurance agency, Loftin says, and understand your state’s regulations that you must follow when a data breach occurs.
Prepare For Cybercrime
So, is the self-storage industry prepared for cybercrime?
“I think we’re behind the curve,” Lucas says. “That may insult some in the industry. There’s always been a technology deficit in this industry.”
Though the industry is improving with the use of some components of technology, Lucas says that many self-storage companies have websites that are not designed to be used on mobile phones and look “horrible on a phone, which 60 to 70 percent of users use to access self-storage websites.
“That gives you an indication of the technology understanding in the industry,” Lucas says.
REITs and other big operators are tech savvy and have bigger budgets to devote to cybersecurity and a desire to understand many aspects of running a business. Smaller companies can get consumed running their facilities day to day.
“I don’t say this in a negative way,” Lucas says. “You prioritize a day based on what you think is most important to get done, pleasing your customers, and paying your bills. (Cybersecurity) sits down at the bottom of the barrel, though it doesn’t belong there.”
Attanasio echoes that sentiment, saying that the self-storage industry “is probably slower” to embrace protections against cybercrime than some other industries. Loftin is unsure whether the industry is behind the cybersecurity curve, but he has not read many new articles about big data breaches in the industry. He thinks that bad actors target companies they view as more lucrative than self-storage.
But Fuller says that, overall and compared to some other industries, self-storage is not doing well with its cybersecurity efforts. Tech companies are leading the way in cybersecurity practices. Health care and financial services companies are better prepared than many others because they must meet many compliance requirements.
The self-storage industry, on the other hand, is subject to fewer compliance requirements than those and other industries. Therefore, self-storage decision-makers are less pressured to build cybersecurity systems, though some do.
Like many small businesses, smaller self-storage operators think that they have nothing cybercriminals would want, that using cloud services ensures their cybersecurity, or that they are too small to be a target. But these are myths that lead people to neglect their cybersecurity.
“I always tell people it’s not about being perfect,” Fuller says. “It’s about being a harder target than those around you. Research it; doing what you can do yourself is better than doing nothing. Start somewhere and you can improve over time. As a nation, we are failing to protect ourselves against cybercriminals.”