1. Individual user logins
As an owner, you need to set the right tone from the start.
It may seem over-the-top but, as tempting as it is to allow staff to use one of their colleagues’ usernames and passwords, it sets a very bad precedent. If it’s OK to use someone else’s credentials to edit a mobile number, maybe it’s OK to do the same for bank account details?
By letting staff share login details, you immediately lose sight of who's doing what on your systems and open up the potential for landlord and tenant details to be copied or, in the worst case, used to carry out identity theft.
If you need 100 user accounts, sign up for 100 user accounts.
Software providers recommend changing your password every 60-90 days. We know it’s impossible to set and remember strong, unique passwords for every different system in your life, which is why we recommend using a password manager.
A password manager stores all of your passwords, and you only need to remember one to gain access. It also helps you generate new, random, secure passwords, so no more 'lettings123'!
If anyone writes down their password on a post-it and sticks it to their monitor, let them know, in no uncertain terms, that this is unacceptable!
Regular password updating
Tie the task down to a date in the calendar (maybe the first day of every quarter) so people get into the habit of doing it cyclically.
3. Keeping offline documents secure
Despite all this paperless technology, you will probably need to keep certain client information in hard copy. If you have photocopies of passports, utility bills, bank statements, or anything else that could theoretically be pieced together to steal someone's identity, you must make sure these documents are stored somewhere safe and secure and never left out on a desk. When you no longer have a legitimate reason to hold on to documents, return originals and securely shred copies.
4. Offboarding policy
When a member of staff leaves, whether it's a planned exit or one that comes out of the blue, it's essential to update your systems as quickly as possible. Keeping a record of who has access to what makes this an easy process when the time comes.
In the case of a staff member working out their notice, it's probably worth limiting their access to certain confidential information, as long as it doesn't affect their ability to do their job while they're still with you.
As well as logins to bank accounts, the software system and credit referencing portals, this process may also need to stretch across various other things connected to the individual. The higher the staff turnover levels in your company, the more important this process becomes.
Research shows* that at least 82% of cyber security attacks have been caused by human error, particularly through phishing scams. For example, cybercriminals pretending to be from a business's IT department will get an employee to hand over all sorts of security information under the pretext of fixing an error on their PC.
Another phishing method is to send an email from what looks like a reputable or recognised company to trick the recipient into installing malware by clicking on a malicious link or opening an unknown attachment. Examples include emails with quotes attached or with a link to an unknown website.
Ultimately the most valuable defence against phishing and other cyber-attacks that prey on human error is training. Make sure your staff are aware of the dangers and who to contact if they have any doubts about a caller or an email.
Human error is unavoidable, but there’s no excuse for bad processes or a lack of contingency plans. No individual should have more control than they need over certain areas of your business records. Always have at least a basic backup plan in case someone is unavailable or decides to leave.
* source: 2022 Verizon Data Breach Investigations Report
* Gill Waller is the Marketing and Development Manager for The Letting Partnership.