Cybersecurity Becomes a Business Risk Priority

Multifamily operators are evolving their cybersecurity strategies—going from an IT function to a layered approach focused on risk.

“Cybersecurity has evolved from a largely reactive function into a continuous, risk-based discipline that requires both anticipation and rapid response,” says Roman Paylian, director of IT for RPM Living. “As threat actors become more sophisticated, RPM must balance internal expertise with scalable external capabilities to stay ahead.”

Paylian says RPM has intentionally streamlined its cybersecurity strategy by shifting to an integrated partnership model. As part of that, it has engaged an expert managed security provider capable of not only monitoring and triaging events but also engaging with corporate and property operations teams.

“This integration dramatically improved our incident response times to under 15 minutes, while improving coordination and accountability during active incidents,” he says.

Vibha Gore, chief technology officer at Southern Land Co., says its cybersecurity has matured from basic perimeter defenses to a layered, zero-trust-inspired approach focused on identity, endpoint protection, patching, resilient backups, and ongoing employee awareness.

“We standardize controls where possible and design for resilience so business operations can continue even when incidents occur,” she says. “Security is treated as an enterprise risk discipline alongside continuity planning.”

Tim Berger, senior vice president of information technology at Fogelman, also says the firm has moved away from thinking about security as something you do just at the network edge.

“With more SaaS solutions, remote work, and third-party apps, the real ‘perimeter’ is the user and their identity. As a result, we’ve put a lot of energy into tightening identity and access, leveraging and enforcing multi-factor authentication (MFA), conditional access, and making sure people only have the access they truly need,” he says.

According to Berger, the conversation around cybersecurity has become more about business risk than IT.

“Today, we spend as much time on visibility and response, including continuous monitoring and strong detection, as we do on prevention,” he notes. “The concept is straightforward: While we continue to focus on preventing problems before they occur, we’re also developing the skills required to respond effectively and recover rapidly when an issue does arise.”

Multifamily Risks

Multifamily operations have many moving parts, which widens their exposure to cyber risk.

“Each community operates like a small business, but it’s still reliant on core centralized systems. That combination creates a big attack surface, and it’s tough to make sure every location is consistently protected,” Berger says. “On top of that, properties often deal with turnover, seasonal hiring, and a wide range of comfort levels with technology, which can make social engineering easier. The steady flow of payments, refunds, move-ins, and move-outs gives attackers lots of opportunity to exploit our associates.”

Savas Karas, chief operating officer and chief transformation officer at CAPREIT, points to the volume of sensitive data that multifamily companies manage.

“What makes us vulnerable is our commitment to providing an enjoyable living experience for our residents. There is a significant amount of data that is collected and goes into providing somebody with an enjoyable living experience, and having accurate, meaningful, and timely data is important for the experience we look to deliver to our residents,” he says.

Paylian agrees, saying many of the most frequently targeted users are frontline associates who interact daily with a high volume of unfamiliar individuals.

“Every inbound email or message presents a potential threat, and it is often difficult for associates to distinguish legitimate communication from a well-crafted attack,” he says. “That risk is further amplified by the interconnected nature of multifamily operations. A compromise does not need to originate within the organization to cause impact. An attack that begins on the resident or applicant side can easily propagate into leasing, community management, accounting, or vendor workflows.”

Ransomware, business email compromises, and vendor breaches are today’s top concerns weighing on operators.

“The other thing that I worry about is making sure that our staff is adequately trained to understand what is a threat, to understand phishing, to understand what to do when they have something that seems suspicious, or what to do if someone does fall victim to it,” notes Karas. “We don’t blame our staff when something happens. We work with them to rectify it and then train them. But a lot of bad actors are very sophisticated. We’re all working on tight deadlines, and it is very easy to fall prey to some of these complex cyber scams that are out there. We focus on minimizing the impact of issues, recovering quickly and providing support for our staff.”

Berger agrees, saying Fogelman is seeing polished email scams that exploit trust and urgency—especially around invoices, wire changes, and “quick payment” requests.

“Because they target people and processes, not just technology, they can slip past traditional defenses if teams aren’t careful,” he adds.
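The invoice and wire-change scams Berger describes usually leave machine-checkable traces before anyone reads the body: a trusted vendor's display name on an address from a different or lookalike domain, a Reply-To that routes answers elsewhere, and payment-changing language. The screening pass below is an added example written for this article, not a tool from Fogelman or any other operator; the vendor allow-list, domains, and sample messages are constructed for illustration, and a "hold" means nothing more than "phone the vendor on a number already on file before paying".

```python
"""Added example: screen inbound vendor mail for the patterns behind
invoice and wire-change scams. KNOWN_VENDORS and SAMPLES are constructed
for illustration; they are not real vendors or real messages."""
import re
from email.utils import parseaddr

# Display-name fragment staff expect to see -> domain the vendor really sends from (assumed).
KNOWN_VENDORS = {
    "acme plumbing": "acmeplumbing.test",
    "metro roofing": "metroroofing.test",
}

# Phrases that mark a request which changes where money goes or presses for speed.
PAYMENT_TRIGGERS = re.compile(
    r"\b(wire|ach|routing|account number|remit(?:tance)?|"
    r"(?:updated?|new) (?:bank|banking|payment) (?:details|information|info)|"
    r"quick payment|urgent)\b",
    re.IGNORECASE,
)
BANK_CHANGE_WORDS = {"wire", "ach", "routing", "account number"}


def normalize_domain(domain: str) -> str:
    """Fold common visual substitutions so 'acmeplurnbing.test' compares
    equal to 'acmeplumbing.test' ('rn' for 'm', digits for letters, hyphens)."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_flags(msg: dict) -> list[str]:
    """Identity-layer signals: who the mail claims to be versus where it came from."""
    flags = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    for vendor, legit in KNOWN_VENDORS.items():
        if domain == legit:
            continue  # genuinely from the vendor's own domain
        if vendor in name.lower():
            flags.append(f"display name '{name}' but sender domain is {domain}, not {legit}")
        if edit_distance(normalize_domain(domain), normalize_domain(legit)) <= 1:
            flags.append(f"sender domain {domain} looks like {legit}")
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append(f"replies are routed to {reply}, not to the sender domain")
    auth = msg.get("authentication_results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        flags.append("sender authentication failed: " + auth)
    return flags


def payment_triggers(msg: dict) -> set[str]:
    """Content-layer signals: the phrases from PAYMENT_TRIGGERS found in subject or body."""
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    return {m.group(0).lower() for m in PAYMENT_TRIGGERS.finditer(text)}


def verdict(msg: dict) -> str:
    """'hold': identity mismatch plus payment language; do not act before an
    out-of-band call.  'verify': a banking change from an apparently genuine
    sender still gets a call.  'ok': routine traffic."""
    flags, triggers = sender_flags(msg), payment_triggers(msg)
    if flags and triggers:
        return "hold"
    if any(t in BANK_CHANGE_WORDS or "bank" in t or "payment" in t for t in triggers):
        return "verify"
    return "ok"


# Constructed sample messages (not real mail).
SAMPLES = {
    "routine_invoice": {
        "from": "Acme Plumbing <billing@acmeplumbing.test>",
        "subject": "Invoice 4471 for unit 12B",
        "body": "Attached is invoice 4471 for the water heater replacement.",
        "authentication_results": "spf=pass dmarc=pass",
    },
    "lookalike_wire_change": {
        "from": "Acme Plumbing <accounts@acmeplurnbing.test>",
        "reply_to": "acme.billing@webmail.test",
        "subject": "URGENT: updated banking details for invoice 4471",
        "body": "Please wire today to the new account. Routing and account number below.",
        "authentication_results": "spf=pass dmarc=none",
    },
    "real_vendor_bank_change": {
        "from": "Acme Plumbing <billing@acmeplumbing.test>",
        "subject": "New bank details effective next month",
        "body": "We have new bank details for remittance; see the attached letter.",
        "authentication_results": "spf=pass dmarc=pass",
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label}: {verdict(msg)} {sender_flags(msg)}")
```

The two layers are deliberately separate: the sender checks never look at wording, so a "hold" can be explained to an associate in one sentence ("the name says Acme but the domain is not theirs"), and a genuine vendor changing its bank account still lands in "verify", which is the extra verification for sensitive requests that the operators quoted here describe.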

Gore adds that artificial intelligence (AI) also is making scams more convincing and increasing the chance of accidental data exposure. “We manage this with clear usage expectations, extra verification for sensitive requests, and careful handling of what information is shared with AI tools,” she says, adding that it’s important to verify unusual requests, keep sensitive data out of AI prompts unless a governed tool is used, and apply standard controls to AI-enabled workflows.

Preventive Measures

RPM Living’s Paylian says there is no single control that can fully prevent cyber compromise. But he, along with the other technology executives, says that if there is one baseline measure every operator should implement immediately, it is MFA for all associates.

“In today’s threat environment, organizations without comprehensive MFA are already at a significant disadvantage in terms of their overall security posture,” Paylian says. “Despite being widely recognized as a best practice, it is still surprising how many operators have not fully adopted MFA across day-to-day operations.”

However, Berger says not all MFA is created equal.

“We are discouraging or eliminating SMS-based MFA, which remains vulnerable to SIM-swapping and social-engineering attacks. Instead, organizations should prioritize phishing-resistant methods such as authenticator apps, biometrics, or hardware-backed authentication,” he says. “Most modern cyber incidents still begin with stolen credentials, and strong, non-SMS MFA dramatically reduces the effectiveness of those attacks across email, cloud applications, and vendor access. In a world where identity is the new perimeter, enforcing modern MFA is one of the fastest and highest ROI steps leaders can take to materially reduce risk.”

Berger adds that even a basic MFA rollout reduces risk fast, and operators can build from there. “Pair it with a little user education and some monitoring, and you’ve got a strong foundation for everything else you want to do,” he says. “If you’re looking for a high-impact starting point, hardware or device-bound credentials are it.”
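What separates the MFA methods Berger ranks is whether the second factor is bound to the site the user is really on. A code the user reads and types (SMS, or an app-generated TOTP) carries no such binding, so a proxy sitting on a lookalike domain can forward it to the real site within the same time window; a FIDO2/WebAuthn credential signs over the origin the browser observed, so the same relay fails at the relying party. The simulation below is an added example written for this article, not code from any operator or vendor named here. The origins are assumed, and an HMAC with a shared key stands in for the authenticator's asymmetric signature; the origin and challenge checks the relying party performs are the real ones.

```python
"""Added example: relay phishing against a typed one-time code versus an
origin-bound (WebAuthn-style) assertion. Origins and keys are assumed; the
HMAC 'signature' is a stand-in for the ECDSA signature a real authenticator
produces. The origin check is what carries the security argument."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://resident.example-apartments.test"   # assumed
PHISH_ORIGIN = "https://resident.example-apartrnents.test"  # assumed lookalike


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step). An SMS code behaves the same
    way for this purpose: the user reads digits and types them somewhere."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class OtpRelyingParty:
    def __init__(self, shared_secret: bytes) -> None:
        self.secret = shared_secret

    def verify(self, code: str, at: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, at))


def relay_phish_otp(rp: OtpRelyingParty, shared_secret: bytes, at: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it to
    the real site inside the same time step. Nothing ties the code to where it
    was typed, so the real site accepts it."""
    typed_on_phish_page = totp(shared_secret, at)
    forwarded_by_proxy = typed_on_phish_page
    return rp.verify(forwarded_by_proxy, at)


class Authenticator:
    """Hardware-backed credential. Stand-in: HMAC over the client data instead
    of an asymmetric signature."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def get_assertion(self, challenge: str, origin: str) -> tuple[bytes, bytes]:
        # In a real browser 'origin' is filled in by the browser from the page
        # that called navigator.credentials.get(); the page cannot choose it.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return client_data, sig


class WebAuthnRelyingParty:
    def __init__(self, origin: str, authenticator: Authenticator) -> None:
        self.origin = origin
        self.key = authenticator.key      # stand-in for the registered public key
        self.pending: set[str] = set()    # challenges issued but not yet used

    def new_challenge(self) -> str:
        c = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
        self.pending.add(c)
        return c

    def verify(self, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get":
            return False
        if data.get("origin") != self.origin:          # origin binding defeats relay
            return False
        if data.get("challenge") not in self.pending:  # single use defeats replay
            return False
        self.pending.discard(data["challenge"])
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def legit_webauthn_login(rp: WebAuthnRelyingParty, auth: Authenticator) -> bool:
    challenge = rp.new_challenge()
    client_data, sig = auth.get_assertion(challenge, LEGIT_ORIGIN)
    return rp.verify(client_data, sig)


def relay_phish_webauthn(rp: WebAuthnRelyingParty, auth: Authenticator) -> bool:
    """Proxy fetches a real challenge and hands it to the victim's browser on
    the phishing page. The browser stamps the phishing origin into the client
    data, so the forwarded assertion fails the origin check."""
    challenge = rp.new_challenge()
    client_data, sig = auth.get_assertion(challenge, PHISH_ORIGIN)
    return rp.verify(client_data, sig)


def replay_captured_assertion(rp: WebAuthnRelyingParty, auth: Authenticator) -> bool:
    """Even a genuine assertion captured in transit is useless a second time."""
    challenge = rp.new_challenge()
    client_data, sig = auth.get_assertion(challenge, LEGIT_ORIGIN)
    rp.verify(client_data, sig)          # first use succeeds and consumes the challenge
    return rp.verify(client_data, sig)   # replay is rejected


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    print("OTP relayed by phishing proxy accepted:", relay_phish_otp(OtpRelyingParty(secret), secret, 1_700_000_000))
    auth = Authenticator()
    rp = WebAuthnRelyingParty(LEGIT_ORIGIN, auth)
    print("Genuine WebAuthn login accepted:", legit_webauthn_login(rp, auth))
    print("WebAuthn relayed by phishing proxy accepted:", relay_phish_webauthn(rp, auth))
    print("Captured assertion replayed accepted:", replay_captured_assertion(rp, auth))
```

The same origin check is why a conditional-access policy can safely require the hardware-backed method for email, cloud applications, and vendor portals while leaving SMS as, at most, a break-glass fallback: the relay that works against a typed code simply has nothing to forward.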

Beyond MFA, Paylian says the next most impactful investment is a mature, actively managed detection and response (MDR) or extended detection and response (XDR) platform: a unified approach that brings endpoint, identity, and cloud telemetry together so attacks can be detected and neutralized rapidly.

“These solutions provide continuous visibility, advanced threat detection, and real-time response capabilities that go well beyond traditional monitoring,” he notes. “When properly managed, they enable faster containment and remediation while reducing reliance on internal teams to manually sift through alerts. Together, MFA and managed detection and response form a strong foundation for reducing risk in an increasingly complex and fast-moving threat landscape.”

Cybersecurity awareness training also is critical for managing risk.

“Beyond baseline training, we reinforce learning through ongoing simulated phishing and social engineering campaigns. These exercises target different roles, departments, and use cases to reflect the variety of situations associates encounter in their day-to-day work,” says Paylian. “The goal is not simply to test employees but to build muscle memory and confidence in identifying suspicious activities.”

A failed simulation triggers targeted follow-up training to close the specific gap it revealed.

Fogelman also tries to keep training practical through regular awareness touchpoints and phishing simulations as well as an annual security awareness assessment. In addition to training, Berger adds that it is just as important to make reporting a potential issue feel easy and safe.

“We’d rather someone flag something that turns out to be harmless than stay quiet and let a real issue grow. When people know they won’t be blamed for asking questions, you get faster reporting, quicker response, and better outcomes overall,” he says.