November 15, 2021
How Armada Hoffler Properties Protects its Data Security Base
Anthony “TJ” Masters is Armada Hoffler Properties’ Director of IT. His team is responsible for the development and implementation of IT plans and managing tech security. With his leadership and support, we are able to maintain our company’s online presence and the protection of our IT data.
Check out our interview with TJ below!
Q: What cyberthreats does Armada Hoffler specifically face?
A: Almost all of them… The threat landscape is vast, and most threats are not designed to be target-specific, but rather target-agnostic. Aside from nation-state threats specifically designed for a particular target audience, generally, threats are blasted out to as many recipients as possible to scam anyone who isn’t well enough trained or who isn’t paying attention.
Armada Hoffler, like everyone else, is a potential target for any ransomware, Trojans, worms, or any other general cyber-attack malware that exists in ‘the wild’. That is why we act with a defense-in-layers approach and diligently train our employees to identify attack attempts and to respond appropriately.
Q: What are the impacts of a potential breach?
A: As the news has shown, impacts of a breach can range anywhere from minor inconvenience to significant monetary loss, to significant brand damage and any degree in between.
Armada Hoffler uses a lot of resources to ensure our defense perimeter is set up to negate as many of these potentials as possible, and to ensure that in the unlikely event we are exposed to a breach, we have a quick, tested method to eradicate it, minimize the effect, and to recover efficiently and effectively with minimal impact to our business continuity.
Q: How can the average employee reduce the risk of cyber attacks on your company?
A: By being cautious and approaching all technology-originated communications with a zero-trust mentality, the average employee can thwart a vast majority of attack attempts. Armada Hoffler ensures employees are familiar with and adhere to IT policies, which are crafted to minimize employee risk. We take IT security training lessons seriously and realize the significant impact each and every person’s actions can have on the company as a whole. Our employees are trained to question everything that comes in the form of an email, text message, or phone call, especially if it meets any of the red-flag categories.
Q: As information becomes more digitally delivered and accessible, are threats higher than they would be if the information was delivered through paper documents?
A: Not necessarily. It is almost impossible to be more secure than to write something on paper and personally hand-deliver it to the person you want to have it. As that is not generally feasible, at some point there is reliance on a ‘trust-point’ in the middle – be that the Post Office, FedEx or a digital equivalent.
The key is to find a solution that best meets the CIA Triad of Confidentiality, Integrity, and Availability; that is, make sure only the party meant to see it can, make sure it is free from unauthorized changes, and make sure the data is accessible when needed.
Q: How can you detect a potential breach and what is done in response to it?
A: We use multiple methods to accomplish this, from manual monitoring of systems and log analysis to cue on any ‘out of norm’ operations to AI systems that analyze user and system activity to detect anomalies, like a user logging in at 3 a.m. and deleting 100 files. We also have alerting processes set up for criteria that we consider ‘out of band’.
Some of our response mechanisms are manual, such as forcing a user password change, some are dictated to third-party monitoring agencies to respond a particular way if certain criteria are met, and yet others still are automated using AI, based on predetermined response parameter settings.
Q: How can employees be appropriately trained to ensure data security?
A: We use a training platform that not only delivers and tracks the completion of training sessions we determine are most important for our employees, but also allows us to deliver a variety of simulated attacks via multiple vectors. If an employee is tricked by one of these simulations, we provide additional training sessions for them to help them better identify flags that can aid in identifying a received item as an attack attempt.