Originally featured in Multifamily Insiders on July 7, 2020
Zombie accounts are real, and they may be ready to attack your multifamily business.
While Hollywood tends to depict zombies as clumsy and mindless, zombie accounts – the still active accounts of former employees – pose the risk of more insidious infiltrations.
Zombie account horror stories include former associates accessing and depleting corporate bank accounts, internal smear campaigns against management or ownership, and efforts to alienate customers. More common results of zombie attacks, such as intellectual property breaches and data leaks, can still cause substantial and lasting damage.
So, what are the risks and how can they be avoided? We’ll take a look at a few solutions and best practices to avoid a zombie invasion.
Hackers Love a Good Zombie Account
Do your associates set their own passwords? What are the odds that they use that same password for their social media or personal email accounts?
The threat of a zombie account isn’t merely posed by disgruntled former associates. If an ex-employee’s personal device or personal accounts are hacked, it may not require much effort to compromise their apps or corporate accounts as well. And because most associates never attempt to revisit the systems they used with past employers, they likely won’t even be aware that their old login credentials are still active or realize that their former account is being used.
It’s imperative that property management companies equip themselves with the ability to disable accounts and system privileges without requiring direct access to the device.
Don’t Let Human Error Create Zombies
Another common issue is that the IT managers responsible for manually discontinuing a former associate’s system access may not have an accurate inventory of the platforms to which that associate was assigned access.
IT teams must be informed of the service providers being used at the site level. While it may have been acceptable in the past to have individual property and regional managers select their own local solutions, in today’s environment each of those individual systems brings increased risk to organizations that are experiencing more sophisticated phishing and cyber-attacks.
We know of property managers who had upwards of 22 different usernames and passwords to remember. How confident would you be that your IT team can identify and deactivate each of those individual access points when that manager leaves the company?
Also, closing out zombie accounts might not be at the top of an IT manager’s to-do list. Yet, even a delay of one day creates a window of opportunity for risk.
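As an added illustration that is not part of the original article, the audit described above can be automated by reconciling an HR roster against each platform's account export. The roster, platform names, field names and sample records below are constructed assumptions; real exports will need their own column mapping.

```python
from datetime import date

# Constructed sample data (assumption): an HR roster mapping each work email to
# a termination date (None = still employed), plus per-platform account exports.
HR_ROSTER = {
    "amy@example.com": None,
    "bob@example.com": date(2020, 6, 1),
    "cara@example.com": date(2020, 7, 6),
}
PLATFORM_EXPORTS = {
    "leasing": [
        {"email": "Bob@Example.com", "active": True, "last_login": date(2020, 6, 20)},
        {"email": "amy@example.com", "active": True, "last_login": date(2020, 7, 6)},
    ],
    "crm": [
        {"email": "bob@example.com", "active": False, "last_login": date(2020, 5, 30)},
        {"email": "cara@example.com", "active": True, "last_login": date(2020, 7, 1)},
    ],
    "maintenance": [
        {"email": "vendor@example.net", "active": True, "last_login": None},
    ],
}

def _finding(platform, email, reason, days, used):
    return {"platform": platform, "email": email, "reason": reason,
            "days_exposed": days, "used_after_exit": used}

def find_zombie_accounts(roster, exports, today):
    """Return active accounts owned by departed staff or by nobody on the roster."""
    findings = []
    for platform, accounts in exports.items():
        for acct in accounts:
            if not acct["active"]:
                continue  # already disabled on this platform
            email = acct["email"].strip().lower()  # exports differ in casing
            if email not in roster:
                # No owner on the roster: shared, vendor or forgotten account.
                findings.append(_finding(platform, email, "unknown_owner", None, False))
                continue
            left = roster[email]
            if left is None or left > today:
                continue  # current employee
            last = acct["last_login"]
            used = last is not None and last > left  # login after the exit date
            findings.append(_finding(platform, email, "terminated", (today - left).days, used))
    # Triage order: accounts used after exit first, then longest exposure.
    findings.sort(key=lambda f: (not f["used_after_exit"], -(f["days_exposed"] or 0)))
    return findings
```

Run on a schedule against fresh exports, the first rows of the result are the accounts to disable and investigate first.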
Check Your Tech, Reduce Risk with Single Sign-On
The proliferation of zombie accounts can be directly tied to the number of systems to which a former associate had access rights. Depending on how many different apps or platforms are in use, the simple deletion of a corporate email account may only be the tip of the iceberg.
If a property uses various systems for leasing, customer relationship management and maintenance service, that’s already four potential zombie accounts. If sister properties are using different sets of suppliers or tools, you can see how the total accounts to monitor can become unwieldy.
Platforms with single sign-on (SSO) account capabilities go a long way toward preventing potential account proliferation.
Verify that the solutions you’ve selected are truly capable of working in an SSO environment with auto-provisioning and deprovisioning capabilities. Seamless SCIM and SAML integrations for added functionality and SSO account management are features almost always found in best-of-breed software.
Also look for hybrid models that allow operators to set time limits and establish parameters for vendor access to the software.
Let’s Not Forget the Cost…Savings
Remember, like made-for-TV zombies, zombie accounts are also hungry: they are looking to eat up your operational and IT budgets. Many platforms – whether multifamily-specific or meeting platforms like Zoom – use the number of users to set their monthly fee, and that number doesn’t have to be active users. Over an entire portfolio, these zombie accounts could create a costly meal for operators.
Implementing automated employee account closures and remote access controls, and consolidating your corporate-wide providers, are relatively easy steps to help stave off the nightmare situations that zombie accounts can create. Rather than scrambling to react to a zombie apocalypse when it arrives, be the hero of your own zombie account story, and take steps now to protect yourself.