Cyber thief phishing keys from shocked property managers struggling with tenant issues and shared passwords.

School’s Out. The Gaps Don’t Hide Anymore.

July 07, 2026

School's Out. The Gaps Don't Hide Anymore.

If you're running operations at a property management firm right now, your day isn't slower.

It's louder.

Tenant issues stack. Owners want answers. Vendors need direction. Systems don't always reconcile cleanly. Your inbox fills faster than it empties, and most decisions happen in the middle of everything—not in focused time.

That's where your security actually lives.

Not in policies.
Not in training.

Right in the middle of your busiest moments.

And that's why problems don't start from negligence.

They start from normal work under pressure.

The Risk Isn't the Click. It's What the Click Unlocks.

A phishing email is just the entry point.

The real risk is what that access connects to:

Email
Lease documents
Owner financials
Vendor portals
Remote access systems

In property management, those systems are tightly connected. One compromised account rarely stays contained.

So the real question isn't "Will someone click?"

It's "What does that click open?"

Where This Breaks Most Often

In most environments, the same patterns show up:

MFA is enabled on email, but not in accounting or property systems
Shared credentials exist across vendor or maintenance portals
Email filtering exists, but login behavior isn't restricted

None of these feel like major failures.

But together, they remove containment.

What This Costs When It Breaks

When access spreads, the impact shows up in operations—not IT.

Here's what it actually looks like:

Owner distributions get delayed while accounts are reviewed
Tenant payment flows are disrupted or questioned
Vendor payment details get changed or intercepted
Internal teams spend hours reconciling what happened
Communication trust breaks when email access is compromised

This isn't a technical inconvenience.

It's lost time, stressed teams, and a week you don't get back.

A Real Example

A property manager opens what looks like a routine vendor document.

Nothing unusual. Just a busy day.

The same password is used in a vendor portal.
That system doesn't require MFA.

Within hours, access expands from email into vendor systems.

No alerts trigger.
Nothing looks suspicious.

Because everything appears to be a valid login.

The problem wasn't the click.

It was everything connected to it.

The Property Management Exposure Check

Use this as a quick internal audit. Not everything carries equal weight.

Tier 1 — Containment (Do First)

MFA across every critical system

✅ Yes
⚠️ Partial
❌ No

Risk if broken: one password becomes immediate access everywhere

No shared credentials anywhere

✅ Yes
⚠️ Partial
❌ No

Risk if broken: access spreads quickly and can't be traced cleanly

Tier 2 — Control Movement

Conditional Access (how logins happen)

✅ Yes
⚠️ Partial
❌ No

What this should include:

Limiting logins by location
Requiring approved or company-managed devices
Blocking outdated authentication methods

Risk if broken: attackers log in without resistance

Role-based permissions

✅ Yes
⚠️ Partial
❌ No

Risk if broken: one account reaches systems it shouldn't

Tier 3 — Detection

Monitoring and alerts

✅ Yes
⚠️ Partial
❌ No

Risk if broken: issues stay invisible until they affect operations

If Tier 1 is incomplete, nothing else matters yet.

What This Means in Your Actual Systems

This is where strategy becomes real.

In Microsoft 365, it means controlling how users sign in—not just turning on MFA.

In AppFolio or Buildium, it means:

Every user has their own login
MFA is enforced for all users
Accounting and vendor access are never shared
Permissions match actual job roles

In most environments, these controls exist.

They're just inconsistent.

And inconsistency is where problems spread.

What Good Actually Looks Like

Weak environments are easy to recognize:

MFA only on email
Shared credentials still exist
No control over login location or device
Permissions layered over time without cleanup

Strong environments are controlled:

MFA everywhere it matters
Login behavior clearly defined and enforced
No shared access
Permissions tied tightly to roles
Clear separation between property systems, accounting, and CRM tools

The difference isn't more tools.

It's tighter control of access.

Next Week Action

Pick one system.

Start here:

Email
Then accounting
Then remote access

Fully enforce MFA.

Then confirm:

Every user is enrolled
No temporary exclusions exist
Backup access methods are defined
Emergency accounts are separated and secured

One system done right reduces your risk immediately.

If Someone Clicks: First 15 Minutes

This should already be clear before it ever happens.

Reset credentials
Revoke active sessions
Check recent login activity
Review inbox rules and forwarding
Confirm access to vendor and financial systems
Lock access down before investigating deeper

Containment first. Explanation second.

The Real Question

If someone on your team opens the wrong file this afternoon, does it stay contained?

Or does it move into the systems that run your business?

Run your environment through the exposure check and write down your answers.

Schedule your 10 minute discovery call with 911 IT.
This confirms exactly what a single compromised account can actually reach.
It only takes 10 minutes to see whether your risk stays small or spreads.