Article from Volume 13, Issue Number 2, 2025
View Article PDF Back to Latest Issue
The weakest link in cybersecurity? Usually humans Let's remove that vulnerability
By Duane Rohne | Other articles by Duane Rohne | Feature
If you're even a moderately active consumer of news, you’ll have seen reports of cyberattacks on both public and private interests. Media headlines are filled with cyberattack stories. Here are links to some of them:
- Most Manitoba schools hit in cyberattack
- Hackers put price of $1.6M on student data
- Multiple government websites down across Canada, cyberattacks blamed
- Real estate firm Mainstreet Equities latest victim of cyberattack
- University of Winnipeg cyberattack
Cybercrime refers to any activity that uses computers, email or the internet to steal money, access private information or disrupt operations. Common examples include:
- Ransomware, which involves criminals encrypting data and demanding payment to restore access.
- Malware, which involves insertion of malicious software designed to damage or disable systems.
- Phishing, which involves fraudulent emails or texts impersonating trusted sources to steal personal information.
It’s easy to think cybercrime affects only large organizations. But every condo corporation holds valuable data — owner information, financial records and legal documents — that are attractive targets. Under Section 131 of the Manitoba Condominium Act, condo corporations must collect and maintain a variety of records, including:
- Meeting records, including minutes and voting outcomes
- Lists of directors, owners and lease agreements
- Financial records, including budgets, audits, tax filings and bank records
- Governing documents, including declarations, bylaws and rules
- Legal and insurance records, including deeds, licences, insurance and court rulings
- Communication records, including emails, letters and reports
Just as we once protected physical records from theft or damage, digital records must now be safeguarded from cyberattacks. Knowing where your data is stored and who can access it are essential.
Several Winnipeg condo directors offered these examples of data protection practices:
- Data is fully backed up every 14 to 30 days to encrypted offline drives stored in fireproof safes
- Cloud backups (e.g., using Dropbox or Google Drive) are conducted monthly
- Commercial security suites with firewalls are installed
- Operating system software is regularly updated for all devices used to maintain records
- Strong, unique passwords are stored with password managers
- Two-factor authentication is used for sensitive data access
As condo corporations move toward fully digitized recordkeeping, directors must assess the risks and responsibilities that come with managing personal and corporate data. Cybersecurity is now as important as protection from fire, flood and theft.
Here are a few good resources to help strengthen your cybersecurity:
- Canadian Centre for Cybersecurity
- Public Safety Canada
- Communications Security Establishment (CSE)
- Royal Canadian Mounted Police (RCMP)
If you rely on an IT service provider or management company, ask about its cybersecurity practices, response plans and insurance coverage. A proactive conversation is a critical first step.
Even with the best safeguards, mistakes and breaches can occur. If your condo corporation becomes a victim — losing access to data or discovering a breach — immediate action is essential.
In Canada, there's no universal legal obligation to report all cyberattacks, but individuals and organizations are strongly encouraged to report them. Reporting is crucial for law enforcement and the Canadian Centre for Cyber Security to effectively combat cybercrime.
An assessment tool to help determine risk is provided by the Office of the Privacy Commissioner of Canada. Depending on the severity of the attack and the data stolen or accessed, further reporting might be required. If personal information has been accessed or stolen, the record holder might have to report the breach to the Office of the Privacy Commissioner of Canada. Reporting requirements can be found here.
The RCMP recommends reporting a breach to your local police within 24 hours of the discovery of the attack. Guidance and recommendations are also at the RCMP national website.
After reporting the attack, call your insurance provider to determine your level of insurance coverage. We understand the need for fire, theft and damage insurance, but do we now need cybersecurity insurance? If you haven’t had an in-depth discussion with your management company or insurance provider about data security and cybersecurity insurance, it's time to add it to your next board meeting agenda.
It’s essential to consider:
- Does your corporation have cybersecurity insurance protection?
-
If you employ a management company and the breach was caused not by the management firm but by a board director, employee or contractor, would your corporation be covered by your management company's policy?
-
If you're a self-managed corporation, do you have crime insurance coverage to rebuild your database or recover stolen funds?
You should talk to your insurance broker and your property manager (if you have one) about cybersecurity. The recovery costs after a cyberattack can be significant. Expert guidance and assistance can make all the difference in pre- and post-attack planning.
If your condo corporation isn’t protected against cybercrime, it’s time to take the first steps toward stronger cybersecurity. Just as with fire or flood, cyberattacks are real risks and preparation is key.
Be smart: Have a plan. Know whom to call. Be ready.
Duane Rohne is a former director of CCI Manitoba who continues to volunteer as chair of the Government Relations and Advocacy Committee. Duane is a condominium owner and board member of his condominium corporation.
Go Back | Next Article |
From Issue

Vol. 13, Issue 2, April 2025
View PDF