Gaps in the Roster: Staffing Shortfall Exposes Leasing Firm to Cyber Risk

The Challenge

In early 2025, Summit Residential Group, a national leasing and property management firm, faced a wake-up call that exposed the consequences of prolonged cybersecurity understaffing. Over the past year, the company had aggressively expanded its digital offerings, adding online lease renewals, automated maintenance requests, and virtual property tours. However, its cybersecurity function had not scaled with these new digital touchpoints.

By February, red flags began to emerge. A frontline employee received an invoice from what appeared to be a long-time vendor. The invoice included a payment portal link. Unaware of the risks, the employee clicked the link and attempted to log in. Thankfully, an internal anomaly detection system flagged the suspicious login attempt and blocked access. While no breach occurred, the near miss forced senior leadership to examine systemic gaps.

An internal review revealed a number of weaknesses. Summit’s IT team was operating at 60 percent capacity, with key cybersecurity roles unfilled for over six months. No one had been assigned to formally coordinate incident response, and leadership had not received a cyber risk briefing in over a year. Most employees had not completed any cybersecurity training since onboarding, and there were no simulated phishing campaigns or tabletop exercises in place.

Our Solution

We were engaged to conduct a cybersecurity workforce assessment and implement immediate risk mitigation strategies. Our analysis confirmed the need to hire additional cybersecurity professionals across operations, governance, and incident response. We also delivered an interim training program for staff across departments, with role-specific simulations for property managers, leasing agents, and executive leadership.

To address long-term workforce development, we helped Summit launch an internal cyber academy with certification incentives. Cybersecurity awareness was integrated into performance reviews and promoted through quarterly metrics dashboards. To enhance understanding of digital risks, we established a rotational shadowing program that allowed non-technical staff to observe cyber operations firsthand.

The Value

Within six months, Summit filled critical roles, cut average incident response time by 40 percent, and significantly improved employee engagement in cybersecurity programs. The firm’s proactive steps were praised by partners and insurers, helping Summit secure better terms on its cyber insurance renewal. Leadership also reported greater confidence in their readiness posture, with incident response plans now regularly reviewed and tested.

Implementation Roadmap

1. Hire and onboard cybersecurity personnel across all risk domains

2. Launch staff-wide awareness and training tailored to roles

3. Create a certification and upskilling pathway through internal programs

4. Add cybersecurity metrics to quarterly performance reports

5. Establish cross-functional learning opportunities through shadowing

Info Sheet

Industry Sector: Real Estate and Rental and Leasing

Applicable Legislation:

  • PIPEDA
  • Canadian Centre for Cyber Security workforce strategy

Necessary Action Type: Cybersecurity Workforce and Awareness Planning

Steps to Be Taken:

  • Assess staffing needs against operational risk exposure
  • Launch hiring and retention program for certified cyber staff
  • Create internal career growth paths for junior analysts
  • Tie leadership KPIs to training and simulation performance
  • Roll out phishing testing and real-time awareness modules

Involved Third Parties:

  • Cybersecurity training and staffing firm
  • Internal HR and risk departments