Property Management IT in Monterey and Santa Cruz Counties: A 2026 Owner's Guide

Most of the property management firms I sit down with on the Central Coast did not set out to build an IT department. They started managing a few units, signed up for AppFolio or Yardi because an owner expected an online portal, added a leasing office, hired a couple of managers, and a few years later they are running a portfolio of several hundred units across a dozen properties with a back office that grew one decision at a time. The software works. The Wi-Fi mostly works. Nobody has looked at the whole picture as one system.

This post is the version of the conversation I have over coffee with a property manager or HOA management company in Monterey or Santa Cruz County. The framing I use, and the one I will use here, is six layers. You are already running most of them. The question is whether you are running them well enough to survive a vendor-banking-change fraud attempt, a phished manager account, a cyber-insurance audit, a records request under the Davis-Stirling Act, or a twelve-hour power shutoff during harvest and fire season.

Why property management IT is different from generic SMB IT

An accounting office in Monterey has eight people, eight laptops, and a printer. The whole environment fits in two rooms. A property management firm with the same eight office staff is running a leasing office and maybe a second satellite office, a handful of on-site managers working from clubhouses and converted units, leasing agents showing properties from their phones, a cloud property-management platform, an owner portal, a resident portal with online rent payments, screening services pulling credit and Social Security numbers, smart locks and cameras at the properties, resident Wi-Fi in the amenity spaces, and a bank account that sends and receives money on behalf of dozens of owners every month.

Concretely, property management IT differs from generic small-business IT in five ways:

• You are a custodian of other people's money. Rent comes in, owner distributions go out, vendors get paid, security deposits sit in trust. That money movement is exactly what business email compromise targets.
• You hold dense, regulated PII. Tenant applications carry Social Security numbers, dates of birth, bank accounts, and full credit reports. A single screening file is an identity-theft kit.
• You are multi-site by default. Leasing offices, on-site management, and agents in the field mean the "office network" is a fiction. The perimeter is identity, not a firewall.
• You run resident-facing technology. Amenity Wi-Fi, smart locks, package lockers, and cameras put untrusted devices and the public on networks that have to stay away from your accounting data.
• You operate inside real compliance frameworks. The FTC Safeguards Rule, California's CCPA and CPRA, fair-housing rules around tenant-facing technology, and the Davis-Stirling Act for HOAs all touch how you handle data.

The six IT layers a Central Coast property management firm needs

Layer 1: Multi-site connectivity and a segmented network

The leasing office needs a real firewall (not a consumer router from Costco), business-class internet with a documented SLA, and a cellular failover for when the wired link drops. But the part that matters most for property management is segmentation. Resident and amenity Wi-Fi, smart locks, security cameras, thermostats, and package lockers belong on a network that is separated from the one your accounting, screening data, and property-management platform live on. When a resident's infected laptop sits on the same flat network as the leasing PC, an attacker who lands on the resident side can pivot to the side that holds Social Security numbers.

For firms with on-site offices at multiple properties, the realistic pattern is a small managed firewall at each site, a separated guest and IoT network on its own VLAN, and a secure path back to the central systems. The network design service page covers the multi-site and segmentation approach in detail. This is also the single control a cyber-insurance underwriter is most likely to ask about and most surprised to find missing.

Layer 2: Property-management platform uptime and integration

The platform is the heart of the operation. The Central Coast firms we work with are most often on one of four:

• AppFolio — the common choice for small-to-mid residential and mixed portfolios. Strong portals, online payments, and screening built in.
• Buildium — popular with smaller residential and association managers, approachable pricing.
• Yardi (Breeze and Voyager) — scales from small portfolios to large commercial and mixed-use operations.
• Entrata, RealPage, and Rent Manager — viable depending on unit count, commercial mix, and accounting needs.

We do not resell these platforms, and the brand matters less than how you run it. The IT-side concerns are the same regardless of vendor: every user has a named account with MFA, roles are scoped so a leasing agent cannot see owner financials they should not, the integrations to your accounting and screening tools actually work instead of forcing double entry, and the data is independently backed up. A platform you pay for but configure loosely is a platform that leaks data through over-broad permissions and breaks your month-end close when one integration silently fails.

Layer 3: Tenant and owner data protection

This is the layer that turns a property manager into a target. A tenant application file holds a Social Security number, date of birth, employment and income data, bank account details, and a full credit report. Multiply that by every applicant you have ever screened and you are holding a database that is worth real money to an identity thief. Owner records add bank routing details for distributions. The protection baseline:

• MFA on every account that can reach tenant or owner data — Microsoft 365, the property-management platform, screening services, the bank, and any document storage.
• Role-based access, so people see only what their job requires. A part-time leasing agent does not need owner banking records.
• Encryption on every laptop and phone, so a device stolen from a car at a showing is a lost asset, not a breach notification.
• Endpoint detection (EDR) on every office device, not just antivirus.
• A real answer to "where does the PII live?" Screening data should stay inside the platform and the screening service, not get exported to a spreadsheet on someone's desktop or emailed to an owner.
• Monitored email security, because phishing is how attackers get the manager credentials that open all of the above.

The cybersecurity service page covers the engineering side, and the identity hardening post walks the Microsoft 365 baseline that most of this rests on.

Layer 4: Vendor-payment and wire-fraud defense

If you remember one section from this post, make it this one. Property managers move money on behalf of other people, and that makes them a premium target for business email compromise. Real estate and rental transactions are consistently among the most-targeted categories in the FBI's reporting on wire fraud, and the attacks are not technically sophisticated — they are patient and convincing. We cover the specific patterns in the next section, but the defenses belong in the core stack:

• No payment change from email, ever. Vendor bank changes, owner distribution changes, and wire instructions get verified by phone on a number you already had, not one from the message.
• Two-person approval for any change to where money is sent and for any wire over a set threshold.
• MFA and monitored email on every mailbox, because the strongest version of this fraud comes from inside a mailbox the attacker has actually compromised.
• Banking alerts on every account, with a human reviewing them, not a folder rule that hides them.

The vCIO and IT consulting engagement is where we usually write these payment-control procedures down with a client, because the fix is half technology and half a process that everyone actually follows.

Layer 5: Identity, access, and offboarding

Property management has high staff turnover and seasonal leasing help, and managers accumulate access to a lot of buildings. The departing-manager problem is the one I get called about most: someone leaves, and three weeks later the owner asks whether that person can still get into the systems for the twelve properties they ran. With named accounts and an access map, the answer is "no, we closed it the day they left." Without them, it is a week of anxious guessing.

• Named accounts only. No "frontdesk" login shared by three people. Shared logins destroy your audit trail and your offboarding control in one move.
• Conditional Access that blocks legacy authentication and can require compliant, managed devices for sensitive access.
• Mobile device management (MDM). Leasing agents work from phones; a lost phone with no MDM is a lost phone you cannot wipe. Intune or an equivalent makes the company apps and data remotely removable.
• A documented offboarding checklist that runs the day access ends: disable Microsoft 365, revoke the platform login, remove portal access, rotate shared passwords, and update smart-lock and access-control codes for the buildings the person managed.

The MFA fatigue post is worth a read here too, because turning MFA on is step one and choosing phishing-resistant MFA is the step that actually holds up against the social-engineering attacks aimed at your managers.

Layer 6: Backup and continuity

The records that have to survive a bad day: your accounting, the property-management database, signed leases and renewals, owner agreements, tenant ledgers and screening records, HOA governing documents and meeting minutes, and your email. Independent backup of Microsoft 365 (Outlook, OneDrive, SharePoint) and a documented export or backup path for the property-management platform are both needed. SaaS vendors back up their platform for their own resilience, not for your accidental deletion or your compromised admin account. If a manager deletes a property in AppFolio on Tuesday and you notice on Friday, you want your own backup, not a support ticket.

Continuity also means PG&E. The Central Coast sits under the Public Safety Power Shutoff program, and the 101 corridor has lost power for 12 to 72 hours in recent fire seasons. A leasing office that goes dark loses its phones, its payment processing, its cameras, and its access control. The fix is some combination of a UPS for the network gear, a documented runbook for failing over to a hotspot or a manager's home office, and a generator for offices in high-risk areas. The PSPS continuity plan post covers the playbook, and the backup and disaster recovery service page covers tested restores, immutable copies, and a written RTO and RPO your underwriter will accept.

The fraud patterns hitting property managers right now

This is the section that catches the most owners by surprise. Property management has its own fraud ecosystem, separate from generic ransomware, and it targets the money you move for other people. Four patterns we see often in 2026:

Vendor banking-change fraud

An attacker, often from inside a mailbox they have already phished, emails your AP person as a known vendor — a landscaper, a plumber, a roofing contractor — with "updated" ACH or banking details for future payments. The email looks right because it frequently comes from a real, compromised account or a near-perfect lookalike domain. The next vendor payment goes to the attacker. The defense is procedural: no banking change is ever accepted from an email, every change is verified by phone against a number already on file, and a second person signs off before the change is made.

Owner-distribution redirect

The same play, aimed at the other side of the ledger. The attacker poses as a property owner and asks you to send their monthly distribution to a new account. The money leaves your trust account and lands with the thief, and now you have a fiduciary problem with a real client on top of the loss. Same defense: verify the change with the owner directly, on a known number, with documented approval.

Acquisition and closing wire fraud

When your firm or an owner buys a property, the closing involves a wire. Attackers watch for these transactions and send spoofed "updated wire instructions" timed to the closing. Real estate wire fraud is one of the most damaging categories of business email compromise precisely because the dollar amounts are large and the money is gone the moment it lands. Treat every wire instruction as fraud until verified by phone with the title or escrow company on a number you looked up independently.

Tenant-payment phishing and account takeover

Residents pay rent online, and attackers know it. Two variants: a phishing page that mimics your resident portal to harvest tenant logins and payment details, and a compromised manager account used to message tenants with new "where to send rent" instructions. The defenses are MFA on staff accounts, monitored email security, a resident portal kept current and clearly branded, and a standing message to residents that you will never change payment instructions by email or text. The 2026 ransomware post walks the broader attacker playbook that sits behind these account-takeover attempts.

Compliance frameworks property managers operate inside

None of these require you to become a compliance lawyer. They do require the same handful of controls, documented. The property management IT service page maps each one to the IT work behind it; the short version:

• FTC Safeguards Rule. Because tenant screening and rent collection involve consumer financial information, the rule can treat a property manager as a financial institution. In practice that means a written information-security program, access controls, encryption, MFA, monitoring, and an incident-response plan.
• CCPA and CPRA. California's privacy laws apply to businesses that meet the statutory thresholds, and tenant, applicant, and employee data are all personal information. You need to know what you collect, secure it, and be able to respond to access and deletion requests.
• Fair housing and tenant-facing technology. Screening criteria, advertising, and any automated decision tools have to be applied consistently and without discriminatory effect. The IT angle is auditability: consistent, logged processes you can show.
• Davis-Stirling Act (HOAs). California's HOA law governs how association records are maintained and produced to members. That is a records-retention, secure-storage, and controlled-access problem — exactly the kind of thing a managed backup and document system is built for.
• Cyber-insurance underwriting. Not a law, but the questionnaire is its own framework. MFA everywhere, EDR, backups, email security, and segmentation are the controls that get you covered and keep a claim from being denied.

Office IT for a Central Coast property management back office

The leasing office and back office are where most of the dollars land. The baseline we recommend for an 8-to-15 person property management office:

• Microsoft 365 Business Premium per user. Includes Outlook, the Office apps, OneDrive, SharePoint, Teams, Defender for Business (EDR), Intune (MDM), and Entra ID P1 (identity hardening). At roughly $22 per user per month it is the most leveraged dollar in the stack. The Microsoft 365 settings post covers what to turn on first.
• Business-class internet with a documented SLA and an LTE or 5G failover, at every office.
• A real firewall (Fortinet, Sophos, Palo Alto, or a managed Meraki) with separated resident, guest, and IoT networks.
• VoIP for the leasing line so calls can ring through to mobile after hours and the main number is never tied to a personal cell.
• MDM on every phone and tablet the leasing agents and managers use in the field.
• UPS on the network closet and a documented power-loss runbook for PSPS season.

The full program lives on the managed IT services page, and the firms that want a strategic plan rather than just support use our vCIO service to budget and sequence it.

What we steer property managers away from

The patterns we see at firms that have not had a fresh set of eyes on their IT, and that we move clients off of:

• Resident Wi-Fi bridged to the office network. The fastest path from a stranger in the clubhouse to your tenant screening data.
• Shared logins. A "frontoffice" account three people use has no audit trail, no offboarding control, and no real MFA story. It is also a cyber-insurance and FTC Safeguards problem.
• Tenant or owner documents in a personal Gmail or a personal Dropbox. Outside your control, outside your audit trail, and outside any policy a regulator or underwriter will accept.
• Approving vendor or owner banking changes by email. This is the single most expensive habit in the industry. Every change gets a phone call.
• Leasing agents' phones with no MDM. A lost phone becomes a data-loss event you cannot remediate.
• No independent backup of the property-management platform or Microsoft 365. "The vendor backs us up" is not a backup you control.
• Skipping cyber insurance because "we're small." A small firm that moves owner money is a perfect target, and the premium is a fraction of a single fraudulent wire.

A realistic budget for a small property management firm

Numbers for a representative Central Coast firm with 10 office users across two offices, managing several hundred units and a handful of HOAs, running Microsoft 365 Business Premium and a cloud property-management platform. Monthly, all-in, and excluding the property-management software itself (which you already pay per unit):

• Microsoft 365 Business Premium: 10 users × $22 = $220
• MDR / managed security: 10 users × $25 = $250
• Managed IT (help desk, patching, backup, identity hardening): 10 users × $150–$200 = $1,500–$2,000
• VoIP for the leasing lines: 10 users × $25 = $250
• Office internet + failover, two sites: $400–$700
• Managed firewalls and segmentation, two sites: $300–$500
• Independent backup (Microsoft 365 + platform export): $100–$200

Total monthly IT spend lands roughly between $3,000 and $4,500 per month at ten office users across two offices, before hardware. The biggest mover is the per-user managed IT line, which scales with headcount, not unit count, so a firm that doubles its doors without adding much office staff sees the per-unit IT cost fall.

For comparison: a single successful vendor-banking-change or owner-distribution fraud we have seen attempted on Central Coast firms runs from $25,000 into six figures, and the money is usually unrecoverable and may not be covered if the basic controls were not in place. A ransomware event that takes down the office and the platform connection lands higher once you count downtime, recovery, and client notification. The IT budget pays for itself in a single avoided incident.

Where this fits

This post sits alongside several other pieces in the Ghosxt industry and security cluster:

• The property management and HOA IT service page, which covers the full Ghosxt program for property managers.
• The cybersecurity service page, for the underlying security stack.
• The network design service page, for the multi-site and resident-segmentation work.
• The managed IT services page, for the help desk and platform layer.
• The backup and disaster recovery service page, for the continuity layer.
• The IT consulting and vCIO page, for budgeting and writing down the payment controls.
• The professional services IT page, for the broader office-and-compliance pattern this shares.
• The 2026 ransomware post, for the attacker side of the security layer.
• The identity hardening post, for the MFA and Conditional Access baseline.
• The PSPS continuity plan, for fire-season power loss.

We support property management firms and HOAs across Monterey, Santa Cruz, Salinas, Watsonville, and Carmel, and the rest of the Central Coast.

FAQs about IT for property management companies

We use AppFolio (or Yardi). Doesn't that mean our data is already secure?

Your platform vendor secures the platform. They do not secure your user accounts, your staff laptops and phones, your email, or the way your team logs in from home and from on-site offices. This is the shared-responsibility model, and the tenant side of the line is where almost every property-management breach we see actually happens: a phished manager account, a laptop with no encryption or endpoint protection, an inbox with no MFA. Yardi and AppFolio give you the tools to be secure — MFA, role-based access, audit logs — but turning them on, monitoring them, and backing up the data are still yours to own.

A vendor emailed us new banking details for ACH. How do we know it's real?

Assume it is fraud until you have proven otherwise out of band. Vendor banking-change fraud is the single most common attack we see hitting Central Coast property managers, and it almost always arrives as a believable email from a real-looking address. Never update payment details from an email. Call the vendor back on a phone number you already had on file, not a number from the email, confirm the change with a person you know, and require a documented two-person approval for any change to where money is sent. The same rule applies to owner distribution changes and to wire instructions during an acquisition. One verification phone call is cheaper than a five-figure loss that the bank usually cannot claw back.

Our resident Wi-Fi and our office network share the same internet connection. Is that a problem?

Yes, and it is one of the most common findings we have at property management firms and on-site leasing offices. Resident and amenity Wi-Fi, smart locks, cameras, package lockers, and thermostats should live on a network that is physically or logically separated from the network where your accounting, tenant screening data, and property-management platform live. If a resident's malware-infected laptop sits on the same flat network as the leasing office PC, an attacker who lands on the resident side can reach the side that holds Social Security numbers and bank details. Segmentation is inexpensive and it is exactly what a cyber-insurance underwriter expects to see.

A property manager just left who had access to twelve buildings' systems. What should we do?

Run a documented offboarding checklist the same day their access ends, not the following week. The checklist disables the Microsoft 365 account, revokes the property-management platform login, removes them from owner and vendor portals, rotates any shared passwords they knew, and updates smart-lock and access-control codes for the buildings they managed. The reason this is a fire drill at most firms is shared logins and undocumented access. If every manager has a named account and you keep a simple access map of who can reach what, offboarding becomes a fifteen-minute task instead of a week of worry about a former employee with keys to twelve buildings' data.

Do California privacy rules and the FTC Safeguards Rule really apply to a small property manager?

Often, yes, and the right move is to assume they might and ask rather than assume they do not. The FTC Safeguards Rule can reach property managers that handle consumer financial information through tenant screening and rent collection, because that activity can make a business a financial institution under the rule. California's CCPA and CPRA apply to businesses that meet the statute's thresholds, and tenant, applicant, and employee data all count as personal information. HOAs in California also operate under the Davis-Stirling Act, which governs how association records are kept and produced to members. You do not need to become a compliance lawyer, but you do need named accounts, MFA, encryption, access logging, a written incident-response plan, and a backup story, because that is what every one of these frameworks — and your cyber-insurance underwriter — expects.

Is our office firewall enough security for a property management company?

No, and it has not been for years. The firewall protects the leasing office. It does not see your manager's laptop at a property, your leasing agent's phone, your bookkeeper working from home, your AppFolio or Yardi tenant in the cloud, or your Microsoft 365 mailboxes, and those are where the attacks land. Modern property-management IT is identity-first: MFA on every account, endpoint detection on every device, monitored email security on every mailbox, network segmentation between residents and the office, and a verified backup. The firewall is one of about ten controls, not the control.

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.