Tech

Article Dean Dorton

Explore the latest insights that can reshape your business’s approach to cybersecurity disclosure and gain a deeper understanding of how the evolving landscape of cybersecurity disclosure impacts privately owned businesses.

1. Identify Gaps in SEC’s Proposed Disclosure Requirements

  • First, analyze the differences between what the SEC is suggesting for disclosures and what your company currently does.
  • Assign responsibility for making the necessary improvements.

2. Integrate Disclosure Processes

  • Avoid the mistake of creating a new, complex process. Instead, figure out how your cybersecurity practices can be seamlessly incorporated into your existing disclosure procedures.
  • Identify the people who need to be involved, including legal experts.

3. Update Incident Management Process

  • Adapt your incident management procedures to account for factors like the significance of the event and continuous reporting and monitoring.
  • Ensure consistency in how you determine what is significant and how you disclose cybersecurity incidents, similar to how you handle operational or financial issues.

4. Engage Board of Directors Early

  • Start a dialogue with your board of directors about the new disclosure requirements.
  • Collaborate to identify any changes in governance that may be necessary.

5. Leverage Technology

  • Invest in the right technology tools that can help streamline your disclosure processes and communication.
  • This could be a single, all-in-one solution or a combination of individual tools that work together effectively.

Companies must take cybersecurity more seriously than ever before after a new rule passed by the SEC.

Have questions? Reach out today!

Article Dean Dorton

Public companies must prepare to meet higher standards for cybersecurity.

The SEC recently issued a rule requiring public companies to disclose when they fall victim to a material cyber attack. Companies will also have to file annual disclosures about their cybersecurity risk profile.

As cyber attacks become more common and costly, it’s important for businesses to be forthcoming about their cyber risk. This fact along with inconsistent public company reporting of cyber events compelled the SEC to mandate public companies to disclose material attacks in Form 8-K filings within 4 days of the incident being discovered along with a better appreciation of the company’s cyber risk environment.

What Requirements are in the New Rule?

The requirements fall into two categories:

  • Incident Disclosure – Within 4 days of a cybersecurity incident being discovered that has a “material” impact, companies must report what happened, when/how it was discovered, who was affected and how, and what remediation is underway, among other details. All this information enters the public record.
  • Yearly Reporting – Once a year, companies must file a Form 10-K report outlining their cybersecurity risk assessment program, highlighting how it aligns with strategy and planning, and what third party experts it includes.

What Does This Mean for Public Companies?

Many companies already disclose breaches and report on their security environment but not to the level the SEC expects for proper investor evaluation.

The new SEC rule will require all companies to act quickly in the wake of a cyber incident. Gathering the required information within a four-day window means starting immediately after discovery and working methodically from there. Companies will need to assess whether they have the staff and tools to understand incidents in a matter of days. Investing the time now in developing a cyber incident policy is paramount.

Closely related, companies will need to review their entire approach to cyber risk before, during, and after an attack. Reporting on cybersecurity activities will be the easy part. Much harder will be managing cyber risk effectively, month after month, even as new threats and vulnerabilities emerge.

The new SEC rule means new compliance and reporting requirements which require immediate attention.

How Do You Become Compliant?

The first step will be to perform a gap analysis between current practices and those required by the SEC. That will, in most cases, be followed by a systematic effort to close gaps. Otherwise, companies expose themselves to compliance penalties, legal action, and reputational damage—not to mention increased exposure to cyber attacks.

Public registrants will need to comply with the new annual disclosures for fiscal years ending after December 15, 2023, excluding small reporting companies that have until fiscal years ending after December 15, 2024. Incident reporting will be effective 90 days after the date of publication in the Federal Register or December 18, 2023 (later of). For small reporting companies 270 days after publication in the Federal Register or June 15, 2024 (later of).

Beyond just boosting cybersecurity, companies will need to rethink how cyber risk affects every facet of the organization. The team at Dean Dorton, with expertise spanning from cybersecurity to board oversight, is your resource for getting the new SEC rule right.

The deadline for compliance is fast approaching. Contact Dean Dorton to put a plan in place.

Article Dean Dorton

What is Juice Jacking?

Juice jacking is when bad actors place a corrupted USB port in a public location, such as an airport or coffee shop with the goal of an unknowing person plugging their cable into it to charge their phone. The port is then used to install malware on the device and steal personal information. In terms of implementation, this type of attack is fairly easy to execute.

Charging kiosks in the era of smartphones have become commonplace in public locations. This is another prime example of hacker using legitimate, everyday technology for nefarious intent. While the attacks thus far have not been common, it is anticipated that these sorts of attacks will increase over the next few years.

How to Protect Yourself

Situational awareness is imperative in cases such as this.

If public USB ports are your only option, be sure to inspect the port prior to plugging in a cable. If it appears off, do not use it. The Federal Communications Commission also said, “If you plug your device into a USB port and a prompt appears asking you to select ‘share data’ or ‘trust this computer’ or ‘charge only,’ [you should] always select ‘charge only.'” Experts also recommend using a USB write blocker. This prevents threat actors from passing any data over USB.

However, the safest option is to avoid public USB ports altogether. If you are anticipating that your device will need to be charged, bring your own charger and plug it in directly to a power outlet or portable charger.

Further Steps

To learn more about cyber threats facing your organization, contact Dean Dorton today.

And for more information on juice jacking, here are some helpful articles:

Traveling? This $7 gadget protects your phone from treacherous USB charging ports

FBI office warns against using public phone charging stations at airports or malls citing malware risk

Article Dean Dorton

For a long time, multi-factor authentication (MFA) has been considered one of the best ways to protect an organization’s assets. So much so that in 2019, Microsoft released an article stating that MFA would prevent 99.9% of attacks on accounts.

Nowadays, while MFA is still a key aspect of cybersecurity for business as well as personal use, it is the not the cure-all that it once was. Bad actors have adapted their tactics and found ways to work around MFA security measures.

Why is MFA not Enough Anymore?

Multi-factor authentication uses a combination of multiple factors to assist with proving you are who you say you are. These factors include:

  1. Something you know – This is usually a password.
  2. Something you have – This can be using your phone to receive an SMS text, an authenticator app, etc.
  3. Something you are – This is usually a physical characteristic like a palm scan or a retina scan.

To have true multi-factor authentication, there must be at least two separate factors used in conjunction. For example, this might look like using a password alongside an authenticator app. In this scenario, a user would sign into their account with their username and password and then receive a prompt to either accept a push notification or enter a code to access the desired resources.

Recently, however, threat actors have adapted their tactics to work around the MFA workflow, meaning these standard MFA practices are no longer enough to protect users and their data.

What are Threat Actors Doing?

One of the tactics threat actors have been using is an AiTM framework, or an attacker-in-the-middle framework. Under this approach, the attacker inserts a fake landing page in between the user and the legitimate application. For example, they will pass a fake landing page to the end user for Office365 utilizing a phishing email. When the user enters their credentials and accepts the push or enters the MFA code, the attacker obtains both pieces of key information and can hijack the session.

Another tactic threat actors utilize is stealing session cookies from your browser. If you are authenticated to your email or other sensitive sites, the threat actor can use malware to steal your sessions and gain access to your personal data. SIM-swapping attacks are also common and take place when a threat actor social engineers your mobile carrier to allow them to swap their controlled SIM card with yours. From there, they can gain access to your number to steal any sort of MFA codes that may be sent via text message.

One of the more frequent attacks that Dean Dorton’s Cybersecurity team has observed among major corporations is “MFA fatigue”. This is when a threat actor gains access to your credentials either through phishing or other means (data breaches, password guessing, etc.) and then sends MFA pushes to your device until you are bothered enough that you accept it.

What Can We Do?

There are a few approaches you can take to further secure your MFA.

  1. Utilize more phish-resistant MFA methods. This could be by utilizing a hardware token, such as a YubiKey, or using additional challenges along with the push notification based off risk. An example of this would be Microsoft’s Number Challenges for high-risk sign-ins in which before the authentication is established, the user must provide a number populated on their screen to their device to sign in.
  2. Avoid using text messages as an additional factor if possible. SIM swapping attacks can occur rather easily and text messages are not an ideal and secure method for MFA codes.
  3. Ensure all devices are protected with endpoint security software to avoid malware-based attacks.
  4. If experiencing excessive MFA requests that you did not initiate, continue to deny them, change your password immediately and if there is an option in your authenticator software, report the attempts as fraudulent.

If you have further questions and need assistance with evaluating your current MFA solution, please reach out to Dean Dorton’s Cybersecurity Experts today.

Article Dean Dorton

The budgeting process is an important time to carefully analyze the value new technology solutions can provide while balancing long and short-term cost mitigation with bottom line opportunity costs. The advantages far outweigh the risk or pain of technology upgrades, but only if you take time to understand your options, what suits your business size, industry, and functions best. Working with an experienced partner, like Dean Dorton Technology, provides the expertise to deliver the meaningful insights and recommendations that can help guide well-founded decisions.

Below are our recommended considerations for budgeting for collaborative technology in 2021.

Collaborative Meeting Solutions

Using collaborative meeting solutions for workers in meeting spaces, at their desks or when mobile, with integrated voice, video, messaging and content sharing can increase your efficiency dramatically. Is your chosen collaborative meeting solution working for you? Have you discovered things you like or don’t like? Are you not sure how to fix the problems or how to make your solution function best?

Now is the ideal time to take a look at the functionality of all your systems. Is it easy and effective for team members or customers to use? Do you have access to recordings? Is the quality of audio, visual, and screen sharing up-to-par for your standards? Will your solution integrate seamlessly with your technology inside the office? Will it fit into your budget?

Hybrid Workplace Solutions

While it’s exciting that innovative collaboration experiences are changing the way business is done, your main focus is keeping productivity high. Integrating your technology systems together to provide powerful easy-to-use customer experiences can take your team and your organization to new heights. Consider how artificial intelligence will continue to impact the way you work and lay the foundation for the next-gen workplace. Considerations:

  • Do your current systems allow for a consistent experience no matter where you are?
  • Can you effortlessly move between your virtual and physical worlds?
  • Does your technology allow for suppression of background noises?
  • Are your systems secure through encryption and authentication methods?
  • Are you able to take notes and “whiteboard” out ideas in the meeting spaces and have them saved for access anytime for those on the team?

Questions about benefits/cost analysis, budget, best-in-class tools, average costs, timing, or implementation?

David Rice
Senior Infrastructure Engineer
drice@ddaftech.com • 859.425.7735

Article Dean Dorton

By: Crissy Fiscus

ITT Technical Institute is the latest school to close its doors after significant sanctions were placed upon the institution by the Department of Education (ED). ITT received a letter from the Department of Education on August 25, 2016 that outlined the sanctions including:

  • Increasing the line of credit to 40% Title IV funds received by the institution during its most recently completed fiscal year
  • Changing the method of payment to Heightened Cash Monitoring 2 (HCM2)
  • Notification and communication with the ED within 10 days of specifically identified financial and oversight events
  • Additional reporting requirements that required the school to provide information about operations, finances, and future plans
  • Additional operational requirements, which included that the school could not enroll new students that may receive federal student financial aid funds.

On September 5, 2016, just 11 days later, ITT announced that it would close its doors.

In reading the August 25, 2016 letter from the ED to ITT, I noticed that the very first sentence referenced prior communications from the ED from more than two years ago. In August 2014 ITT was cited by the ED for it late submission of annual compliance audited financial statements. As a result of this financial responsibility failure, ITT was permitted to continue participating in the Title IV program under a Provisional Program Participation Agreement for three award years. The letter went on to say that since August 2014 the ED had been actively monitoring ITT’s ongoing operations and finances.

Then in April 2016, the ED received notice from the Accrediting Council for Independent Colleges and Schools (ACICS) that ACICS had issued a directive to ITT asking the institution to prove why its accreditation should not be withdrawn. According to the ACICS Accreditation Criteria, this type of directive is issued when the Council determines that an institution is not in compliance, and is unlikely to become in compliance with the accreditation criteria. After much communication, including a hearing, another directive was issued by ACICS in August 2016, which continued to question ITT’s compliance with several accreditation standards:

  • Minimum eligibility requirements for compliance with all applicable laws and regulations
  • Requirements for student achievement, as measured by retention, placement, and licensure passage rate
  • Institutional integrity, a manifest in the efficiency and effectiveness of its overall administration of the institution
  • Financial stability, including having adequate revenues and assets to meet its responsibilities
  • Administrative capability, including overall management and record-keeping
  • ACICS admissions and recruitment standards
  • Federal and state student financial aid administration requirements

You will notice that I have bolded/highlighted several words throughout this article. Those words have very important meaning in the world of student financial aid, as they are the most common reasons the ED may place a school on a method of payment known as HCM1 or HCM2 (Heightened Cash Monitoring 1 or 2).

HCM1 requires the schools to make disbursements to students from its own funds, submit disbursement records to the Common Origination and Disbursement System, and then draw down the SFA funds. HCM1 is much less restrictive than HCM2.

HCM2 requires the school to disburse the money to the students and then submit a request for disbursement to the ED. The ED must approve the request before the funds will be disbursed to the school. Once on HCM2, very few schools survive – the cash flow squeeze is simply too much for them to overcome. I recently examined the list of schools which have been placed on HCM1 or HCM2 by the ED – 428 schools are on HCM1 and 65 schools are on HCM2. I also summarized the main reasons that schools were placed on HCM1 and HCM2:

Summary of top reasons schools are on HCM1:

  • Administrative capability – 17
  • Financial responsibility – 309
  • Audit late/missing – 84
  • Program review – severe findings – 1
  • Accreditation problems – 1
  • Other (CIO problems, eligibility) – 13

Summary of top reasons schools are on HCM2:

  • Administrative capability – 11
  • Financial responsibility – 6
  • Audit late/missing – 8
  • Program review – severe findings – 16
  • Accreditation problems – 12
  • Other (CIO problems, eligibility) –12

Go back and look at those bolded/highlighted words and compare them to the list of the top reasons that schools are placed on HCM1 or HCM2. As you can, see ITT had many of these issues for a period of years – beginning back in 2014, when the late audit captured the attention of the ED.

ITT is clearly not the first school that has closed due to being placed on HCM2 – honestly, very few schools survive that type of cash flow crunch. Compliance with the Department of Education’s requirements is not up to interpretation – it is absolutely required and the rules must be respected by those that wish to continue to award Title IV funds to their students. Understand the rules and create systems to make sure that they are followed. We make it our business to understand these rules and help schools to develop the policies and procedures to stay in compliance.

If your institution is interested in helping the ITT Tech students, the ED posted an electronic announcement with guidance, links, websites, and contact information surrounding the recent ITT closures.

If you would like to discuss further, contact your Dean Dorton advisor or Crissy Fiscus at cfiscus@deandorton.com.