Tech

Explore the latest insights that can reshape your business’s approach to cybersecurity disclosure and gain a deeper understanding of how the evolving landscape of cybersecurity disclosure impacts privately owned businesses.

1. Identify Gaps in SEC’s Proposed Disclosure Requirements

• First, analyze the differences between what the SEC is suggesting for disclosures and what your company currently does.
• Assign responsibility for making the necessary improvements.

2. Integrate Disclosure Processes

• Avoid the mistake of creating a new, complex process. Instead, figure out how your cybersecurity practices can be seamlessly incorporated into your existing disclosure procedures.
• Identify the people who need to be involved, including legal experts.

3. Update Incident Management Process

• Adapt your incident management procedures to account for factors like the significance of the event and continuous reporting and monitoring.
• Ensure consistency in how you determine what is significant and how you disclose cybersecurity incidents, similar to how you handle operational or financial issues.

4. Engage Board of Directors Early

• Start a dialogue with your board of directors about the new disclosure requirements.
• Collaborate to identify any changes in governance that may be necessary.

5. Leverage Technology

• Invest in the right technology tools that can help streamline your disclosure processes and communication.
• This could be a single, all-in-one solution or a combination of individual tools that work together effectively.

Companies must take cybersecurity more seriously than ever before after a new rule passed by the SEC.

Have questions? Reach out today!

Public companies must prepare to meet higher standards for cybersecurity.

The SEC recently issued a rule requiring public companies to disclose when they fall victim to a material cyber attack. Companies will also have to file annual disclosures about their cybersecurity risk profile.

As cyber attacks become more common and costly, it’s important for businesses to be forthcoming about their cyber risk. This fact along with inconsistent public company reporting of cyber events compelled the SEC to mandate public companies to disclose material attacks in Form 8-K filings within 4 days of the incident being discovered along with a better appreciation of the company’s cyber risk environment.

What Requirements are in the New Rule?

The requirements fall into two categories:

• Incident Disclosure – Within 4 days of a cybersecurity incident being discovered that has a “material” impact, companies must report what happened, when/how it was discovered, who was affected and how, and what remediation is underway, among other details. All this information enters the public record.
• Yearly Reporting – Once a year, companies must file a Form 10-K report outlining their cybersecurity risk assessment program, highlighting how it aligns with strategy and planning, and what third party experts it includes.

What Does This Mean for Public Companies?

Many companies already disclose breaches and report on their security environment but not to the level the SEC expects for proper investor evaluation.

The new SEC rule will require all companies to act quickly in the wake of a cyber incident. Gathering the required information within a four-day window means starting immediately after discovery and working methodically from there. Companies will need to assess whether they have the staff and tools to understand incidents in a matter of days. Investing the time now in developing a cyber incident policy is paramount.

Closely related, companies will need to review their entire approach to cyber risk before, during, and after an attack. Reporting on cybersecurity activities will be the easy part. Much harder will be managing cyber risk effectively, month after month, even as new threats and vulnerabilities emerge.

The new SEC rule means new compliance and reporting requirements which require immediate attention.

How Do You Become Compliant?

The first step will be to perform a gap analysis between current practices and those required by the SEC. That will, in most cases, be followed by a systematic effort to close gaps. Otherwise, companies expose themselves to compliance penalties, legal action, and reputational damage—not to mention increased exposure to cyber attacks.

Public registrants will need to comply with the new annual disclosures for fiscal years ending after December 15, 2023, excluding small reporting companies that have until fiscal years ending after December 15, 2024. Incident reporting will be effective 90 days after the date of publication in the Federal Register or December 18, 2023 (later of). For small reporting companies 270 days after publication in the Federal Register or June 15, 2024 (later of).

Beyond just boosting cybersecurity, companies will need to rethink how cyber risk affects every facet of the organization. The team at Dean Dorton, with expertise spanning from cybersecurity to board oversight, is your resource for getting the new SEC rule right.

The deadline for compliance is fast approaching. Contact Dean Dorton to put a plan in place.

What is Juice Jacking?

Juice jacking is when bad actors place a corrupted USB port in a public location, such as an airport or coffee shop with the goal of an unknowing person plugging their cable into it to charge their phone. The port is then used to install malware on the device and steal personal information. In terms of implementation, this type of attack is fairly easy to execute.

Charging kiosks in the era of smartphones have become commonplace in public locations. This is another prime example of hacker using legitimate, everyday technology for nefarious intent. While the attacks thus far have not been common, it is anticipated that these sorts of attacks will increase over the next few years.

How to Protect Yourself

Situational awareness is imperative in cases such as this.

If public USB ports are your only option, be sure to inspect the port prior to plugging in a cable. If it appears off, do not use it. The Federal Communications Commission also said, “If you plug your device into a USB port and a prompt appears asking you to select ‘share data’ or ‘trust this computer’ or ‘charge only,’ [you should] always select ‘charge only.'” Experts also recommend using a USB write blocker. This prevents threat actors from passing any data over USB.

However, the safest option is to avoid public USB ports altogether. If you are anticipating that your device will need to be charged, bring your own charger and plug it in directly to a power outlet or portable charger.

Further Steps

To learn more about cyber threats facing your organization, contact Dean Dorton today.

And for more information on juice jacking, here are some helpful articles:

Traveling? This $7 gadget protects your phone from treacherous USB charging ports

FBI office warns against using public phone charging stations at airports or malls citing malware risk

For a long time, multi-factor authentication (MFA) has been considered one of the best ways to protect an organization’s assets. So much so that in 2019, Microsoft released an article stating that MFA would prevent 99.9% of attacks on accounts.

Nowadays, while MFA is still a key aspect of cybersecurity for business as well as personal use, it is the not the cure-all that it once was. Bad actors have adapted their tactics and found ways to work around MFA security measures.

Why is MFA not Enough Anymore?

Multi-factor authentication uses a combination of multiple factors to assist with proving you are who you say you are. These factors include:

1. Something you know – This is usually a password.
2. Something you have – This can be using your phone to receive an SMS text, an authenticator app, etc.
3. Something you are – This is usually a physical characteristic like a palm scan or a retina scan.

To have true multi-factor authentication, there must be at least two separate factors used in conjunction. For example, this might look like using a password alongside an authenticator app. In this scenario, a user would sign into their account with their username and password and then receive a prompt to either accept a push notification or enter a code to access the desired resources.

Recently, however, threat actors have adapted their tactics to work around the MFA workflow, meaning these standard MFA practices are no longer enough to protect users and their data.

What are Threat Actors Doing?

One of the tactics threat actors have been using is an AiTM framework, or an attacker-in-the-middle framework. Under this approach, the attacker inserts a fake landing page in between the user and the legitimate application. For example, they will pass a fake landing page to the end user for Office365 utilizing a phishing email. When the user enters their credentials and accepts the push or enters the MFA code, the attacker obtains both pieces of key information and can hijack the session.

Another tactic threat actors utilize is stealing session cookies from your browser. If you are authenticated to your email or other sensitive sites, the threat actor can use malware to steal your sessions and gain access to your personal data. SIM-swapping attacks are also common and take place when a threat actor social engineers your mobile carrier to allow them to swap their controlled SIM card with yours. From there, they can gain access to your number to steal any sort of MFA codes that may be sent via text message.

One of the more frequent attacks that Dean Dorton’s Cybersecurity team has observed among major corporations is “MFA fatigue”. This is when a threat actor gains access to your credentials either through phishing or other means (data breaches, password guessing, etc.) and then sends MFA pushes to your device until you are bothered enough that you accept it.

What Can We Do?

There are a few approaches you can take to further secure your MFA.

1. Utilize more phish-resistant MFA methods. This could be by utilizing a hardware token, such as a YubiKey, or using additional challenges along with the push notification based off risk. An example of this would be Microsoft’s Number Challenges for high-risk sign-ins in which before the authentication is established, the user must provide a number populated on their screen to their device to sign in.
2. Avoid using text messages as an additional factor if possible. SIM swapping attacks can occur rather easily and text messages are not an ideal and secure method for MFA codes.
3. Ensure all devices are protected with endpoint security software to avoid malware-based attacks.
4. If experiencing excessive MFA requests that you did not initiate, continue to deny them, change your password immediately and if there is an option in your authenticator software, report the attempts as fraudulent.

If you have further questions and need assistance with evaluating your current MFA solution, please reach out to Dean Dorton’s Cybersecurity Experts today.