The Manufacturer’s Guide to Building Brand Loyalty and Trust

Key Takeaways:

  • U.S. companies must follow data privacy rules, not only for legal compliance but to build brand trust and loyalty.
  • As manufacturers increasingly adopt advanced technologies like artificial intelligence (AI) and machine learning, protecting customer data becomes more essential — and more complex.
  • Key compliance gaps include outdated tracking technologies, third-party data sharing risks, data collection without clear consent, and challenges from emerging technologies.

~

U.S. companies are legally bound to follow data privacy rules and protect customer data. However, upholding data privacy standards is more than just a legal requirement; it’s imperative to building brand loyalty and trust.

As data usage continues to increase for manufacturers, protecting customer data and privacy may prove more challenging. According to BDO’s 2024 Manufacturing CFO Outlook Survey, 35% of manufacturers now use advanced analytics, including forecasting and predictive models. They are also increasing their spending on innovative technologies, such as artificial intelligence and machine learning. Additionally, 30% of manufacturers consolidate their data in a central location and share it across the organization, which can introduce security vulnerabilities.

As manufacturers continue to enhance their digital maturity through Industry 4.0 initiatives, they will need to continually refine their protection and data privacy programs.

Key Concepts to Know

Building a strong program foundation depends on two concepts: Iteration and Data Protection ‘by Design’ and ‘by Default.’

  • Iteration: Data privacy compliance is a journey, not a destination — it requires ongoing monitoring, testing, and improvement of the protection and data privacy programs that support it. Manufacturers should focus on developing an ongoing, overarching culture of compliance to enable the company to meet the demands of the evolving regulatory landscape.
  • Data Protection ‘by Design’ and ‘by Default’: These approaches integrate privacy and data protection practices into the organization’s activities from the beginning, which helps mitigate risk, close compliance gaps, foster trust with users and customers, and reduce the likelihood of privacy violations.

Ready to build the right foundation for your protection and data privacy program? Read on to get started.

Have You Seen Any of These Red Flags?

Before getting started with our checklist, take a moment to think about whether your company has experienced any of the following scenarios, which may be a driver for change.

  • Consumers complain about a lack of transparency in the amount of personal data you collect about them, or the ways in which you handle their personal data.
  • Your company receives a high volume of complaints or regulatory inquiries.
  • Your services or products put you in the category of high-risk controllers or processors because of the amount of personal data you collect or process.
  • Your company experienced a decline in user engagement, and it is driving a reduction in market share or brand recognition.
  • Privacy activists are filing lawsuits against your company or your peers.
  • Your industry is on the receiving end of frequent regulatory fines. This is often a tell-tale sign that regulators are scrutinizing companies within your industry, so your business should work to shore up data privacy compliance processes sooner rather than later.
  • Your company has incurred a regulatory fine.
  • Your company has experienced a data privacy breach or cyberattack.

Common Gaps in Privacy & Data Protection Programs

While identifying privacy and/or data protection red flags may be straightforward, manufacturers need to uncover and address program gaps to strengthen their compliance. Here are four common compliance gaps to look for and address within your organization:

  1. Tracking technologies: Companies continue to struggle with compliance around tracking technologies (pixels, web beacons, and cookies). We regularly see companies fined for improperly using outdated tracking technologies, writing code that leaks data, and violating regulations. Data leakage can lead to a report of a data breach with regulators.
  2. Data collection and consent: Companies must balance their need to collect personal data with clear and informed consent. For U.S. companies, this is a challenge since not all laws have caught up with consumer expectations. However, as data usage becomes more intricate and globalized, user consent is one of the most pivotal areas of privacy compliance programs.
  3. Third-party data sharing: Most privacy regulations require companies to determine whether their vendors adhere to the same level of privacy and data protection standards as the hiring company. Vendor assessments and an understanding of inward and outward data flows allow manufacturers to identify potential risks and stop sharing data with a third party if needed.
  4. Emerging technologies: Integrating innovative technologies like artificial intelligence (AI), Internet of Things (IoT), blockchain, and biometrics while maintaining privacy standards poses challenges in understanding and mitigating risks. These technologies require manufacturers to continuously reassess and update their privacy policies and practices to promote compliance and protect users’ personal data.

Building the Baseline Program

This first checklist serves as part one of a three-part series to help your company develop a privacy & data protection roadmap and prepare for enhanced regulator and stakeholder scrutiny — especially for manufacturers in the business-to-consumer category.

The items below represent baseline best practices for privacy and data protection compliance programs. This comprehensive list, while not inclusive of every possible tactic, provides a starting point to build the foundation prior to tackling more complex activities.

  • Do you have buy-in to build or rebuild your privacy and data protection program? Privacy programs require a plan, budget, and buy-in at the highest levels of the organization. Build your business case, identify an executive sponsor, and get board approval to invest in consumer data protection.
  • Do you know where your personal data resides and who has access to it? Organizing and knowing where personal data resides and who can access it or when it is shared is a hallmark of a foundational, compliant data privacy program. To start, develop a comprehensive data inventory and identify personal or sensitive data. Key steps to take include:
    • Identify data sources
    • Categorize data into personal, sensitive, and other categories to evaluate its privacy significance
    • Map the data flow
    • Determine who owns each data category and is responsible for proper handling
    • Assess data flow, transfer, and other risks associated with each category
    • Record how data is collected, stored, processed, and shared
    • Identify current organizational data practices to align with privacy regulations
    • Define retention periods
    • Understand and update access controls
    • Establish a timeline to continually review and update the inventory
  • Is data protection a priority at the top? To build a strong privacy program, data protection must be viewed as a priority. It is also important to educate the board and executive teams to ensure they understand the differences between privacy and security. Privacy and security standards and processes are both related to protection best practices but are inherently different.
    • Security protects data from unauthorized access, breaches, and cyberattacks. It allows an organization to safeguard personal data and information from internal and external threats.
    • Privacy, on the other hand, focuses on the appropriate handling and use of personal data. Privacy measures focus on minimizing the collection of sensitive and personal data, obtaining consent to use that data, and ensuring that data is used for its intended purposes.
  • Is the board engaged in privacy and data protection discussions? The commitment of the board is essential to drive reputation and trust. The board’s oversight of privacy practices helps maintain the company’s brand and credibility, reduce the risk of data breaches and their fiscal impact, and drive employee engagement in data privacy best practices.
  • Is privacy and data protection part of your corporate strategy? Privacy considerations can influence strategic decisions about product development, partnerships, and data sharing practices. Building internal and external support channels to evaluate ways to promote privacy and data protection as a differentiator helps to build the program’s business case. Treating privacy and data protection as part of the organization’s strategy demonstrates to users and consumers that the company is serious about protecting their data.
  • Are you transparent and do you share data practices with the public? Your policies around data collection and processing should be highly transparent. This means proactively sharing those policies and privacy notices with customers. Studies have shown that companies that are transparent with the public about how data is collected, processed, and shared are held in higher regard by customers and regulators.
  • Do you destroy outdated and unnecessary data? Data retention is a critical component of every privacy program because it demonstrates that you are trying to reduce the risk of data leaks and unauthorized use. Establish retention schedules and policies to determine how long distinct categories should be retained and when they should be destroyed.
  • Has your company established a breach response program and evaluated it? Data breach and incident response programs are required under every privacy law regardless of your location. Manufacturers must abide by regulations that dictate how to craft a data breach response program, from the detection of a potential breach to when the organization must notify board members, employees, and customers after one has occurred.
  • Have you appointed a Data Protection Officer (DPO)? It is likely that a DPO is required in regions where you sell or operate. Review regulations to determine locations where you are required to have a DPO and identify regional or local in-country appointments. A common approach our clients find useful is to appoint a Global DPO with in-country or regional appointments to offset time zone, language, and cultural challenges.
  • Are employees required to complete privacy, security, and data protection training at regular intervals? At this stage, it is critical that companies establish data privacy awareness and training for employees. Guarding customer data is the responsibility of everyone at the organization so it should be part of regular training, awareness campaigns, and individual goals.

Going Beyond the Groundwork

This checklist can help you build the foundation for a privacy and data protection program that helps restore trust with your stakeholders, employees, and customers.

In our next checklist, we’ll provide guidance on how to evolve the steps from the foundational stage, looking at tactics such as establishing a Data Protection Committee and fine-tuning employee training programs.

How MGO Can Help

The manufacturing and distribution industry is marked by dynamic complexity and evolving opportunities. With these opportunities come challenges surrounding customer privacy.

To maintain brand loyalty through data security, MGO offers tailored solutions through cross-functional teams to help you navigate the data protection issues of today and position your company for lifelong customer loyalty. We can work with you to strengthen your network security, guide your employee education and training, establish compliance programs tailored to your industry, assist with enhancing the security of your manufacturing equipment and infrastructure, and more.

Maintain the integrity of your customers’ data and keep your operations running smoothly. Reach out to MGO today for support.


Written by Val Laufenberg, Maurice Liddell and Bill Pellino. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

10 Critical Questions for Reducing Information Technology Risk in Tribal Gaming

Key Takeaways: 

  • IT operational assessments help Tribal nations and gaming enterprises by enhancing efficiency, security, compliance, and overall business performance.  
  • Tribal nations can use this 10-question checklist to evaluate current IT practices; identify areas to improve security, compliance, and risk management; and guide future strategic planning and decision-making. 

~ 

Your Tribal nation and its gaming enterprises demand robust and secure information technology (IT) systems. IT operational assessments can significantly contribute to the overall success and sustainability of your property — helping you identify vulnerabilities, optimize systems, verify compliance, and enhance guest experiences.

Checklist: 10 Key IT Questions You Should Be Asking

Understanding the importance of IT assessments for your Tribal nation and gaming entities begins with asking these questions:

1. How can we identify potential vulnerabilities in our technology?

Conducting thorough evaluations of your systems, networks, applications, and data assets helps to pinpoint security weaknesses and potential risk within your systems before they can be exploited. Regular assessments help improve defenses against cyberattacks, fraud, and data breaches.

2. What steps should we take to enhance our security posture?

By evaluating the current IT infrastructure, you can identify outdated or inefficient systems and processes that need upgrading or replacement. Streamlining processes through better technology integration can lead to more efficient operations, reducing downtime and increasing productivity. By enhancing your cybersecurity, you safeguard critical data and increase stakeholder confidence.

3. How can we achieve regulatory compliance in our Tribal gaming and business operations?

Maintaining compliance with industry standards and regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), and other relevant security frameworks, can provide a roadmap to identify risk while upgrading and optimizing IT systems.

4. What strategies should we use to manage risks effectively?

Prioritizing risks based on their potential impact is essential for effective risk management. Allocating resources efficiently to address the most critical threats allows for a comprehensive risk management strategy tailored to the unique needs of your Tribal nation and its gaming entities. This proactive approach helps mitigate potential risks before they become significant issues.

5. How can we support a disaster recovery and business continuity plan?

Continuous gaming and business activities play a pivotal role in the success and reputation of your Tribal entity. Preserving the integrity and availability of your IT systems is indispensable in shielding your operations from potential disruptions. By building a plan, your organization will be able to handle IT incidents efficiently and recover swiftly when challenges arise.

6. What methods can we use to review and update our IT policies and procedures effectively?

Evaluating your current IT policies and procedures for comprehensiveness and relevance keeps them effective. Updating your policies to reflect the latest industry standards and regulatory changes keeps them applicable. And facilitating enforcement and adherence minimizes the risk of IT-related incidents and enhances your overall security.

7. How can we prevent unauthorized access to sensitive data and systems?

Reviewing user access rights, privileges, and authentication mechanisms is essential for preventing unauthorized access to sensitive data and systems. Also, by implementing a robust third-party vendor evaluation process and access controls, you can help mitigate the risk of data breaches and protect valuable information. This process is critical for maintaining the security of your Tribal nation operations and gaming entities.

8. What actions are necessary to secure our network architecture?

To identify vulnerabilities in firewalls, intrusion detection and prevention systems (IDPSs), virtual private networks (VPNs), and network segmentation practices, a thorough evaluation of your network architecture, configuration, and security controls is necessary. Addressing these weaknesses enhances your network security and prevents potential points of compromise. A secure network architecture serves as the foundation for a resilient IT infrastructure.

9. How can we protect our data assets?

Maintaining data protection measures such as encryption, data loss prevention (DLP) controls, and backup procedures is vital for the confidentiality, integrity, and availability of sensitive information. By protecting data against unauthorized access, disclosure, or alteration, your organization can safeguard its critical assets and keep your IT systems secure.

10. What measures should we take to prepare for incident response and maintain effective IT operations?

Establishing efficient incident detection, reporting mechanisms, and escalation processes helps minimize damage and reduce recovery time during IT incidents. Being ready for incidents allows your Tribal nation and gaming entities to respond quickly and effectively to any disruptions.

Strengthening Your Tribal Nation with IT Assessments

Regular IT assessments are not just a regulatory requirement but a strategic necessity for your Tribal nation and its gaming entities. By investing in IT assessments, your organization can protect its digital assets, support business continuity, and maintain stakeholder trust. Stay ahead in the digital age by making IT assessments an integral part of your IT strategy.

For more insights and to explore how our IT advisory solutions can fortify your Tribal enterprise’s defenses, visit MGO’s IT Advisory Solutions.

How IT Assessments Strengthen Your Cybersecurity and Business Resilience

Key Takeaways:

  • IT assessments find vulnerabilities and threats, enabling organizations to implement proactive measures and strengthen their security posture.
  • Regular IT assessments help organizations adhere to industry standards and regulatory requirements, avoiding legal penalties and maintaining customer trust.
  • By safeguarding IT systems and confirming their integrity and availability, IT assessments play a crucial role in business continuity and resilience against disruptions.

~

In today’s rapidly evolving digital landscape, keeping robust and secure information technology (IT) systems is paramount for the success and sustainability of any organization. IT assessments have emerged as a vital part of an effective IT advisory strategy, providing your organization with a comprehensive understanding of its IT infrastructure, finding vulnerabilities, and helping you align with industry standards and regulatory requirements.

IT assessments involve a thorough evaluation of your organization’s IT environment — encompassing systems, networks, applications, and data assets. These assessments aim to show weaknesses, verify compliance, and offer actionable insights to enhance your overall IT performance and security. The scope of IT assessments includes various elements such as risk assessment, IT security management, policy reviews, access controls, network security, data protection, and incident response preparedness.

Key Components of IT Assessments

IT assessments typically encompass the following key components, each critical for a comprehensive evaluation of your organization’s IT infrastructure:

  1. Risk assessment: Conducting a risk assessment is foundational to understanding potential threats and vulnerabilities within your organization’s IT environment. This involves evaluating factors such as cybersecurity threats, data breaches, insider threats, and regulatory non-compliance. Identifying and prioritizing risks based on their potential impact allows your organization to implement proactive measures to mitigate these risks.
  2. Review of policies and procedures: Policies and procedures form the backbone of your organization’s IT framework. Evaluating these policies confirms they are comprehensive, up-to-date, and aligned with industry standards and regulatory requirements. Effective policies facilitate enforcement and adherence, significantly reducing the risk of IT-related incidents.
  3. Access controls: Implementing robust access controls is crucial for protecting sensitive data and systems. Assessing access controls involves evaluating user access rights, privileges, and authentication mechanisms. Effective access controls prevent unauthorized access and mitigate the risk of data breaches.
  4. Network security: Your organization’s network architecture, configuration, and security controls must be assessed to identify vulnerabilities and potential points of compromise. This includes reviewing firewalls, intrusion detection and prevention systems (IDPS), virtual private networks (VPNs), and network segmentation practices.
  5. Data protection: Data protection measures such as encryption, data loss prevention (DLP) controls, and data backup and recovery procedures are vital for safeguarding sensitive information. Confirming these measures helps protect your data against unauthorized access, disclosure, or alteration.
  6. Incident response preparedness: Effectively responding to IT incidents is critical to minimize damage and recovery time. Reviewing incident response plans and procedures — including incident detection, reporting mechanisms, and escalation processes — confirms your organization is prepared to handle IT incidents efficiently.
  7. Vendor and third-party risk management: Many organizations rely on third-party vendors and service providers, introducing additional IT risks. Assessing your organization’s practices for managing these risks, including vendor contracts and due diligence processes, is essential for mitigating supply chain vulnerabilities.

Why IT Assessments Are Essential for Your Organization

IT assessments are not just a regulatory requirement; they are a strategic necessity. IT assessments offer several key benefits for your organization, including:

  • Find potential vulnerabilities and threats before they are exploited, allowing your organization to implement proactive measures to mitigate risks.
  • Verify compliance with industry standards and regulatory requirements to help you avoid legal penalties and keep customer trust.
  • Strengthen your organization’s overall security posture to reduce the likelihood of successful cyberattacks.
  • Offer the insights you need for effective risk management, enabling the allocation of resources to address the most critical threats.
  • Safeguard your business continuity by confirming the integrity and availability of IT systems, protecting your organization against disruptions caused by IT incidents.

The Critical Importance of IT Assessments for Modern Enterprises

In an era where IT systems are the backbone of business operations, the importance of IT assessments cannot be overstated. These assessments provide your organization with a clear understanding of its IT vulnerabilities and offer you a roadmap for mitigating risks.

By investing in regular IT assessments, you will not only help protect your digital assets but also support business continuity and keep stakeholder trust. For enterprises striving to stay ahead in the digital age, IT assessments are an indispensable part of a robust IT advisory strategy.

To learn how MGO’s IT Advisory Solutions can fortify your organization’s defenses, reach out to our team today.

CFOs and CISOs: Boost Your SEC Cybersecurity Compliance with These 5 Best Practices

Key Takeaways:

  • New SEC cybersecurity rules require public companies to disclose material cybersecurity incidents, risk management processes, and governance.
  • Determining “materiality” of cyber incidents for disclosure is challenging and requires close collaboration between CISOs providing technical context and CFOs/executives making final determinations.
  • To comply, companies should take steps such as designating accountable leadership, adding specialized cybersecurity knowledge, and updating financial processes.

~

For years, chief financial officers (CFOs) could afford to be removed from the daily cybersecurity efforts led by chief information security officers (CISOs). But, with new Securities and Exchange Commission (SEC) cybersecurity rules, those days are gone.

Adopted on July 26, 2023, the SEC’s “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules recognize cyber incidents can significantly impact public companies’ operations, finances, and reputations. The requirements push companies to be more transparent and accountable about cybersecurity.

While compliance with these rules falls squarely on publicly traded organizations, the impact extends to privately owned companies as well. If your company is a vendor or partner to public firms, you can expect inquiries and audits to verify you meet their security standards. Liabilities and risks permeate the entire supply chain.

SEC Cybersecurity Disclosure Requirements

If you are a public company, what do you need to report under the new rules? Here are the main requirements:

Cybersecurity Incident Disclosure

  • Report within four business days of determining the incident is “material”
  • Describe the nature, scope, timing, and impacts (or potential impacts)
  • Note any undetermined details at time of filing
  • Compliance required for SEC registrants as of December 18, 2023; smaller reporting companies (SRCs) have until June 15, 2024, to comply

Annual Risk Management & Strategy Disclosure

  • Outline processes to identify, assess, and manage material cyber risks
  • Explain how these processes integrate with overall risk governance
  • Detail impacts from previous material incidents
  • Disclose use of third-party security consultants/auditors and procedures
  • Compliance required for all registrants (including SRCs) beginning with annual reports for fiscal years ending on or after December 15, 2023

Annual Governance Disclosure

  • Describe board oversight and committee responsibilities for cyber risk
  • Identify management roles accountable for cybersecurity programs
  • Specify escalation protocols to board/committees on cyber issues
  • Compliance required for all registrants for fiscal years ending on or after December 15, 2023

Determining Cybersecurity “Materiality”

A central tenet of the SEC guidelines is the “materiality” concept regarding incident reporting. Essentially, cybersecurity events are considered “material” and require disclosure if they could sway investment decisions or shareholder votes. Think of materiality as anything significant enough to concern your board and executive team.

The tricky part is that materiality determinations do not solely rest with technology and security leaders. Corporate officers and boards make the ultimate call, despite often lacking full context into security event ramifications on financials and operations. Bridging this disconnect through close CISO collaboration is critical to set appropriate disclosure thresholds aligned with your company’s true risk profile. Ideally, final decisions should also be independently verified by an outside, nonbiased service provider.

The SEC final rule also makes extensive (more than 40) references to “third party” impacts. A breach or attack affecting a key vendor could very well represent a material event for your organization that necessitates SEC disclosure. Do not let third-party cybersecurity shortcomings undermine compliance.

Best Practices to Comply with New SEC Cybersecurity Rules

While no one-size-fits-all checklist exists, your company and relevant vendors should consider these best practices on the path to cybersecurity rule compliance:

1. Designate Accountable Leadership

Empower specific business leaders as security program owners, not just technical teams. These individuals need to establish clear reporting and communication between security operations and the board/C-suite. Executive working sessions focused on cybersecurity scenario planning are also advised.

2. Add Cybersecurity Knowledge

The rules do not explicitly require it, but it is wise to have dedicated cybersecurity oversight at the board level. Bringing in third-party advisors can help boards understand cyber responsibilities and implement improved processes. This knowledge is often lacking today despite its importance.

3. Update Financial Processes

The speedy 8-K cybersecurity incident reporting necessitates updates to disclosure management procedures. Public companies should already have 8-K drafting processes, so adjusting for cyber specifics presents a modest lift. The key is removing bottlenecks to rapidly describe incident details.

4. Dedicate Compliance Resources

CISOs in many companies oversee skeletal teams lacking the bandwidth for major initiatives like interpreting new regulations, implementing new disclosure processes, conducting risk assessments, and more. Ensure your team has the resources needed to achieve compliance.

5. Build Cybersecurity Culture

Equip your leadership team, board, and financial executives with a comprehensive understanding of cyber risks and disclosure nuances. Implement ongoing education and guidance programs to keep them well-versed in cybersecurity threats, response procedures, and the latest developments in the field.

How MGO Can Expedite Your Compliance Journey

The SEC cybersecurity rules are a wake-up call to take cyber preparedness as seriously as any other existential risk to your organization. Let our team of security, financial, and regulatory professionals guide you toward proactive, comprehensive compliance. Reach out today to discuss your roadmap.

SEC Adopts Rules on Cybersecurity Risk Management

Executive Summary

  • The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose “material” cybersecurity breaches within four days of determining their materiality.
  • The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
  • The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
  • Registrants must also include their risk management, strategy, and governance disclosures in their 2023 annual reports.

The SEC wants public companies to be more transparent with their investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new disclosure rules to promote clarity surrounding “material” breaches and what is being done to combat them. It wants companies to report such breaches on Form 8-K within four days of determining that a cybersecurity breach was material. However, delays may be permitted if immediate disclosure of the breach could pose a national security or public safety risk.

Defining “material” disclosures

According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Why is the SEC implementing this rule change?

The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. Its fact sheet notes: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”

But corporations are contesting the rules, arguing this short announcement period is unreasonable — and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.

What are the requirements for risk management, strategy, and governance disclosures?

Public companies will be required to disclose their cybersecurity breaches within a four-day time period. This disclosure must include additional details too, like the timing of the incident, its impact on the company, and management’s expertise on cybersecurity in Form 10-Ks (and Form 20-Fs for Foreign Filers).

How will the SEC cybersecurity rules affect you?

The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.

Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies (FBI). Last year, the Cybersecurity and Infrastructure Security Agency (CISA) adopted cybersecurity rules that require critical infrastructure entities to report breaches within three days to CISA. This reporting duplication could prove confusing and time-consuming.

Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they’ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.

The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.

Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.

How we can help

It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner — and make progress towards compliance with the SEC’s new rules.

If you are ready to assess your cybersecurity posture, or you have questions about how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.

Cybersecurity Best Practices When Working From Home

by Joshua Silberman, IT/Cyber Security Consultant, MGO Technology Group

As a large percentage of the US workforce transitions to work from home (WFH) situations due to the COVID-19 pandemic, we’ve looked at challenges that many organizations may face in setting up work from home (WFH) environments, as well as one of the most common tools used in making WFH resources available to your staff. Today, we’ll look at some of the best advice you, your IT team, or your managed service provider can provide your staff as they continue to work from home.

1. Turn on your corporate VPN, if provided, as soon as you log in.

As stated in our previous article, the Virtual Private Network (VPN) is designed to make the connection between your employees and your corporate resources secure. Employees should get in the habit of activating the VPN as soon as their work or home laptops are turned on.

2. Change your password regularly

It is recommended that firms have a special procedure for incorporating password changes while employees are remote. For example, some setups require employees to be logged into the VPN before they initiate the password change on their own devices. Your employer’s technical staff or MSP should formalize the procedure and make it readily available to you.

3. Avoid sharing your password

Sharing passwords goes against almost everything we know about cybersecurity. However, in these times extenuating circumstances may require a transfer of passwords, especially in cases of troubleshooting. Try to avoid sharing your password, but if you must, follow these simple rules:

  1. ONLY share your password with a trusted source whose identity you can verify. This includes your local IT department or MSP. If you have any doubt about who you are sharing your password with, DO NOT SHARE IT. The inconvenience of not sharing your password is not worth the potential damage that could be caused by a data breach.
  2. ONLY share your password through a secure method. The safest is a phone call, but if you must use a messaging service, try to stick to simple SMS and do not use apps such as Facebook Messenger.
  3. As soon as the task requiring the password share is completed, change your password immediately. The longer this action is delayed the longer you and your firm are at risk.

4. Avoid letting other family members use your corporate laptop or devices.

It might be tempting to hand off your device to a family member for a simple task, but remember that in most cases you do not own your corporate devices and are liable for any damage or data leakage caused by your family members.

5. Be mindful of who is around you both virtually and in person.

Picture this scenario: You are on a call with someone in which confidential information is shared. A family member overhears and decides to share this information over their personal social media page for exposure, perhaps not understanding the confidential nature of this information. Suddenly you have a potential data breach of confidential information on your hands.

Though quarters might be tight, it’s important to be cognizant of who is around you at all times. This may include having discussions with family members so they understand that what they might see or hear from you is confidential.

6. Remember that, in most cases, your work devices are not yours.

When you are issued a device, it usually comes with the legal caveat that the device still belongs to the company, along with anything that is introduced to that device. In most employment agreements the employer stipulates that they have the right to access, search, seize, and erase the device at any time. So if you have personal files and photos on any of your work devices, it would be prudent to move or back them up to a personal storage space.

7. Always listen to and follow the advice and notices of your IT staff.

As the COVID-19 situation progresses, new guidelines and rules may have to be developed. These should be communicated to you by your technical staff, HR personnel, or MSP. Assuming the source is verified, you should follow their guidance to the best of your abilities.

8. Never hesitate to ask questions of your IT staff if you are unsure of something.

In the realm of IT security, there are no stupid questions. Your company has every interest in keeping you productive and safe. You can do your part by engaging with the IT staff or MSP through established channels. This can range from a critical system failure all the way down to reaching out to verify that new guidance you might have received did in fact come from them.

9. Consider how your family activities might affect available bandwidth in your home.

As you work from home, the strain on your home internet connection might become apparent as more devices are using the connection for longer periods of time. This will be especially true if you are home with other family members. You may notice lags on conference calls or the VPN taking longer to connect than usual.

While you can work with your internet service provider to see if you can increase the amount of bandwidth allocated to your house, you may also want to consider network usage times with your family. This may be difficult, especially given the bandwidth needed for online school learning, but it could be a necessary step in ensuring you have enough bandwidth during critical times such as video calls and high-volume file transfers.

Ready to learn more? Join us for our upcoming webinar: Cultivating a Culture of Cybersecurity Awareness. Register here.

Or you can schedule a consultation with the MGO Technology Group here.

Cybersecurity Culture: Empowering Your Employees

by Joshua Silberman, IT / Cyber Security Consultant, MGO Technology Group

Are your employees comfortable telling leadership about a potential problem at your company? Now ask yourself, are they comfortable telling leadership about a potential mistake? A large number of today’s cyber breaches begin as the result of an innocent mistake by an employee. It might be sharing a password over an unprotected medium, a nefarious actor grabbing a picture of an employee’s laptop screen while they are working in public, or, most commonly, an employee clicking on an innocuous-looking link in a phishing email. What most employers may not realize is that many employees’ common sense regarding breaches is actually pretty good. At the very least they will suspect that something is amiss, which could be the first step in detecting a potential breach. Empowering your employees to actively look for, and report on, potential breaches goes a long way toward helping your organization build a strong cyber security culture.

Creating a positive cyber security culture

The first step is to educate your employees on what to look out for when it comes to cyber and information risk. Many firms employ some form of basic cyber security training, mostly at the time of on-boarding, but training usually ends there. Cyber security is an ever-shifting landscape where threats are always evolving. This is why it is important for firms to enact a year-round cyber security awareness program based around employee activities. A good employee-based cyber security awareness program will be light on technical jargon and focused on highlighting the vulnerabilities of the processes and systems that all employees use in their day-to-day work, such as instant messaging, answering e-mails, browsing the web, and sending documents through authorized and unauthorized means of file sharing. There is no great need to get into the technical details of how an attack might happen; rather, acknowledge that the danger is out there and focus on what employees can do to look out for potential dangers, such as noticing strange URLs and suspicious e-mail attachments from unrecognized senders. Consistently educating employees on current cyber threats and methods will give them the tools to identify a threat and be proactive in helping your company stop it.

Encouraging active breach and threat reporting

Training employees to spot the dangers is only half the battle. The other half is generating an effective reporting culture. No cyber security strategy is complete without a good cyber security reporting culture that puts a premium on reporting potential breaches. Here are a few suggestions to create a positive culture of reporting:

Have the team that provides your first-level IT support lead awareness/education sessions, as they will most likely also be the first point of contact for reporting potential breaches. The sessions can be developed by an outside consultant or an internal cyber security professional, but building a rapport between those who should be reporting the incident and that first point of contact provides a sense of comfort that your employees are reporting the issue to the right group in the correct way.

In training, the IT support staff should make clear that reporting a threat is NOT a burden and that employees should err on the side of caution. If an employee receives an e-mail they find suspect they should not hesitate to contact their IT department through the designated reporting means.

Everyone in the organization must know and believe that the consequences of reporting a potential mistake will not be dire. Beyond feeling comfortable reporting suspicious activities, employees must also feel comfortable reporting suspicious behavior that might be a direct result of their own actions. If an employee feels that admitting a mistake will be detrimental to their career, they will keep quiet and a potential breach could go unnoticed. Admittedly, this strategy carries some risk, as you do not want certain behaviors to be consequence-free. However, the scope of the consequence must be weighed against the actual action.

For example, an employee need not be officially reprimanded for admitting to clicking on a suspicious link and reporting it, but it would be prudent for the IT support staff to point out what could have been done differently to avoid the infraction. If the employee becomes a repeat offender, then a more official process might be warranted. Until then, simply pointing out the issue should be enough to change behavior while maintaining a culture where employees are not fearful of bringing an issue forward.

Strong and proactive cyber security culture starts at the top

When setting the company’s cyber security policy, upper management must keep an eye toward baseline employees who perform the day-to-day actions of the company. Clear signals about saying something if you think something is wrong can go a long way toward changing your company culture. Having a strong IT or cyber security group is simply not enough when your own staff could unknowingly be your cyber Achilles’ heel. There is a saying in cyber security that “every employee is a potential vulnerability.” However, if trained and leveraged correctly, your employees can also act as another safeguard, actively working to protect your information technology environment.

If you have any questions or would like support developing and implementing an effective cyber security program, reach out to the MGO Technology Group for a consultation.

Credential Harvesting

For many years, malware viruses have been the go-to tool for cyber attackers – and as a result, cybersecurity protocols and training have been engineered to minimize the impact of malware. More recently, a new threat has emerged that is changing the landscape of cyber and information security: credential harvesting. To protect personal and/or company information and resources, you must familiarize yourself with this new data breaching method and ways to manage related risks.

What is credential harvesting?

Credential harvesting, also known as password harvesting, is the process of gathering valid usernames, passwords, private emails, and email addresses through infrastructure breaches. The possible motivations for such a breach are many: the hackers could sell delicate personal and financial data on the dark web; gain access to a company network for purposes of corporate espionage and steal IP or other assets; or use the data to embezzle money.

How credential harvesting occurs

A commonly cited source of credential harvesting is the use of phishing emails. These emails contain an attachment encoded with a hyperlink that, when clicked, uploads data-stealing programs onto your console. While phishing emails are the most common avenue, password harvesting can also be performed by malware viruses, cloned website links, the use of insecure third-party vendors, and ransomware. In many cases, the breached user has no knowledge that the malicious attack has occurred, and continues to believe they are shielded by cybersecurity measures.

This is especially accurate in cases when cloned websites are the source of the credential harvesting, as they are extremely similar in features and makeup to the real webpages they emulate. When a user logs into any account on a cloned website, their login information is directly sent to the attacker. The number of users who access accounts on phony websites can be significant and the stockpile of valuable data collected can have disastrous consequences.

Taking an active stance against credential harvesting scams

There are proactive steps anyone can take to mitigate the chances of falling prey to credential harvesting. Cloned websites can be detected by spotting an unusual URL unrelated to the actual website. For example, when using Google, instead of seeing a normal Google webpage, a cloned Google webpage will have a URL that is not Google related. Another common indicator that a webpage is cloned is if an unexpected web browser window pops up without a user physically opening it. For example, if the Google Chrome application randomly opens up as you are analyzing sensitive data vital to your company, your system may be infected. If caught in such a situation, it is best to not log into any accounts on the opened tab and instead force quit the application, and immediately notify your IT department of what happened.
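The URL check described above, as an added example that is not part of the original article: it takes the host out of a login-page URL (so a `brand@attacker` userinfo trick does not fool it) and compares the registrable domain against an allowlist of expected domains, flagging hosts that merely contain a brand name as lookalikes. The allowlist values are constructed for this example, and the two-label domain rule is a simplification that ignores public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains a user expects to log in to
# (hypothetical values for this example, not from the article).
EXPECTED_DOMAINS = {"google.com", "example-corp.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'accounts.google.com' -> 'google.com'.

    Simplification: real public-suffix handling (co.uk, com.au, ...) needs the
    Public Suffix List, which is out of scope here.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def classify_login_url(url: str) -> str:
    """Classify a login-page URL as 'expected', 'lookalike' or 'unexpected'.

    'lookalike' means an expected brand name appears in the host, but the host
    is not actually under that brand's registrable domain, which is the pattern
    the article describes for cloned pages ("a URL that is not Google related").
    """
    parts = urlsplit(url)
    # .hostname drops any userinfo, so 'https://google.com@evil.example/'
    # yields 'evil.example' rather than 'google.com'.
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return "unexpected"
    if registrable_domain(host) in EXPECTED_DOMAINS:
        return "expected"
    # Brand name embedded somewhere else in the hostname: likely a clone.
    for expected in EXPECTED_DOMAINS:
        brand = expected.split(".")[0]
        if brand in host:
            return "lookalike"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample URLs for a quick demonstration.
    for sample in (
        "https://accounts.google.com/signin",
        "https://google.com.login-verify.example/",
        "https://google.com@evil.example/",
    ):
        print(sample, "->", classify_login_url(sample))
```

A host that spells the brand with substituted characters (for example a zero for an "o") is reported as "unexpected" rather than "lookalike"; the point is that anything not under an expected domain is a reason to stop and check with IT before entering credentials.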

When it comes to phishing emails, you must be vigilant when receiving emails and be sure not to click on any unknown or unusual links. This could lead to infected programs popping up that you did not intentionally download.

There are a number of other ways credential harvesting can occur. To protect your vital information from an instantaneous and anonymous breach, you should regularly back up your devices to the cloud and promptly install all security patches and upgrades.

Protecting your organization against credential harvesting

Credential harvesting is a real and rising threat … and anyone can be the next victim. Users must continually update their security software, back up their data, and be mindful of the links they follow and the sites they visit. Following these simple steps will help protect you, and your business, from becoming the next victim of credential harvesting.

If you have any questions or fear your organization is at risk for credential harvesting, please reach out to the MGO Technology Group for a consultation.