The Securities and Exchange Commission (SEC) has recently adopted changes to Regulation S-P, which now requires financial institutions to disclose security breaches within 30 days of learning about them. These amendments also expand safeguards and disposal rules, mandate written compliance records, and extend the rules to transfer agents. The primary goal of these new requirements is to protect the privacy of customers' financial data and ensure prompt notification in case of a breach.
The EPA has issued an enforcement alert warning about the increasing frequency and severity of cyber attacks against water utilities in the U.S. The agency found that about 70 percent of utilities inspected in the past year violated standards meant to prevent breaches. Recent attacks by groups affiliated with Russia and Iran have targeted smaller communities. The EPA urged water systems to improve protections against hacks, including changing default passwords and cutting off system access to former employees.
Microsoft's decision to enforce multi-factor authentication (MFA) for all accounts by the end of the year is a significant step towards enhancing cybersecurity measures. The episode highlights that over 99.99% of MFA-enabled accounts have successfully resisted hacking attempts, emphasizing the effectiveness of this security measure. Admins are encouraged to enable MFA in their tenants before the rollout, and they can monitor MFA registration using authentication methods, registration reports, and PowerShell scripts.
Three things to know today
00:00 SEC Adopts Changes to Regulation S-P: Strengthening Privacy and Data Protection
03:40 Surge in Untested Deepfake Detection Services without High Accuracy
05:59 Microsoft to Enforce Multi-Factor Authentication for All Accounts by Year-End
[00:00:01] It's Wednesday, May 22nd, 2024, and I'm Dave Sobel. Three things to know today.
[00:00:07] The SEC adopts changes to Regulation S-P, strengthening privacy and data protection,
[00:00:14] a surge in untested deepfake detection services without high accuracy, and
[00:00:20] Microsoft to enforce multi-factor authentication for all accounts by year end. This is the Business of Tech.
[00:00:27] The Securities and Exchange Commission has adopted changes to Regulation S-P,
[00:00:34] requiring financial institutions to disclose security breaches within 30 days of learning about them.
[00:00:40] The amendments also expand safeguards and disposal rules, require written compliance records,
[00:00:46] and extend the rules to transfer agents. The new requirements aim to protect the privacy of customers' financial data
[00:00:53] and ensure prompt notification in case of a breach.
[00:00:57] The Environmental Protection Agency has issued an enforcement alert warning about the increasing frequency and severity of cyber attacks
[00:01:05] against water utilities in the U.S. The agency found that about 70% of utilities inspected in the past year
[00:01:13] violated standards meant to prevent breaches.
[00:01:16] Recent attacks by groups affiliated with Russia and Iran have targeted smaller communities.
[00:01:22] The EPA urged water systems to improve protections against hacks,
[00:01:26] including changing default passwords and cutting off system access to former employees.
[00:01:32] And in a focus on SMB, Axios reports on how defense contractors,
[00:01:37] including small businesses, are at risk of being targeted by nation-state hackers, particularly from China.
[00:01:44] Despite warnings, many defense contractors underestimate the importance of cybersecurity.
[00:01:49] The lack of technical expertise and financial resources further hinders their ability to defend against cyber threats.
[00:01:56] The NSA provides free cybersecurity tools to defense contractors.
[00:02:01] These tools cannot fully eliminate the risks posed by sophisticated hacking groups.
[00:02:07] And Google has published new security recommendations and a white paper
[00:02:11] scrutinizing Microsoft's cybersecurity practices in response to recent nation-state attacks.
[00:02:17] Google aims to poach government customers from Microsoft and offers a Google Workspace program as an alternative.
[00:02:25] And North Korean IT workers are posing as Americans to secure remote jobs and use the salaries to fund their country's missile program.
[00:02:34] Remote hiring practices have made it easier for them to deceive hiring managers,
[00:02:38] and the advancement of AI technologies like deepfake videos adds to the challenge.
[00:02:44] Federal prosecutors have charged individuals involved in an elaborate scheme where North Korean workers landed jobs at over
[00:02:51] 300 US companies,
[00:02:53] generating at least 6.8 million dollars in revenue.
[00:02:57] The US government has been warning about this threat for years as it allows North Koreans to bypass sanctions.
[00:03:05] Why do we care?
[00:03:07] For those serving financial sectors, you have new regulations, and for those serving utilities, be warned.
[00:03:12] Whether you focus on defense or not, please take advantage of the resources available, be it the NSA or Gini.
[00:03:19] Consider that companies struggle to verify identities and detect malicious activity in remote interviews for you and your customers.
[00:03:26] Generative AI tools make it easier for North Korean workers to create believable resumes.
[00:03:31] That process requires investment, and we care because everything here needs to be addressed.
[00:03:38] So let's talk a little bit about bias.
[00:03:41] Algorithms can reveal and help correct biases in decision-making, according to a study from Proceedings of the National Academy of Sciences.
[00:03:49] Participants in the study were more likely to recognize bias in algorithmic ratings compared to their own ratings,
[00:03:56] even when the algorithms were trained on their own decisions.
[00:04:00] Algorithms remove the bias blind spot by presenting decisions in a way that is more similar to how people assume decisions.
[00:04:07] The study also found that participants were more willing to correct biases when they were attributed to algorithms, resulting in less biased final ratings.
[00:04:17] A surge of companies claim to offer hyper-accurate deepfake detection services. Deep abilities are largely untested.
[00:04:26] Deep Media, a rising star in the field, has won military contracts worth nearly $2 million but lacks subject matter expertise and has no experience in deepfake.
[00:04:35] Deepfake has no subject matter expertise and has a sole machine learning engineer with an undergraduate degree in astrophysics.
[00:04:42] While the demand for deepfake detection is high, the effectiveness of current detection tools is questionable as they can be easily fooled.
[00:04:50] Nonetheless, about 40 companies offer deepfake detection services, claiming high levels of accuracy.
[00:04:58] Researchers at Anthropic have made a breakthrough in understanding large language models by using dictionary learning to uncover patterns in neuron activation.
[00:05:07] They identified features linked to specific topics and found that by manipulating these features, they could change the AI system's behavior.
[00:05:16] While there's still much to be done, progress in interpreting what the models do can help address concerns about bias, safety risks, and autonomy in AI systems.
[00:05:27] Why do we care?
[00:05:28] The Anthropic news is notable because of the advancement in understanding what happens within the black box of generative AI.
[00:05:35] Let's just note it's happening.
[00:05:37] The surge of detection startups risks providing a false sense of certainty and eroding public confidence in authentic media.
[00:05:45] Take your skeptical eye here to the solutions.
[00:05:48] And note that there are solutions, that's why the research matters.
[00:05:52] All this is input to your discussions with clients about best using these technologies.
[00:06:00] A study conducted by EasyDMARC shows that the adoption of DMARC security standards among .org email domains has doubled in the past year, rising from 3.9% to 7.7% between March 2023 and March 2024.
[00:06:17] While usage has increased, less than 10% of charity domains have implemented basic protections against phishing and spoofing.
[00:06:24] Although there has been progress in implementing stricter policies such as rejection or quarantine, many domains lack essential monitoring and reporting tags.
[00:06:33] The rise in DMARC adoption may be driven by email authentication regulations rather than proactive cybersecurity measures.
[00:06:41] Starting in July, Microsoft will enforce multi-factor authentication for all users signing into Azure to administer resources.
[00:06:49] The multi-factor authentication enforcement will also roll out for command line interpreters, PowerShell, and Terraform.
[00:06:56] MFA offers significant protection against cyberattacks with over 99.99% of MFA-enabled accounts resisting hacking attempts.
[00:07:05] Admins are urged to enable MFA in their tenants before the rollout and can monitor MFA registration using authentication methods, registration reports, and PowerShell scripts.
[00:07:17] Zoom has announced the global availability of post-quantum end-to-end encryption for Zoom meetings with Zoom Phone and Zoom Rooms to follow soon.
[00:07:25] The introduction of quantum-resistant encryption addresses the risk of future decryption attacks by advanced quantum computers, ensuring data security for users.
[00:07:35] Zoom joins other communication platforms in adopting quantum-resistant algorithms, demonstrating its commitment to leading the field of secure video conferencing.
[00:07:44] Why do we care?
[00:07:46] Those EasyDMARC folks are leaning heavily into identifying where their solution is needed. Charities, it seems, too.
[00:07:53] Note that it will be July 2024 before MFA is mandatory for Azure administration.
[00:07:59] It's a notable step forward, and at the same time, it took far too long.
[00:08:03] Of course, over on the encryption side, we're outpacing computers we don't even have yet.
[00:08:08] So now, making it practical, where should you spend your time?
[00:08:12] The gap. MFA adoption should not be optional. Period.
[00:08:17] Combine that with good backups, patch management, and a recovery plan, you have the basics of cyber hygiene.
[00:08:22] Be good at that.
[00:08:26] Today's episode is supported by Huntress.
[00:08:29] You want to focus on your clients and are always looking for ways to get more time.
[00:08:34] Use Huntress' fully managed cybersecurity platform to fight off cyber threats.
[00:08:40] Huntress is more than cybersecurity software for endpoints and identities.
[00:08:44] It's a 24x7 security operations center.
[00:08:47] It's security awareness training, community engagement, and dedicated partner support with an average CSAT score of 99.3%.
[00:08:56] Technology can only get you so far.
[00:08:59] Human expertise is what's needed to truly elevate and protect small businesses.
[00:09:04] And you get that with Huntress.
[00:09:07] Secure your clients and help them thrive with the number one rated EDR for SMBs on G2.
[00:09:12] Visit huntress.com slash MSP radio to find out more.
[00:09:18] Thanks for listening.
[00:09:19] It's National Craft Distillery Day and also National Vanilla Pudding Day.
[00:09:24] Maybe not together.
[00:09:26] Have a question you want answered?
[00:09:27] I take those listener questions, send them in ideally as a voice memo or video to question at MSP radio.com.
[00:09:34] I answer listener questions live each week on our Wednesday live show on YouTube and LinkedIn.
[00:09:39] Now it'll be off next week, maybe the week after to get those answers.
[00:09:43] And if you got a comment or a thought, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast.
[00:09:49] I'll talk to you again tomorrow.
[00:09:52] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines
[00:09:57] posted at businessof.tech.
[00:10:00] If you like the content, please make sure to hit that like button, follow or subscribe.
[00:10:05] It's free and easy and the best way to support the show and help us grow.
[00:10:10] You can also check out our Patreon where you can join the Business of Tech community at patreon.com slash MSP radio or buy our Why Do We Care merch at businessof.tech.
[00:10:23] Finally, if you're interested in advertising on the show, visit MSP radio dot com slash engage.
[00:10:29] Once again, thanks for listening to me.
[00:10:32] I will talk to you again on our next episode of the Business of Tech.
[00:10:39] Part of the MSP Radio network.

