February 22, 2021

Two-Week PPP Application Window Opens Specifically for Small Businesses

New changes to the Paycheck Protection Program (PPP) were announced by President Biden on February 22. These tweaks to the PPP rules are meant to help small businesses and give them an exclusive window of time to apply for PPP funding starting February 24.

Details of the Latest PPP Changes

Another $284 billion was injected into the PPP program as part of the $900 billion COVID-19 relief package signed December 27, 2020. Since applications opened in January, it’s estimated that the SBA has approved around $134 billion in forgivable small business loans. To improve equitable distribution of loans and help give small businesses an advantage, President Biden introduced the following changes:

  • An exclusive window for businesses with fewer than 20 employees to apply for PPP loans beginning February 24. Businesses with 20 or more employees will be locked out of applying until March 9.
  • Self-employed, sole proprietors and independent contractors can now use gross income, much like the recently changed calculation for farmers.
  • Business owners with non-fraud felonies and those who were/are delinquent on student loans are now eligible to apply for PPP funding.
  • At least $1 billion will be allocated for minority-owned businesses.

The Biden administration has not indicated whether they will try to extend the program after the current round expires March 31.

Our advisors are closely following COVID-19 relief efforts and will continue to publish insights to keep you informed on our COVID-19 Resource Center. Tune in to our video series PPP with Paul and Dan to learn more about the Paycheck Protection Program. To discuss your situation and recovery options, contact an Anders advisor below.


February 19, 2021

5 Cybersecurity Lessons Businesses Should Learn from the Oldsmar, Florida Water Supply Hack

Disaster almost struck on Friday, February 5, when an unidentified outsider attempted to drastically increase the sodium hydroxide levels in the water supply of the city of Oldsmar, Florida. The impact could have been tragic, as they attempted to raise the setting from 100 parts per million to 11,100 parts per million. Normally sodium hydroxide is harmless when used to regulate pH levels in drinking water, but at that level it could have caused severe damage to anyone who consumed it. While this doesn’t sound like a typical data breach that could have been prevented with cybersecurity best practices, there are definitely cyber controls that could have helped avoid the attempt. Below we dig into the cybersecurity vulnerabilities we identified from the situation and our mitigation recommendations your business can learn from.

How could this have happened?

This is an active investigation that’s being analyzed to figure out what happened and identify the outsider. Reports following the incident indicate a significant number of basic cyber mistakes were made that left the city’s water supply vulnerable to anyone with an internet connection. Cyber risk can be substantially reduced by implementing basic technology controls and following good cyber hygiene. However, many businesses struggle to stay on top of cybersecurity, often because of a lack of manpower, lack of funding, or a lack of knowledge and expertise.

Let’s look at five cybersecurity vulnerabilities the water utility had that could possibly have made the attempt possible. Applying these lessons to your business will increase your protection from cyber criminals.

Vulnerability #1: Sensitive SCADA equipment was exposed directly to the internet.

Initial reports indicate the outsiders utilized a common remote access software tool named TeamViewer to access the supervisory control and data acquisition (SCADA) control system. TeamViewer enables a user to remotely view a desktop’s screen and control the mouse to move and click. The use of tools like TeamViewer has substantial benefits, such as giving personnel the ability to perform system status checks remotely and respond to alarms or alerts. However, the risk of using remote access tools like TeamViewer can be massive.

Recommended Mitigation

Industrial Control Systems (ICS) and SCADA equipment should be kept isolated and ‘air gapped’ from the rest of the computer network. If ICS or SCADA systems are going to be exposed to the internet, additional controls must be implemented to mitigate the risk. If remote access software is going to be utilized, it must use a one-way (unidirectional) approach, meaning the user is limited to view only and cannot click or take action on the remote device.

Vulnerability #2: A firewall was not in place to protect sensitive SCADA equipment.

Connecting any technology to the internet without a firewall is a recipe for disaster. Publicly accessible tools and websites like Shodan are constantly searching and probing for unprotected systems connected to the internet. Once hackers identify an unprotected computer, they then begin probing with known vulnerabilities to take control of the device and wreak havoc.

Recommended Mitigation

Implement a firewall to protect all internet-connected devices and keep the firewall updated and current. Logging should be enabled on the firewall to watch for intrusion attempts.

Vulnerability #3: A single common password was shared by all computers for remote access, and no additional authentication was required.

The reuse of passwords is a major issue in cybersecurity. It is common for passwords to be compromised in a data breach, and then that user ID and password combination is shared by hackers on the dark web. Hackers will then use these compromised credentials for ‘credential stuffing’ attacks, where hackers use scripts to try these credentials on thousands of web sites – banking, shopping, etc. The use of unique passwords mitigates these risks but unfortunately many users will use the same password on multiple sites. In this case, a single password was the only thing required to access TeamViewer and control the water supply equipment.

Recommended Mitigation

Create unique passwords and utilize a password manager to help track your passwords. For sensitive access, like SCADA equipment or TeamViewer, utilize multi-factor authentication (MFA) to require additional levels of authentication beyond just a password.

Vulnerability #4: All computers used by water plant personnel were connected to each other, including the SCADA system.

If all computers are connected to the same network, and any node on that network is compromised, then the entire network is compromised. Specific attention should be paid to dividing the network into separate secure segments, thus providing an additional level of protection if one computer is attacked.

Recommended Mitigation

Sensitive pieces of technology, like SCADA and ICS, should be walled off from the remainder of the network and isolated.

Vulnerability #5: The technology was running on an outdated 32-bit version of the Windows 7 operating system.

Windows 7 is an end-of-life operating system that is vulnerable to attack (unless the customer purchases an Extended Security Update (ESU) plan). Microsoft ended support for Windows 7 in January 2020. Accordingly, Microsoft is no longer producing security updates for Windows 7, even though it contains many well-known vulnerabilities that hackers are able to exploit.

Recommended Mitigation

Use up-to-date versions of operating systems, such as Windows 10, and keep them current by applying the latest updates. If a system cannot be updated to a modern operating system, it must be isolated from the internet and the rest of the network.

Understanding Your Cyber Risk

Businesses must ensure that appropriate cyber controls have been implemented throughout their enterprises, including both IT and operations technology (OT), like ICS and SCADA systems. If this water district had performed a basic cybersecurity audit or cyber risk assessment, the five vulnerabilities we’ve highlighted in this blog post would have been flagged. Then a remediation plan should have been created to implement these basic cyber controls over a period of time. Lack of awareness of cyber risks and controls is no longer acceptable in today’s world. The significance of the risk should link directly to the investment made to mitigate the risk.

Once cyber controls are implemented and operating effectively, it is a good idea to perform quarterly vulnerability scans to identify potential weaknesses and out-of-date software. Periodic penetration tests, where a skilled white hat hacker attempts to infiltrate your systems, are a great way to test your defenses.

Whether you’re looking for supplemental cybersecurity expertise to add to your team, or technology advisors to take care of it all for you, Anders Technology can help you implement cybersecurity best practices to protect you and your organization from evolving threats. Contact an Anders advisor below to see how we can help you mitigate security risk and defend against a costly cyberattack.


February 16, 2021

PPP 1 and 2 Loans: What Expenses are Considered Covered Costs?

A second round of Paycheck Protection Program (PPP) loans brings many questions around funding eligibility and how the money can be spent to qualify for forgiveness. Once you have either a PPP1 or PPP2 loan, it’s important to understand what costs are covered so you can maximize forgiveness.

Similar to the first round, 60% of PPP2 funds will need to be used for payroll and 40% can be used for non-payroll expenses. Below is a list of nonpayroll costs that qualify and the related eligibility and documentation requirements.

Timing of Eligible Nonpayroll Costs

Eligible nonpayroll costs are those that are either:

  • Paid during the covered period
  • Incurred on or before the end of the covered period but paid by the due date after the covered period

Example: If rent for the month of October is due by November 1st and your covered period ended October 21, you would get to include a portion of that November payment to account for 21 of the 31 days.

Types of Nonpayroll Costs

Below is a list of eligible nonpayroll costs, assuming they meet the timing criteria above.

  • Interest payments on (most) business loan obligations that were in existence before February 15, 2020
  • Rent/lease payments on real or personal property under an agreement in place before February 15, 2020
  • Business utility payments for services in place before February 15, 2020, including electricity, gas, transportation, water, telephone and internet
  • Covered operations expenditures, including:
    • Payment for any business software or cloud computing service that facilitates business operations
    • Product or service delivery
    • The processing, payment or tracking of payroll expenses
    • Human resources
    • Sales and billing functions
    • Accounting or tracking of supplies, inventory, records and expenses
  • Covered property damage costs
    • Cost related to property damage and vandalism or looting due to the public disturbances that occurred in 2020, but cannot have been reimbursed by insurance
  • Covered supplier costs, including payments made to a supplier of goods for supply that meets the following criteria:
    • Is essential to operations of the business AND
    • Payment made pursuant to a contract, order, or purchase order that was either:
      • In effect any time before the covered period, OR
      • For perishable goods only, in effect any time prior to the end of the covered period
  • Covered worker protection expenses
    • Operating or capital expenditures to facilitate the change of business activities related to COVID. This may include purchases, maintenance or renovation of assets that create or expand:
      • Drive-through window facility
      • Indoor, outdoor, or combined air or air pressure ventilation or filtration system
      • Physical barriers such as a sneeze guard
      • Expansion of additional indoor, outdoor, or combined business space
      • Onsite or offsite health screen capabilities

Required Documentation

It’s important to keep proper documentation of expenses paid with loan proceeds to make the forgiveness process simpler when the time comes to apply. Make sure to keep track of the following documentation for each expense:

  • Copies of invoices, purchase orders, receipts or cancelled checks
  • Copies of account statements and lease agreements

Our advisors are closely following COVID-19 relief efforts and will continue to publish insights to keep you informed on our COVID-19 Resource Center. To discuss your situation and recovery options, contact an Anders advisor below. Tune in to our video series PPP with Paul and Dan to learn more about the Paycheck Protection Program.


February 12, 2021

The Right Accounting Fit: Which Solution Fits Your Needs?

Whether you want your accounting expertise to be a dashboard away or down the hall, Anders has the right solution.


February 12, 2021

Outsourced CFO Services

Learn how Anders Outsourced CFO can help your business strategize for the future.


February 12, 2021

PPP with Paul and Dan Video Series

With new updates and legislation evolving quickly around the Paycheck Protection Program (PPP), our CARES Act Research and Response Team has been focused on relaying information you need to know. Two of the team members, Paul C. Rhea and Daniel K. Schindler, are sharing the latest changes around PPP loans and the forgiveness process in their video series: PPP with Paul and Dan.

View each segment of the series below. Check out more CARES Act content in our COVID-19 Resource Center, or learn how we can help your business recover from COVID-19.
