Cybersecurity Threat Landscape

Q&A: Cybersecurity Risks, Observations & Best Practices

Earlier this year, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a report highlighting cybersecurity and resiliency observations, bringing more attention to how today’s businesses are building risk management programs and fending off growing cybersecurity threats. And with the COVID-19 pandemic forcing countless businesses to transition their workforces to remote environments, cybersecurity is a priority that organizations cannot afford to overlook.

We recently spoke with Demetria Johnson, a Director in MFA’s IT Advisory Practice, to review her own observations of the cybersecurity landscape and how customers are keeping security top of mind. 

Q: Have you seen a change in leadership in recent years as the threat landscape has grown and regulatory agencies have put more pressure on companies to stay secure?

Demetria Johnson (DJ): We are definitely seeing more questions being asked — particularly at the board level and within audit committees. The C-suite and senior management are certainly more aware of possible threats and are taking steps in the right direction to address evolving threats and mitigate risks across the business.

Q: You’ve conducted a lot of risk assessments and IT audits. In what areas do you find customers are most in need of updated cybersecurity risk controls?

DJ: In general, business leaders are paying more attention to the technical risks, but the biggest piece still deficient is the human factor. As an employee connected to my company’s network and information, if I make a mistake and click on the wrong link or open the wrong attachment, I expose my company to serious risks.

We’re still seeing a lack of adequate training to make employees aware of these risks and give them the necessary education to mitigate these threats. Unfortunately, acknowledging that you read the company’s security policy isn’t enough protection.

Q: How are you seeing cyber threats manifest themselves, and what steps can organizations take immediately to shore up their risk management programs to address those threats?

DJ: The biggest trend we’re seeing in the industry is hackers going after individual employees (versus corporate-level attacks). Phishing emails and ransomware are two of the biggest ways they are targeting employees. The bad actors are trying to take advantage of individual weaknesses, laziness, and lack of knowledge, so that’s why that human education piece is so critical.

In addition to robust information security awareness training, we are starting to see some companies use simulated phishing exercises to test employee education. It’s a pretty compelling way to demonstrate whether individuals are able to assess security risks on their own or if they require more training.

Q: We’re all attached to our mobile devices at all times. Should we be more concerned about mobile cyber threats — and how can businesses address these concerns?

DJ: Yes, mobile threats are definitely a concern, notably for businesses with Bring Your Own Device (BYOD) policies. There’s an appeal to reducing costs by allowing employees to use their own devices but safeguarding the appropriate company data becomes a much more difficult and important task. Through mobile device management policies, businesses can push down password management requirements and remote wiping capabilities, which is critical to protecting sensitive data.

Businesses who are still issuing company-owned devices tend to have a better handle on device security since they are responsible for managing the entirety of the device.

Q: Vendor management has been identified as a top area by OCIE. Do you find that companies are sufficiently aware of the risks posed by third-party relationships and do they have practices in place to manage vendors appropriately?

DJ: Are they aware of the threats? Yes. Do they have formal programs in place? Not necessarily.

When we complete SOC reports for customers, we always include a vendor management checklist, and we’d love to see more businesses following through on some of those guidelines. At the end of the day, third party exposure can be a serious risk. And though awareness is up, the follow-through needs a little more work overall.

Q: What question do you get asked most often?

DJ: More often than not, the question is ‘Where do we start?’ We always advise starting with an enterprise risk assessment. This will help businesses to understand where their data is stored, what systems have access, the interconnections between systems, etc. Companies really need to start here so they can appropriately build out policies, procedures and trainings to protect sensitive information.

I also like to remind businesses up front about the potential risks that can come with a cybersecurity breach or lack of controls. They’re often focused on the data piece — which is critical, obviously — but reputational risk is something to keep in mind also. Bouncing back from a cyber-attack or incident is hard enough when you’re a global enterprise, but even more difficult for small-to-medium size companies.

Q: What is the single most important step companies should be taking to ensure comprehensive cybersecurity protection?

DJ: Training, training and more training. It doesn’t have to be complicated, but it does need to appropriately inform employees of the risks and explain how to mitigate them. It’s great if a simple training module can give real-life examples of what to do and what not to do in various scenarios. Coupled with a comprehensive security policy, this gives businesses the best chance of mitigating social engineering and human-directed threats.

And then Part 1B needs to be incident response. It’s great to have risk management policies and download templates and scorecards, but if you don’t have a plan in place to respond when something happens, you basically have nothing.

MFA Observations
The SEC has spent recent years both educating businesses on cyber risks and observing practices across various business sizes and lifecycles. For more information on best practices and SEC recommendations, visit

MFA’s IT Advisory Team provides a full range of proactive technology and cybersecurity solutions to combat today’s growing IT challenges, including cybersecurity risk assessments, SOC reports and strategic IT consulting. Please reach out to a member of our team to discuss your business’ IT and cybersecurity objectives.

Contact Us

Information Security Solutions

Related posts
Insurance Strategies to Reclaim Liquidity

Reclaim Liquidity With These Three Insurance Strategies

Strategically approaching the insurance risk program can be a vital method to unlock liquidity by…

Read More
Managing IT Risk During the COVID Crisis

Managing Your IT Risk During the COVID-19 Crisis

Even companies with limited resources can implement a “Bring Your Own Device” (BYOD) Policy and…

Read More