Q&A: Cybersecurity Risks, Observations & Best Practices
Earlier this year, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a report highlighting cybersecurity and resiliency observations, bringing more attention to how today’s businesses are building risk management programs and fending off growing cybersecurity threats. And with the COVID-19 pandemic forcing countless businesses to transition their workforces to remote environments, cybersecurity is a priority that organizations cannot afford to overlook.
We recently spoke with Demetria Johnson, a Director in MFA’s IT Advisory Practice, to review her own observations of the cybersecurity landscape and how customers are keeping security top of mind.
Q: Have you seen a change in leadership in recent years as the threat landscape has grown and regulatory agencies have put more pressure on companies to stay secure?
Demetria Johnson (DJ): We are definitely seeing more questions being asked — particularly at the board level and within audit committees. The C-suite and senior management are certainly more aware of possible threats and are taking steps in the right direction to address evolving threats and mitigate risks across the business.
Q: You’ve conducted a lot of risk assessments and IT audits. In what areas do you find customers are most in need of updated cybersecurity risk controls?
DJ: In general, business leaders are paying more attention to the technical risks, but the biggest piece still deficient is the human factor. As an employee connected to my company’s network and information, if I make a mistake and click on the wrong link or open the wrong attachment, I expose my company to serious risks.
We’re still seeing a lack of adequate training to make employees aware of these risks and give them the necessary education to mitigate these threats. Unfortunately, acknowledging that you read the company’s security policy isn’t enough protection.
Q: How are you seeing cyber threats manifest themselves, and what steps can organizations take immediately to shore up their risk management programs to address those threats?
DJ: The biggest trend we’re seeing in the industry is hackers going after individual employees (versus corporate-level attacks). Phishing emails and ransomware are two of the biggest ways they are targeting employees. The bad actors are trying to take advantage of individual weaknesses, laziness, and lack of knowledge, so that’s why that human education piece is so critical.
In addition to robust information security awareness training, we are starting to see some companies use simulated phishing exercises to test employee education. It’s a pretty compelling way to demonstrate whether individuals are able to assess security risks on their own or if they require more training.
Q: We’re all attached to our mobile devices at all times. Should we be more concerned about mobile cyber threats — and how can businesses address these concerns?
DJ: Yes, mobile threats are definitely a concern, notably for businesses with Bring Your Own Device (BYOD) policies. There’s an appeal to reducing costs by allowing employees to use their own devices, but safeguarding the appropriate company data becomes a much more difficult and important task. Through mobile device management policies, businesses can push down password management requirements and remote wiping capabilities, which is critical to protecting sensitive data.
Businesses that are still issuing company-owned devices tend to have a better handle on device security since they are responsible for managing the entirety of the device.
Q: Vendor management has been identified as a top area by OCIE. Do you find that companies are sufficiently aware of the risks posed by third-party relationships and do they have practices in place to manage vendors appropriately?
DJ: Are they aware of the threats? Yes. Do they have formal programs in place? Not necessarily.
When we complete SOC reports for customers, we always include a vendor management checklist, and we’d love to see more businesses following through on some of those guidelines. At the end of the day, third-party exposure can be a serious risk. And though awareness is up, the follow-through needs a little more work overall.
Q: What question do you get asked most often?
DJ: More often than not, the question is ‘Where do we start?’ We always advise starting with an enterprise risk assessment. This will help businesses to understand where their data is stored, what systems have access, the interconnections between systems, etc. Companies really need to start here so they can appropriately build out policies, procedures and trainings to protect sensitive information.
I also like to remind businesses up front about the potential risks that can come with a cybersecurity breach or lack of controls. They’re often focused on the data piece — which is critical, obviously — but reputational risk is something to keep in mind also. Bouncing back from a cyber-attack or incident is hard enough when you’re a global enterprise, but even more difficult for small-to-medium size companies.
Q: What is the single most important step companies should be taking to ensure comprehensive cybersecurity protection?
DJ: Training, training and more training. It doesn’t have to be complicated, but it does need to appropriately inform employees of the risks and explain how to mitigate them. It’s great if a simple training module can give real-life examples of what to do and what not to do in various scenarios. Coupled with a comprehensive security policy, this gives businesses the best chance of mitigating social engineering and human-directed threats.
And then Part 1B needs to be incident response. It’s great to have risk management policies and download templates and scorecards, but if you don’t have a plan in place to respond when something happens, you basically have nothing.
The SEC has spent recent years both educating businesses on cyber risks and observing practices across various business sizes and lifecycles. For more information on best practices and SEC recommendations, visit https://www.sec.gov/spotlight/cybersecurity.
MFA’s IT Advisory Team provides a full range of proactive technology and cybersecurity solutions to combat today’s growing IT challenges, including cybersecurity risk assessments, SOC reports and strategic IT consulting. Please reach out to a member of our team to discuss your business’ IT and cybersecurity objectives.