By Michael Kane, J.J Marshall & Associates
Cybersecurity is a shared responsibility of all users and departments across your organization. Everyone has an obligation to do their part to safeguard company, client, and consumer information. A single incident can, at worst, bring down a company, and at the very least will require the time and effort, often significant, of multiple internal and external resources to lock down, remediate, and recover. Know your role in your company’s cybersecurity program!
End Users:
Follow these key points to be an integral part of the foundation of your organization’s security.
- Use strong, unique passwords:
  - Passwords should be complex and meet or exceed the minimum standards required by your company.
  - Use a password manager approved by your company.
  - Never share passwords! Did you know that even your IT department likely does not know or have access to your own passwords?
- Beware of email:
  - Phishing attacks are more sophisticated than ever.
  - Verify that the sender is who they claim to be, and hover over links to confirm they are legitimate and lead to the intended destination.
  - Still not sure? Call the sender on a known, trusted phone number to verify the email and its contents or links.
  - When in doubt, don’t click!
- See something, say something:
  - If something just doesn’t seem right, escalate to your manager, your IT manager, or your Compliance manager.
  - Follow your company’s policies and procedures to ensure appropriate actions are taken.
Managers:
Maintain involvement with your teams, and encourage full participation and two-way communication. Lead by example.
- Foster a culture of cybersecurity awareness:
  - Make cybersecurity a regular topic of team meetings.
  - Include examples (good and bad) of what happens when there is an incident.
- Work with your training department:
  - Ensure 100% participation in training presentations and exercises.
- Encourage and empower employees:
  - Motivate everyone to speak up, to share, and to report issues or incidents.
  - Create a safe environment where employees may do so without fear of punishment or retribution.
- Lead by example:
  - Diligently follow your company’s cybersecurity policies and procedures.
IT Leaders and Professionals: The Gatekeepers of Trust
As appropriate to the size, scope, and potential exposure of your organization’s operations, review the following controls and implement those that apply, to ensure the highest level of security for your, and your clients’, sensitive information.
- Zero Trust Architecture
  - Assume anything may be a breach.
  - Verify every user, device, and connection.
  - Implement granular access controls, segmentation, and continuous monitoring.
- Real-Time Threat Detection & SIEM Tools
  - Deploy a modern SIEM or XDR platform for real-time log analysis, anomaly detection, and fast incident response.
  - Integrate with threat intelligence feeds.
- Security Awareness & Phishing Simulation Training
  - Work with your company’s training department to build a relevant and robust training program.
  - Implement simulated phishing emails and mandate additional training for users who click on or open them.
- Patch Management & Vulnerability Scanning
  - Automate patch cycles.
  - Keep software and systems updated to prevent incidents caused by unpatched vulnerabilities.
  - Run internal and external system scans on a regular schedule.
- Multi-Factor Authentication (MFA) Everywhere
  - Require MFA for all end users, privileged accounts, VPN access, cloud consoles, and critical systems.
- Data Loss Prevention (DLP) & Encryption Policies
  - Implement DLP to monitor the movement of sensitive data.
  - Enforce encryption at rest and in transit.
- Incident Response (IR) Playbooks & Tabletop Exercises
  - Document complete IR plans for the full spectrum of incident types.
  - Conduct regular exercises to test your plans, emphasizing individual roles, team coordination, regulatory communication, and recovery procedures.
  - Maintain paper copies of playbooks. Assume you will have no system access when an incident occurs.
- Backups + Ransomware Resilience
  - Implement immutable, offsite backups and regular recovery testing.
  - Prepare ahead of time for ransomware attacks and decide what your company’s response to demands will be.
Don’t risk unnecessary exposure to client fallout, regulatory action, reputational damage, and legal consequences. Know your role and play your part in your company’s information and cybersecurity program, and don’t let your guard down.

Michael joined JJ Marshall as Chief Compliance Officer in June 2024. Before moving to JJM, Michael worked for Unifund for over 19 years, his last three years as Chief Compliance Officer, and prior to that in positions in Inventory and Vendor Management, Business Intelligence, Legal Operations Management, analytics, and sales. He is certified with the Receivables Management Association International as a Certified Receivables Compliance Professional, and with the American Collectors Association as a Credit and Collections Compliance Officer.