By Michael Kane, J.J Marshall & Associates

We all want to believe that our data security is bulletproof, that we have taken all the necessary measures to protect our systems and data, both proprietary and consumer, and that we are keeping this data private.  We have the best hardware and software solutions in place and top-notch, more-than-competent CISOs and IT personnel on constant alert.  Our employees are all familiar with proper data handling and with keeping consumer data private.  But we can never rest, let our guard down, or assume we have it all covered.  On either side of these measures and systems we must also equip our personnel, from the top echelons to the rank and file, to be part of the preventative strategies and the reactive measures.

An Ounce of Prevention…

All the firewalls, antivirus, and anti-malware are powerless against a click on one malicious link or the inadvertent sending of sensitive information through unsecure channels.  Consider the following questions:

  • How seriously does your entire organization take data privacy and security? Not just the folks dealing with it daily, but everyone?
  • Is data privacy and security part of your organizational culture?
  • Does everyone in your organization understand that it is everyone’s job to monitor and react?
  • Does everyone in your organization know their role before, during, and after an incident?
  • How often does your organization train, drill, and rehearse?
  • Is your organization utilizing the most up-to-date systems and methods to keep data secure?

If your answers differ much from “very seriously”, “yes, everyone”, “yes”, “yes”, “yes”, “continuously”, and “yes”, consider taking a deeper look into your data privacy and security programs and determining where improvements may be made.

It cannot be left to a few in an organization to protect the rest.  Data privacy and security must be part of the fabric of an organization, from clean desk and proper data handling and disposal by operational employees, to enterprise level systems management by the IT department.

Everyone has a role, inside and outside of an actual incident.  While some roles may be more visible and defined, as found in an organization’s incident response plans, everyone must know what they are expected to do when something happens, even if it is a simple “stay out of the way.”

Training must take place continuously.  The days of annual privacy and security training are long over.  Over time, poor habits can replace good habits in the handling of confidential data, and lessons learned may be forgotten.  Many professions require recurring training for even the most competent and well-trained personnel.  Refresher training for employees handling sensitive information will keep good habits top-of-mind.  At the enterprise level, while actual drills and incident response rehearsals may take place on a periodic basis, the preparation for these events must also be continuous.  Do not dust off the manuals the week before the drill.  Oh, and those manuals must be printed, on paper.  Do not assume you will have access to systems to read them when things go sideways.

Finally, data privacy and security systems continue to evolve.  While not every organization may be able to utilize, or afford, all the latest and greatest tools, it is a good investment to pick and choose those which may be implemented reasonably.  Consider the following, described briefly here and in more detail in a recent article published here.

  • Security Operations Center (SOC): SOCs provide a continuous, real-time defense against threats by monitoring an organization’s network traffic, endpoints, servers, and systems.
  • Security Information and Event Management (SIEM): SIEM is utilized within an SOC and gathers log and event data from all types of devices and applications for centralized analysis. Correlation rules and machine learning algorithms assist in detecting potentially malicious patterns.
  • Extended Detection and Response (XDR): XDR integrates security layers into a combined solution, and can leverage SIEM, endpoint detection and response (EDR) (see below), and network traffic analysis (NTA) tools. XDR leverages security data from this integration, applying advanced analytics, behavioral analysis, and machine learning to build increased threat visibility and robust threat detection.
  • Endpoint Detection and Response (EDR): EDR tools continuously monitor and analyze activities on endpoints (computers, mobile devices, and servers) in real time. Activities monitored may include process execution, network connections, file changes, and logins.
  • User and Entity Behavior Analytics (UEBA): UEBA utilizes machine learning, statistical analysis, and advanced analytics to detect unusual or risky behavior by users, devices, and applications within a network. UEBA is useful for identifying insider threats, compromised accounts, malware, data exfiltration, and other advanced threats, and can surface harder-to-find threats that rule-based solutions may miss.
  • Data Loss Prevention (DLP) Tools: DLP tools prevent the unauthorized access, transfer, or sharing of data, and are used to identify, monitor, and protect data in use, in transit, or at rest. They may also be used to determine what data may have been affected by a security incident.
  • Data Correlation Techniques: These techniques connect seemingly unrelated events and compare event logs across multiple devices to detect anomalous behavior and threats.

… Is Worth a Pound of Cure.  Or is it?

In the world of data privacy and security, there really is no “cure.”  If data is mishandled or a data breach or security incident occurs, an organization may not survive the resulting impacts of mitigation and remediation, regulatory consequences, payouts to victims, increased oversight, stress on continuing day-to-day operations, loss of clients and of new business.  Even if an organization recovers, it may never be the same.  Do not subscribe to the adage that “what doesn’t kill us makes us stronger.”  Rather, where there is no cure, organizations must inoculate through prevention and preparation.

Michael joined JJ Marshall as Chief Compliance Officer in June 2024. Before moving to JJM, Michael worked for Unifund for over 19 years, his last three years as Chief Compliance Officer, and prior to that in positions in Inventory and Vendor Management, Business Intelligence, Legal Operations Management, analytics, and sales. He is certified with the Receivables Management Association International as a Certified Receivables Compliance Professional, and with the American Collectors Association as a Credit and Collections Compliance Officer.