An Overview of Due Diligence and Due Care in Cyber Security#

The top management of a company bears primary responsibility for the safety and security of its valued assets. Therefore, the backing of top-level management and their understanding of the many cyber risks faced by the company are the cornerstones of an effective security management program. The senior management of the organization must be aware of the many risks to its assets, as well as those risks’ consequences and potential financial losses.

Management’s failure to understand the significance of cyber risk and security management, and its failure to devote the required time and resources to managing organizational risks, could have disastrous implications for an organization. This implies that if top-level management fails to exercise due diligence and due care, they can be held accountable and liable under various laws and regulations. This article discusses the basic ideas behind due diligence and due care, their significance in relation to cyber security, and several approaches to practicing them inside an organization.

What is meant by Due Diligence?#

Due diligence can be defined as performing all the necessary steps to prevent something bad from happening to other people or their property. Due diligence helps individuals or organizations gain situational awareness before making important decisions or starting a new project. To understand this concept a little further, consider an example: a company decides to invest in a new venture. Before embarking on this project, the company performs a review or investigation of all the potential issues surrounding the project and uses this information to decide whether investing in that particular project is a good decision or not. By performing these steps the company has exercised due diligence before taking on the project.

The concept of due diligence is very important in the domains of business, finance, compliance, and many others. Due diligence is a crucial business strategy that helps organizations examine and weigh the risk of making specific decisions, such as acquiring or merging with another business. This strategy assists businesses in considering all of the risks associated with a certain business decision before putting their resources into action. Before merging with another company, purchasing stock or real estate, investing, insuring, or working with business partners, particularly when doing so globally, all businesses and organizations are required to perform a due diligence assessment. Due diligence helps decision-makers make wise and informed business decisions by raising the quality of the information at their disposal.

What is meant by Due care?#

On the other hand, practising the essential caution that a sensible and competent person would take in the same scenario in order to avoid harming others is known as exercising due care. Due care demonstrates that a person has exercised appropriate caution in carrying out their obligations and has acted in a way that doesn’t break the law. For instance, a user might try to visit a dubious website, but first a security warning appears on the user’s screen, alerting them to the risk of accessing the site, such as the theft of personal data. However, the user chooses to disregard the security notice and continues to view the website. By disregarding the security alert in this instance, the user has failed to exercise due care.

Due care is an important notion that has been adopted by practically every industry. It entails the obligation to follow the technical and ethical requirements of the field, to keep one’s skills current, and to carry out one’s tasks as effectively as possible. Failure to exercise due care can result in the individual or organization in question being held accountable for negligence, as well as facing monetary fines.

Due Diligence and Due Care in the Context of Cyber Security#

In the area of cyber security as well, exercising due diligence and due care is quite important. Due diligence and due care ensure that the organization takes the security of its assets very seriously and takes the required actions to protect its reputational, financial, and legal interests. For example, suppose an organization’s intellectual property consists of some files that employees are not allowed to share with anyone. However, the organization doesn’t take the relevant threats into account and fails to protect these critical resources. If an employee shares this information with an outsider and is terminated as a result, he/she can sue the company for wrongful termination. Because the organization didn’t exercise due diligence and due care to protect its resources, it ends up losing the legal battle against the former employee.

The organization’s overall security posture is improved with due diligence and due care. Due diligence and due care secure management support for developing a strong security management system by ensuring that top-level management is aware of its legal and regulatory obligations to protect the organization’s sensitive or critical data. As noted previously, conducting cybersecurity due diligence is very important during mergers and acquisitions, since it may reveal security issues that could pose problems for the company, and thus it aids in renegotiating the deal’s conditions or price. To ensure that the organization is fully compliant and that cyber risks are kept to a minimum, the identified risks are then handled by taking the required steps in the form of due care.

Examples of Exercising Due Diligence in an organization#

This section explains some of the ways in which an organization can perform due diligence. These examples are as follows:

Identification of Organization’s assets#

Identifying all of the organization’s assets is one of the first steps towards performing due diligence. If the organization isn’t aware of all the assets it possesses, it isn’t possible to provide sufficient security controls to protect those assets from different threats. These resources can be of many different kinds, ranging from tangible fixed assets like the organization’s facilities and hardware equipment to intangible resources like intellectual property. An asset inventory, therefore, serves as a crucial step in performing organizational due diligence.

Cyber Security Risk Assessment#

Another important example of performing due diligence in an organization is cyber security risk assessment. Cyber security risk assessment involves the identification and evaluation of threats to the valuable assets of an organization and the loss potential due to each threat. It, therefore, assists in assessing the level of risk due to each threat and provides the necessary information to the decision-makers in order to decide on the risk remediation strategies.

Vulnerability Assessment#

Vulnerability assessment also forms one of the due diligence-related activities in an organization. The purpose of a vulnerability assessment is to evaluate the organization’s IT infrastructure and identify any software or hardware-related vulnerabilities. Each discovered vulnerability is then assigned a severity level according to the risk posed by its exploitation, and this information is used to recommend appropriate mitigation strategies.

Vendor Risk Management#

Third-party suppliers who provide services to the company are referred to as vendors. A data breach or other cyberattack on a vendor can expose the sensitive company data that vendor holds, jeopardizing the security of that data. Therefore, before signing the deal, the company must consider all of the risks involved and assess them properly. This can entail confirming the vendor’s information security protocols and perhaps even running background checks on important shareholders. The organization must also implement security measures for regularly analyzing and monitoring the risks posed by third-party suppliers.

Threat Hunting#

Threat hunting represents a very important part of due diligence activities in the organization. Threat hunting refers to the set of techniques that are used to proactively search for cyber threats that remain undetected in an organization’s network. Cyber threat hunting scours the organization’s network environment for malicious activity that has eluded the endpoint security detection systems. The company can search for various security threats using a variety of indicators of compromise. Indicators of compromise, or IOCs for short, are pieces of forensic evidence that show that a cyberattack has occurred. Some of the most common examples of indicators of compromise include suspicious network traffic, multiple failed login attempts, anomalies in privileged account activity, and much more. Using these IOCs an organization can detect whether a certain attack has taken place or is still underway.
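The following is an added example, not code from the original article, showing what hunting on two of the IOCs named above (repeated failed logins and anomalous privileged-account activity) looks like in practice. The log line format, the sample lines, the list of privileged accounts, the business-hours window and the failure threshold are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): a small threat-hunting
check that scans constructed authentication log lines for two IOCs,
repeated failed logins from one source and privileged-account activity
outside expected hours. Log format, thresholds and account names are
assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "<ISO timestamp> <event> user=<name> src=<ip>" format.
SAMPLE_LOG = """\
2024-03-10T09:12:01 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-10T09:12:05 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-10T09:12:09 LOGIN_FAILED user=bob src=203.0.113.7
2024-03-10T09:12:14 LOGIN_FAILED user=carol src=203.0.113.7
2024-03-10T09:12:20 LOGIN_FAILED user=dave src=203.0.113.7
2024-03-10T09:12:25 LOGIN_FAILED user=erin src=203.0.113.7
2024-03-10T10:30:00 LOGIN_OK user=alice src=198.51.100.20
2024-03-10T11:02:33 LOGIN_FAILED user=bob src=198.51.100.21
2024-03-10T11:02:40 LOGIN_OK user=bob src=198.51.100.21
2024-03-10T03:17:45 LOGIN_OK user=svc-backup src=192.0.2.9
2024-03-10T03:18:02 PRIV_ESC user=svc-backup src=192.0.2.9
2024-03-10T14:45:10 LOGIN_OK user=admin src=198.51.100.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Assumed set of privileged accounts and the hours in which their activity is expected.
PRIVILEGED_ACCOUNTS = {"admin", "svc-backup"}
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59, an assumption for this example


def parse_log(text):
    """Parse each line into a dict; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def failed_login_sources(events, threshold=5):
    """IOC 1: source addresses with at least `threshold` failed logins.

    Counting per source rather than per user also surfaces password spraying,
    where each account sees only one or two failures."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def privileged_activity_anomalies(events):
    """IOC 2: any event by a privileged account outside business hours."""
    return [
        (e["ts"].isoformat(), e["user"], e["event"])
        for e in events
        if e["user"] in PRIVILEGED_ACCOUNTS and e["ts"].hour not in BUSINESS_HOURS
    ]


def hunt(text):
    """Run both IOC checks over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "failed_login_sources": failed_login_sources(events),
        "privileged_anomalies": privileged_activity_anomalies(events),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_LOG).items():
        print(name, finding)
```

On the sample above the first check flags 203.0.113.7, which failed against six different accounts in under half a minute, while the single failure from 198.51.100.21 followed by a success stays below the threshold; the second check flags the two night-time events by svc-backup but not the daytime admin login. Real hunts would read the same logic against SIEM or endpoint telemetry and tune the threshold and hours to the environment.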

Examples of Exercising Due Care in an organization#

This section explains some of the ways in which an organization can perform due care. These examples are as follows:

Security Awareness and Training Programs#

Security awareness and training programs are one of the most important ways in which an organization can exercise due care. Security awareness programs are meant to educate an organization’s employees about the different tactics and techniques that can be used by malicious adversaries and what employees can do if they notice suspicious activity. These awareness programs must be conducted regularly and educate the organization’s employees about how to perform their job duties in a manner that doesn’t compromise the security of the organization. Security training programs are meant for the organization’s IT staff and provide them with the technical security training related to their job responsibilities. Through the implementation of these programs, an organization can improve its security posture by cultivating a security culture among its employees.

Disaster Recovery Planning#

Organizations suffer from various disasters or disruptions that can affect normal business activities. It is very important that the organization is well prepared for any event that can disrupt its important business functions, and thus disaster recovery planning (DRP) forms an important part of the organization’s due care activities. The goal of disaster recovery planning is to minimize the effect of a disaster or disruption on an organization’s activities and to resume the organization’s business operations in a timely manner.

Business Continuity Planning#

A very important component of the organization’s efforts to provide due care is business continuity planning (BCP). The goal of business continuity planning is to make sure that a security incident won’t impair an organization’s essential business operations. A business continuity plan is more thorough than a disaster recovery plan and includes backup plans for all potentially vulnerable corporate operations, including assets, personnel, business partners, and business processes, whereas a disaster recovery plan is more focused on the IT infrastructure. Therefore, a company must make sure that it creates a suitable BCP and constantly reviews and updates it so that the business can continue operating despite various security issues.

Creating and Enforcing Organization’s Security Policies and Procedures#

An organization’s security policies and procedures are among the most important components of the overall cyber security management program. These organizational policies are high-level directives that outline the importance of security in the organization, provide direction on how certain security issues will be handled, and assign the roles and responsibilities associated with implementing these policies. Organizational procedures, on the other hand, are more tactical and contain step-by-step instructions for dealing with a security issue. The ultimate responsibility for forming and implementing these policies lies with higher management.

Establishing Necessary Security Controls#

It is necessary to establish different controls to remediate security vulnerabilities and mitigate the risks due to security threats. In the absence of such security controls, an organization’s assets are at risk from different cyber attacks. Therefore, establishing security countermeasures to combat these attacks forms an essential part of due care in an organization. Some of the most important security controls in an organization are as follows:

  • Network Security Controls such as data loss prevention systems, intrusion detection systems, configuring access control lists in firewalls, using proxy servers, and much more.

  • Endpoint Security Controls such as installation of the latest antivirus software, installation of the latest security patches, encryption controls, URL filtering, and much more.

  • Administrative Security Controls such as establishing access controls for different user roles, implementing the principle of least privilege, enforcing separation of duties, and much more.

  • Physical Security Controls such as using CCTV cameras; using biometric, RFID (Radio Frequency Identification), or PIN code-based facility access controls; installation of fences; and much more.

Data Backup and Recovery Mechanisms#

Data backup and recovery is the set of technologies used to back up your data ahead of a loss or security incident and to establish secure systems that allow you to recover that data afterwards. Data backup requires copying and archiving the necessary organizational data so that it remains accessible in case of data corruption or deletion. You can only recover data from an earlier point in time if you have backed it up with a reliable backup system. Establishing and configuring data backup and recovery systems is crucial for any organization to remain operational even under adverse situations, and therefore forms an essential part of due care activities.

Why is it important to perform cyber security Due Diligence and Due Care in an organization?#

Performing cyber security due diligence and due care is extremely important for organizations around the world for a variety of reasons. This section highlights the importance of exercising cyber security due diligence and due care in an organization.

  • Cyber security due diligence and due care reduce the legal liabilities of the organization’s upper management, such as being sued by customers, shareholders, or third parties under various laws and regulations.

  • Cyber security due diligence and due care reduce overall risk to the organization and help higher management make informed decisions before starting a new project.

  • Cyber security due diligence and due care increase an organization’s resiliency to different cyber attacks. By taking into account different ways that the organization’s security can be compromised, due diligence and due care ensure that the organization employs different defense-in-depth strategies for dealing with security incidents.

  • Cyber security due diligence and due care enable an organization to develop different security metrics to measure the performance of existing security controls, deal with evolving risks, and realize new opportunities for business growth in a manner that is safe and secure for the organization.
