Due Diligence in Cybersecurity

Introduction

Due diligence can be defined as an action that is considered reasonable for people or businesses to be expected to take to keep themselves or others and their assets safe from harm. Due diligence is often associated with legal matters and corporate acquisitions. As cybersecurity moves slowly beyond being technology and encryption focused to include other specialists making use of due diligence to aid in protecting company assets and to mitigate risks is vital. So what is cybersecurity due diligence? The term has been defined as “the review of the governance, processes and controls that are used to secure information assets.” Such due diligence obligations may exist between states, between non-state actors (e.g., private corporations), and between state and non-state actors. This blog will examine the issues surrounding due diligence in cybersecurity and why they are vital to preventing or mitigating cyber attacks.

Why should we worry about Due Diligence?

The various regulation and standards that relate to cybersecurity include aspects of due diligence when companies implement security measures or determine their acceptable level of risk. Data Protection, like GDPR, emphasizes organisations to take the necessary measures to ensure data is kept secure throughout its life-cycle. Also, Privacy regulations again are putting the emphasise on organisations to take responsibility for the data and information they collect, process and retain.

When it comes to acquisitions the legacy assets from the organisation itself and other company it acquires all require a measure due diligence as they may affect or create new risk when integrating legacy systems. By opening up new attack surfaces which were not present in the original parent company and acquired company when they were operating separately – thus the importance of doing a pre and post risk assessment, which should include (but not be limited to) penetration tests and access control audits, to avoid the chances of excessive privileges and creeping privileges as a result of the take-over. This basic cybersecurity due to diligence controls often are ignored and should be done to include cybersecurity audits and remediation processes.

Whom Does Due Diligence Affect

Due diligence affects the company, their 3rd-party partners, the employees of those companies. As a lack of  oversight of third parties can increase the risk of successful cyber attacks because vendor breaches can lead to regulatory actions for companies. Indeed, recent regulatory guidance provides that vendor diligence is an essential part of any cybersecurity program. This makes sense; there is no point in spending time and resources protecting the data on your network if that same data is unprotected at a vendor.

The reputation of companies can suffer it in the event of a cyber-attack and/or data breach. Especially if it turns out a lack of due diligence ensuring security controls and policies were implemented was responsible for the cyber-attack and/or data breach. With the risks of fines under GDPR can be up to 4% of annual global turnover or €20 million whichever is greater the cost of lack of due diligence in cybersecurity for many companies is now a serious risk to their bottom line.

Problems that can undermine due diligence:
  • Unknown and Forgotten Applications and Websites - Security vulnerabilities and exploits may lead to an attacker taking advantage. These can occur due to poor record-keeping and employee turnover. 
  • Software patches - Look-up Wannacry incident as to why software should always be kept up to date. 
  • Firmware upgrades - See above. This is old advice that ideally everyone should already be doing. There are no longer excuses for not enabling automatic or scheduled updates. Compromise about timing and availability need to be made the excuse that a system is needed 24/7 is too simplistic. Downtime for maintenance is vital. If a system is needed 24/7 ideally you need a duplicate so you can switch between the two to carry out maintenance. If a company cannot have that then they should accept that a 24/7 service is not realistic if they want to stay secure.
  • Default login for connected devices - An old problem of connected devices – such as Ethernet and Wi-Fi routers, SCADA and other mass-produced items with network or internet connectivity – are not updated to replace the manufacturer’s default login. These default logins allow outside parties to expose the company to various penetration risks to which the compromised connected device is connected. When evaluating devices, the company should implement password policies for these devices and maintain a list of any devices that use the manufacturer default login settings. Scanners that can examine whether default login credentials are being used are available to identify devices in question.
  • User Training and Enforcement - The weakest link in a company’s cybersecurity policy is the human element (though the potential to be the strongest). Use of noncompany email accounts, “bring your own device” instances, use of cloud storage (e.g., Dropbox, OneDrive, Google Drive) or bringing infected USB drives and flash drives to work increase vulnerabilities for a breach. A company should maintain policies toward personnel training and enforcement in these areas, instances of past breaches due to human factors and measures used to correct or prevent these instances, such as prohibiting use of nonwork email accounts or cloud storage applications, security software that scans devices inserted into company hardware or requiring two-factor authentication for all logins to company data or networks.

What steps can help ensure Due Diligence in Cybersecurity

Thus the importance of a companies due diligence is in its risk management. This means continual assessment and reassessment. Unfortunately, a company may struggle to identify most material risks without active engagement with their third-parties. 
One way to ensure diligence: Security Information Event Management (SEIM). Through machine learning and automation, SIEM can help companies identify potential vulnerabilities in their IT environment. This includes third-parties and the databases they with which they regularly connect. They can closely monitor the most sensitive databases with close log management and security event correlation. 
Further, they can deploy User and Entity Behaviour Analytics (UEBA) capabilities through SIEM which watches for insider third-party threats. Any abnormal behaviours could indicate a cyber risk and thus a potential data breach or ongoing attack. Hopefully, shortening their investigation times and reduce mitigation and remediation time. 

Along with:
  • Information Governance: Are there data inventories? How is data storage managed? Who takes ownership of this?
  • Data Privacy: How is sensitive information used? Who can access and how?
  • Risk Assessment: Is risk assessed through a structured process, at regular intervals?
  • Strategy & Program Design: Are there documented policies and procedures? Is there a formalized governance process?
  • Information Security: Are there processes in place to protect, detect, respond and remediate threats?
  • Cyber Threat Intelligence: Is there a process in place to proactively understand and manage the threat environment?
  • Incident Response: Is there a documented plan in place as to how to respond to an incident? Is there an adequate and tested disaster recovery process?
  • Cyber Insurance: Are the policies structured to effectively mitigate all aspects of risk associated with cyber?
  • Industry: Is there a process in place to understand the valuable assets and associated threats of that specific industry?
  • Business: Is there a process and plan in place to involve all business units in security?
  • Cultural: Is there an awareness of the importance of security and do all insiders understand their role in maintaining that security?
  • Financial: How is the security program funded and is there a process in place to ensure that investment benefits are maximized?

Conclusion

The area of Due Diligence when considered and implemented as part of the cybersecurity tool kit can help understand risk and minimise the impact of the potential attacks. It can be considered part of the key element to stop or move cybersecurity from operating in its bubble. 

Sources

Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more