Due Diligence in Cybersecurity
Due diligence can be defined as the actions that a person or business can reasonably be expected to take to keep themselves, others and their assets safe from harm. The term is most often associated with legal matters and corporate acquisitions. As cybersecurity slowly moves beyond a purely technology- and encryption-focused discipline to include other specialists, using due diligence to protect company assets and mitigate risk becomes vital. So what is cybersecurity due diligence? The term has been defined as “the review of the governance, processes and controls that are used to secure information assets.” Such due diligence obligations may exist between states, between non-state actors (e.g., private corporations), and between state and non-state actors. This blog will examine the issues surrounding due diligence in cybersecurity and why they are vital to preventing or mitigating cyber attacks.
Why should we worry about Due Diligence?
The various regulations and standards that relate to cybersecurity include aspects of due diligence in how companies implement security measures and determine their acceptable level of risk. Data protection law such as GDPR requires organisations to take the necessary measures to keep data secure throughout its life-cycle, and privacy regulations again place the emphasis on organisations to take responsibility for the data and information they collect, process and retain.
When it comes to acquisitions, the legacy assets of both the acquiring organisation and the company it acquires require a measure of due diligence, because integrating legacy systems may affect existing risks or create new ones. Integration opens up attack surfaces that were not present while the parent company and the acquired company operated separately. Hence the importance of a pre- and post-acquisition risk assessment, which should include (but not be limited to) penetration tests and access control audits, to reduce the chance of excessive privileges and privilege creep resulting from the take-over. These basic cybersecurity due diligence controls are often ignored; they should be carried out and should include cybersecurity audits and remediation processes.
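The access control audit described above can be made concrete by diffing entitlement snapshots taken before and after integration. This is an added example, not code from the original post; the account names, systems and privileges are constructed sample data, and the two checks (privilege creep per account, and accounts whose reach now spans both legacy estates) are the author of this example's own choice of what such an audit should flag.

```python
"""Pre/post-acquisition access-control audit (added example, not from the post).
Constructed entitlement snapshots as (account, system, privilege) triples are
compared to flag privilege creep and new cross-estate reach after a take-over."""
from collections import defaultdict

# Constructed sample data: entitlements held in each estate before the take-over.
PARENT_BEFORE = {
    ("alice", "erp-parent", "read"),
    ("alice", "erp-parent", "admin"),
    ("svc-backup", "fileshare-parent", "read"),
}
ACQUIRED_BEFORE = {
    ("bob", "crm-acq", "read"),
    ("svc-backup", "crm-acq", "read"),   # same service-account name exists in both estates
}
SYSTEM_ESTATE = {"erp-parent": "parent", "fileshare-parent": "parent", "crm-acq": "acquired"}

# Constructed post-integration snapshot: the merged directory plus two grants made during integration.
AFTER = PARENT_BEFORE | ACQUIRED_BEFORE | {
    ("bob", "erp-parent", "read"),        # acquired-side user given access to the parent ERP
    ("svc-backup", "crm-acq", "admin"),   # backup account escalated to admin on the CRM
}

def privilege_creep(before, after):
    """Return {account: [(system, privilege), ...]} for entitlements not held before."""
    gained = defaultdict(list)
    for acct, system, priv in sorted(after - before):
        gained[acct].append((system, priv))
    return dict(gained)

def cross_estate_accounts(after, system_estate):
    """Accounts whose entitlements span both legacy estates: a path that did not exist pre-merger."""
    estates = defaultdict(set)
    for acct, system, _ in after:
        estates[acct].add(system_estate[system])
    return sorted(acct for acct, seen in estates.items() if len(seen) > 1)

if __name__ == "__main__":
    before = PARENT_BEFORE | ACQUIRED_BEFORE
    for acct, new in privilege_creep(before, AFTER).items():
        print(f"CREEP {acct}: {new}")
    print("cross-estate reach:", cross_estate_accounts(AFTER, SYSTEM_ESTATE))
```

Note that the colliding `svc-backup` name is flagged even though no new grant was made to it in the parent estate: simply merging two directories gave one identity reach into both.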
Whom Does Due Diligence Affect
Due diligence affects the company, its third-party partners and the employees of those companies. A lack of oversight of third parties increases the risk of successful cyber attacks, and vendor breaches can lead to regulatory action against the company. Indeed, recent regulatory guidance provides that vendor diligence is an essential part of any cybersecurity program. This makes sense: there is no point in spending time and resources protecting the data on your network if that same data is unprotected at a vendor.
A company's reputation can suffer in the event of a cyber-attack and/or data breach, especially if it turns out that a lack of due diligence in ensuring security controls and policies were implemented was responsible. With fines under GDPR of up to 4% of annual global turnover or €20 million, whichever is greater, the cost of a lack of due diligence in cybersecurity is now a serious risk to many companies' bottom line.
Problems that can undermine due diligence:
- Unknown and Forgotten Applications and Websites - Security vulnerabilities in them may be exploited by an attacker. Such blind spots can occur due to poor record-keeping and employee turnover.
- Software patches - Look up the WannaCry incident for why software should always be kept up to date.
- Firmware upgrades - See above. This is old advice that ideally everyone should already be following. There are no longer excuses for not enabling automatic or scheduled updates. Compromises about timing and availability need to be made; the excuse that a system is needed 24/7 is too simplistic. Downtime for maintenance is vital. If a system is needed 24/7, you ideally need a duplicate so you can switch between the two to carry out maintenance. If a company cannot have that, it should accept that a 24/7 service is not realistic if it wants to stay secure.
- Default login for connected devices - An old problem with connected devices – such as Ethernet and Wi-Fi routers, SCADA equipment and other mass-produced items with network or internet connectivity – is that they are not updated to replace the manufacturer’s default login. These default logins allow outside parties to expose the company to various penetration risks on whatever network the compromised device is connected to. When evaluating devices, the company should implement password policies for them and maintain a list of any devices that still use the manufacturer default login settings. Scanners that can examine whether default login credentials are in use are available to identify the devices in question.
- User Training and Enforcement - The weakest link in a company’s cybersecurity policy is the human element (though it has the potential to be the strongest). Use of non-company email accounts, “bring your own device” instances, use of cloud storage (e.g., Dropbox, OneDrive, Google Drive) or bringing infected USB drives and flash drives to work all increase the chance of a breach. A company should maintain policies on personnel training and enforcement in these areas, keep records of past breaches due to human factors and of the measures used to correct or prevent them, such as prohibiting use of non-work email accounts or cloud storage applications, security software that scans devices inserted into company hardware, or requiring two-factor authentication for all logins to company data or networks.
What steps can help ensure Due Diligence in Cybersecurity
Thus the importance of a company's due diligence lies in its risk management. This means continual assessment and reassessment. Unfortunately, a company may struggle to identify its most material risks without active engagement with its third parties.
One way to ensure diligence is Security Information and Event Management (SIEM). Through machine learning and automation, a SIEM can help companies identify potential vulnerabilities in their IT environment. This includes third parties and the databases with which they regularly connect. Companies can closely monitor the most sensitive databases through careful log management and security event correlation.
Further, they can deploy User and Entity Behaviour Analytics (UEBA) capabilities through the SIEM, which watch for insider and third-party threats. Any abnormal behaviour could indicate a cyber risk and thus a potential data breach or ongoing attack. This should shorten investigation times and reduce mitigation and remediation time.
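To show what the UEBA-style monitoring of a third party's database access looks like in practice, here is an added example that is not code from the original post or from any SIEM product. It assumes a constructed audit-log line format (`user=`, `src=`, `db=`, `table=`, `rows=` fields after an ISO timestamp), builds a baseline of what a vendor account normally does, and scores new events against that baseline for new source host, new table, unusual hour and row-volume spike; the 3-sigma threshold and the field names are assumptions.

```python
"""Third-party database access baselining (added example, not from the post).
Builds a per-account behaviour profile from constructed audit-log lines, then
scores new events against it the way a UEBA rule in a SIEM would."""
import re
from collections import defaultdict
from statistics import mean, pstdev

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$")
# Constructed baseline window: a vendor account doing nightly batch reads.
BASELINE_LOGS = """\
2024-03-01T02:10:05 user=vendor_etl src=10.9.0.5 db=customers table=orders rows=1200
2024-03-02T02:12:41 user=vendor_etl src=10.9.0.5 db=customers table=orders rows=1150
2024-03-03T02:09:58 user=vendor_etl src=10.9.0.5 db=customers table=orders rows=1300
2024-03-04T02:11:13 user=vendor_etl src=10.9.0.5 db=customers table=orders rows=1250
""".splitlines()

def parse(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    ev["hour"] = int(ev["ts"][11:13])   # hour of day from the ISO timestamp
    return ev

def build_baseline(lines):
    """Per-user profile: hosts, tables and hours seen, plus row-count history."""
    prof = defaultdict(lambda: {"src": set(), "table": set(), "hour": set(), "rows": []})
    for ev in filter(None, map(parse, lines)):
        p = prof[ev["user"]]
        p["src"].add(ev["src"]); p["table"].add(ev["table"])
        p["hour"].add(ev["hour"]); p["rows"].append(ev["rows"])
    return prof

def score(ev, prof, sigma=3.0):
    """Return the anomaly reasons for one event; an empty list means it looks normal."""
    p = prof.get(ev["user"])
    if p is None:
        return ["unknown-account"]
    reasons = []
    if ev["src"] not in p["src"]: reasons.append("new-source-host")
    if ev["table"] not in p["table"]: reasons.append("new-table")
    if ev["hour"] not in p["hour"]: reasons.append("unusual-hour")
    mu, sd = mean(p["rows"]), pstdev(p["rows"])
    if ev["rows"] > mu + sigma * max(sd, 1.0): reasons.append("volume-spike")
    return reasons
```

A real deployment would build the baseline over weeks rather than four lines and feed the reasons into the SIEM's correlation rules, but the structure (profile per entity, deviation per field) is the same.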
- Information Governance: Are there data inventories? How is data storage managed? Who takes ownership of this?
- Data Privacy: How is sensitive information used? Who can access and how?
- Risk Assessment: Is risk assessed through a structured process, at regular intervals?
- Strategy & Program Design: Are there documented policies and procedures? Is there a formalized governance process?
- Information Security: Are there processes in place to protect, detect, respond and remediate threats?
- Cyber Threat Intelligence: Is there a process in place to proactively understand and manage the threat environment?
- Incident Response: Is there a documented plan in place as to how to respond to an incident? Is there an adequate and tested disaster recovery process?
- Cyber Insurance: Are the policies structured to effectively mitigate all aspects of risk associated with cyber?
- Industry: Is there a process in place to understand the valuable assets and associated threats of that specific industry?
- Business: Is there a process and plan in place to involve all business units in security?
- Cultural: Is there an awareness of the importance of security and do all insiders understand their role in maintaining that security?
- Financial: How is the security program funded and is there a process in place to ensure that investment benefits are maximized?
Due diligence, when considered and implemented as part of the cybersecurity tool kit, can help an organisation understand its risk and minimise the impact of potential attacks. It can be considered a key element in stopping cybersecurity from operating in its own bubble.