Posted on Jun 14, 2021
Cybersecurity is more than “just” technology these days. With legislative bodies increasingly writing more laws, technology and legal terminologies have become more intertwined than ever before. As organizations build cyber risk strategies, they need to understand risk mitigation’s underlying goal. This is why understanding the difference between due care and due diligence is important to how you set your risk mitigation strategies.
According to the online version of Black’s Law Dictionary, due care is engaging in just, proper, and sufficient care based on given circumstances to show the absence of negligence. Additionally, due care is defined as sufficient care, implying a person has not been careless and has not violated a law. In non-legal terms, due care focuses on whether someone’s actions did not contribute to harm or violate the law.
Due care focuses on whether someone did what they were supposed to do, regardless of the situation. For example, if you’re driving your car, you’re expected to engage in safe behavior that prevents a car accident. You’re expected to follow the speed limit and not text while driving. A reasonable person would consider those activities proof of “due care.”
Due diligence, while similar to due care, has a slightly different meaning. According to the online version of Black’s Law Dictionary, due diligence applies the idea of reasonable to how a person acted under the particular set of circumstances at issue. In non-legal terms, due diligence focuses on whether the average person would have done the same thing if they were in the same situation.
Due diligence focuses on whether someone did what other reasonable people would do based on the situation they were in. Returning to the driving analogy, if you get into an accident because you hit a car stopped at a traffic light, people are going to ask a lot of questions about your actions beyond proving that you followed the law. Even if you weren’t speeding or texting, you’ll need to show that you engaged in due diligence. In this example, due diligence might mean situational awareness, like being aware that the light was red.
Due care in cybersecurity means taking reasonable steps to protect your organization’s reputational, financial, and legal best interests. Looking at the similarities across most cybersecurity frameworks, you can set some basic best practices.
You can’t protect data, devices, or users that you don’t know you have. In order to prove due care over your cybersecurity posture, you need to identity and catalog all:
Your cybersecurity policy is the written document that defines your organization’s best practices. Before writing your policy, your organization should do a risk assessment that helps it set the controls used to mitigate cyber risk.
Additionally, the policy outlines the responsibilities for your senior management and Board of Directors. It also assigns responsibility for managing security to someone, usually a Chief Information Security Officer (CISO), in your organization.
Malicious actors continuously evolve their threat methodologies, which means that the controls you have in place today may not secure your environment tomorrow. To protect your organization and prove that you’re doing everything you can, you need to continuously monitor your cybersecurity controls. As part of this process, you need to make sure that your security team gets alerted to new risks or weaknesses.
It’s the nature of today’s cybersecurity world that data security incidents will happen. Creating, testing, and reviewing your incident response processes shows that you’re taking the appropriate actions to be resilient. You need to make sure that your incident response team has the right people, processes, and technologies to detect, investigate, and remediate incidents as quickly as possible.
Your audit trail is the documentation proving that your organization is doing what it says it should do. Nearly every cybersecurity or privacy law requires organizations to undergo an independent assessment of their programs. To prove compliance with laws and internal controls, you want to make sure that you have objective documentation, like event logs or control monitoring reports.
Due diligence in cybersecurity is the process of identifying and remediating the cyber risks that third-party vendors bring to your ecosystem. While due care focuses on you managing the risks your organization controls, due diligence focuses on managing the risks that your vendors and supply stream control.
Similar to your due care requirements, you can’t mitigate risks that you don’t know exist. You need to make sure that you have a complete picture of all:
One of the biggest third-party risk management problems organizations face is monitoring shadow IT, or software downloaded without the IT department’s knowledge. You need to make sure that you know all potential third-party service providers throughout your ecosystem.
Your vendor risk management policy details the steps you take to mitigate third-party risk. As part of this policy, you want to consider:
A primary part of third-party risk management (TPRM) due diligence is knowing the potential security risks any of them would pose. Before you sign a contract, you should engage in a risk review that includes documentation, like System and Organization Controls (SOC) reports.
However, you also need to engage in your own independent review. Depending on the type of information that the vendor will collect, transmit, store, or process, you may want to consider hiring a penetration tester who can look for security weaknesses or request the vendor’s more recent penetration test report.
Your SLAs are the contracts that define your relationship with your vendors. To ensure that you engage in appropriate due diligence, you want to make sure that you define each party’s responsibility for security.
SecurityScorecard’s security ratings platform continuously scans your organization’s environment and ecosystem to detect potential security risks. Our security ratings give you an easy-to-read view of your security posture, using an A-F scale. Our reporting capabilities and dashboards give you a way to document your due care over your cybersecurity posture and your due diligence over your third-party cybersecurity risk by monitoring across ten categories of risk.
Our platform gives you holistic visibility into your cybersecurity posture so that you can take reasonable, proactive steps to mitigate new risks, whether they come from your own environment or your supply chain.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You can’t manage what you can’t measure. Check out our list of the top 20 cybersecurity KPIs to track in 2021.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.