Cybersecurity is more than “just” technology these days. With legislative bodies increasingly writing more laws, technology and legal terminologies have become more intertwined than ever before. As organizations build cyber risk strategies, they need to understand risk mitigation’s underlying goal. This is why understanding the difference between due care and due diligence is important to how you set your risk mitigation strategies.
What is due care?
According to the online version of Black’s Law Dictionary, due care is engaging in just, proper, and sufficient care based on given circumstances to show the absence of negligence. Additionally, due care is defined as sufficient care, implying a person has not been careless and has not violated a law. In non-legal terms, due care focuses on whether someone’s actions did not contribute to harm or violate the law.
Due care focuses on whether someone did what they were supposed to do, regardless of the situation. For example, if you’re driving your car, you’re expected to engage in safe behavior that prevents a car accident. You’re expected to follow the speed limit and not text while driving. A reasonable person would consider those activities proof of “due care.”
What is due diligence?
Due diligence, while similar to due care, has a slightly different meaning. According to the online version of Black’s Law Dictionary, due diligence applies the idea of reasonable to how a person acted under the particular set of circumstances at issue. In non-legal terms, due diligence focuses on whether the average person would have done the same thing if they were in the same situation.
Due diligence focuses on whether someone did what other reasonable people would do based on the situation they were in. Returning to the driving analogy, if you get into an accident because you hit a car stopped at a traffic light, people are going to ask a lot of questions about your actions beyond proving that you followed the law. Even if you weren’t speeding or texting, you’ll need to show that you engaged in due diligence. In this example, due diligence might mean situational awareness, like being aware that the light was red.
What is due care in cybersecurity?
Due care in cybersecurity means taking reasonable steps to protect your organization’s reputational, financial, and legal best interests. Looking at the similarities across most cybersecurity frameworks, you can set some basic best practices.
Know your assets
You can’t protect data, devices, or users that you don’t know you have. In order to prove due care over your cybersecurity posture, you need to identity and catalog all:
- Data assets, including personally identifiable information (PII) and intellectual property (IP)
- Storage locations, including on-premises and cloud
- Devices, including Internet of Things (IoT) devices, routers, switches
- Users, including standard and privileged accounts and access
Establish a cybersecurity policy
Your cybersecurity policy is the written document that defines your organization’s best practices. Before writing your policy, your organization should do a risk assessment that helps it set the controls used to mitigate cyber risk.
Additionally, the policy outlines the responsibilities for your senior management and Board of Directors. It also assigns responsibility for managing security to someone, usually a Chief Information Security Officer (CISO), in your organization.
Continuously monitoring controls
Malicious actors continuously evolve their threat methodologies, which means that the controls you have in place today may not secure your environment tomorrow. To protect your organization and prove that you’re doing everything you can, you need to continuously monitor your cybersecurity controls. As part of this process, you need to make sure that your security team gets alerted to new risks or weaknesses.
Create an incident response process
It’s the nature of today’s cybersecurity world that data security incidents will happen. Creating, testing, and reviewing your incident response processes shows that you’re taking the appropriate actions to be resilient. You need to make sure that your incident response team has the right people, processes, and technologies to detect, investigate, and remediate incidents as quickly as possible.
Create an audit trail
Your audit trail is the documentation proving that your organization is doing what it says it should do. Nearly every cybersecurity or privacy law requires organizations to undergo an independent assessment of their programs. To prove compliance with laws and internal controls, you want to make sure that you have objective documentation, like event logs or control monitoring reports.
What is due diligence in cybersecurity?
Due diligence in cybersecurity is the process of identifying and remediating the cyber risks that third-party vendors bring to your ecosystem. While due care focuses on you managing the risks your organization controls, due diligence focuses on managing the risks that your vendors and supply stream control.
Identify all vendors
Similar to your due care requirements, you can’t mitigate risks that you don’t know exist. You need to make sure that you have a complete picture of all:
- Cloud services providers
- Operating systems
One of the biggest third-party risk management problems organizations face is monitoring shadow IT, or software downloaded without the IT department’s knowledge. You need to make sure that you know all potential third-party service providers throughout your ecosystem.
Vendor risk management policy
Your vendor risk management policy details the steps you take to mitigate third-party risk. As part of this policy, you want to consider:
- Defining appropriate controls
- Setting metrics for measuring third-party compliance
- Continuously monitoring vendor security posture
Continuously monitor third-party vendors
A primary part of third-party risk management (TPRM) due diligence is knowing the potential security risks any of them would pose. Before you sign a contract, you should engage in a risk review that includes documentation, like System and Organization Controls (SOC) reports.
However, you also need to engage in your own independent review. Depending on the type of information that the vendor will collect, transmit, store, or process, you may want to consider hiring a penetration tester who can look for security weaknesses or request the vendor’s more recent penetration test report.
Include security in service level agreements (SLAs)
Your SLAs are the contracts that define your relationship with your vendors. To ensure that you engage in appropriate due diligence, you want to make sure that you define each party’s responsibility for security.
SecurityScorecard’s supports due care and due diligence
SecurityScorecard’s security ratings platform continuously scans your organization’s environment and ecosystem to detect potential security risks. Our security ratings give you an easy-to-read view of your security posture, using an A-F scale. Our reporting capabilities and dashboards give you a way to document your due care over your cybersecurity posture and your due diligence over your third-party cybersecurity risk by monitoring across ten categories of risk.
Our platform gives you holistic visibility into your cybersecurity posture so that you can take reasonable, proactive steps to mitigate new risks, whether they come from your own environment or your supply chain.