The terms “due diligence” and “due care” are both important to risk management, but have different meanings depending on the context in which they are used. Most importantly, the two concepts differ depending on whether you are referring to real-life scenarios or a regulatory environment.

In day-to-day life, due care refers to our habits, policies, and procedures that we use to keep us safe and out of trouble. Due diligence means that we take necessary precautions in a given situation. For example, we perform due diligence when investigating a potential problem that has been detected.

In a regulatory or compliance environment, due care still means you have policies and procedures in place to protect your organization. Due diligence, on the other hand, focuses on third-party risk management activities.

In this article we’ll explore “due care” versus “due diligence” in cybersecurity, and particularly in a regulatory and compliance framework. We’ll also review actions you can take to integrate either one into your overall risk management strategy.

See also

5 Steps to Reduce the Web of Uncertainty in Third-Party Risk Management

What Is Due Care in Cybersecurity?

Due care refers to the continuing maintenance required to keep something in excellent operating order or to meet universally accepted standards. This is especially important if due care arises from a contract, regulation, or law. We apply due care when carrying out mitigation procedures; the lack of due care is negligence.

Here are some examples of due care in cybersecurity:

Monitor and Protect Your Network from Malicious Activity

Monitoring your cybersecurity controls is necessary to secure your firm and demonstrate that you’re doing everything you can to prevent unnecessary risk. You must assure that your security staff is alerted to new dangers or gaps as part of these procedures.

Cybersecurity is a moving target. To combat threats and act with due care, you must maintain a network monitoring routine. As new forms of cyber-attacks and threats emerge, it’s necessary to implement risk mitigation with continuous monitoring.

Train Your Employees in Cybersecurity Awareness

Implement guidelines on managing and protecting customer information and other sensitive data. Assure that access controls are in place, and train your staff on cybersecurity hygiene. Clearly define the consequences of violating company policies.

Apply Policies, Standards, Baselines, and Procedures

To protect critical company information, establish security policies. Your cybersecurity policy should be a written document that outlines your company’s best practices for cybersecurity. Before drafting your policy, your company should do a risk assessment to determine the measures that need to be employed to manage cyber risk.

Make Backup Copies of Critical Corporate Information and Data

Back up all of your company’s critical data at least once a week. Word processing documents, spreadsheets, databases, financial files, human resources files, and accounts receivable or payable files are all examples of critical data. If possible, perform automatic backups.

Secure Your Wi-Fi Network

If you have a Wi-Fi network at your workplace, make sure it is secure and hidden. To hide your Wi-Fi network, configure your wireless access point or router not to broadcast the network’s name.

What Is Due Diligence in Cybersecurity?

Due diligence means that you investigate and verify your third-party partners and supply chain to assure that they meet your cybersecurity standards. An organization should perform various activities to detect and remediate the cyber threats that third-party providers bring to your ecosystem.

Following are some examples of due diligence and how they fit into a cybersecurity strategy:

Vendor Risk Management Policy

Your vendor risk management policy details the steps you take to mitigate third-party risk. As part of this policy, document the decision-making processes for accepting new vendors. This may include verification of their information security procedures and maybe even background checks for key shareholders.

The policy will also outline ongoing maintenance activities and continuous monitoring metrics to assure third-party compliance in the future.

Monitor Third-Party Vendors

Understanding the potential security threats that a third party exposes to your business is essential for third-party risk management (TPRM) and due diligence. Documenting all concerns in your initial assessment will give you a baseline for continuous monitoring and metrics that should be reviewed periodically with each third party.

Depending on the information the vendor is collecting, storing, or processing, you may conduct an independent investigation. For example, you may want to hire a penetration tester to look for security flaws, or request the vendor’s most recent penetration test report.

Perform Annual Security Audits

Security audits are technical examinations of an IT system’s configurations, technologies, infrastructure, and other factors to reduce the risk of a data breach. By taking action on findings from security audits, you are demonstrating due diligence in your business practices and how you manage third-party relationships.

ROAR Is an Integral Part of Any Cybersecurity Strategy

The RiskOptics ROAR Platform is risk management software built specifically to meet the needs of an ever-evolving cyber risk landscape. It streamlines workflows so you don’t have to manage all tasks manually.

In addition, ROAR contains dynamic visualization and other technical risk assessment tools to help organizations eliminate duplicate work and minimize the time required to implement and monitor policies, making it the ultimate solution to better manage your IT and cyber risk strategy.

Contact us for a free demo! Learn how we can help improve your organization’s information security and risk and compliance practices.

How to Upgrade Your Cyber Risk
Management Program with NIST