The words “due diligence” may make you think of a courtroom drama on television. Surely, that’s something only lawyers have to worry about? Not so fast. Due diligence is something your business can be doing, too. Are you covering the basics?
Due diligence is about taking care and being cautious in doing business. It extends to how you manage your technology, too. You may think you’re immune to a data breach or cyberattack, but cybercriminals can target you regardless of business size or industry sector.
Depending on your industry, you may even have compliance or regulatory laws to follow. Some insurance providers also expect a certain level of security standards from you. The costs associated with these cyber incidents are increasing, too. Don’t leave your business vulnerable.
Technological due diligence requires attention to several areas. Generally, you’ll need to show the following:
1. Each staff member has a unique login for systems, accounts, etc. Require complex, distinct passwords. Educate employees to protect these credentials (e.g. not write them on sticky notes that sit on their desktop) and utilize 2-factor authentication wherever possible.
2. Ensure you have a process in place for regular data backup. We recommend a 3-2-1 backup strategy: keep three copies of your business data, on two different types of media, with one copy held off-site. For a small office that typically means the working copy on the local computer, a second copy on an external drive, and a third copy in the cloud.
3. You patch and upgrade software consistently across everything. Most operating systems and applications now automate their own updates, but someone still has to confirm the updates were actually applied. Network equipment such as routers, firewalls, and switches usually needs a more manual process. It also helps to stage patches and keep a record of what was applied and when, so that if a patch breaks some expected functionality you can quickly identify the cause and roll it back.
4. You’ve installed antivirus software, and ensured it is working. You don’t want to end up in a situation where you don't know your computers are infected until it’s too late. Be proactive.
5. Email filtering is in place. These filters help protect your business from spam, malware, phishing, and other threats which are ever-increasing.
6. You have installed firewalls to monitor and control incoming and outgoing network traffic. Most consumer routers (and many marketed as "commercial grade") do not offer these controls and, at best, only block unsolicited inbound traffic; they rarely let you restrict what leaves the network, which is what stops an infected machine from reaching an attacker's server.
7. You limit user access. Instead of giving everyone full access, grant permissions based on role and responsibility. This limits the damage a single compromised account can do: the receptionist clicking on a phishing link should not expose the entire company.
8. There are physical security procedures to limit access to your environment. This can range from locks on the server/network closet doors to security cameras, a fenced perimeter, and RFID badge scanning in protected areas. Any place where company information resides should be physically protected.
9. If your company lets employees use their own phones, laptops, or tablets, have a Bring Your Own Device (BYOD) policy in place. Installing mobile device management software is useful, too (and we can help with that!)
10. On top of all of the above, you test these systems too. You can't take a set-and-forget approach to securing your network, systems, and hardware, or just assume that backups are there and working "auto-magically". Ongoing testing will help you identify risks, repair vulnerabilities, and protect your business.
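Items 2 and 10 above come down to the same check: a backup only counts once a restore from it has been verified. The script below is an added example, not code from the original article or from any vendor's product. It writes a SHA-256 manifest alongside a backup copy and then compares a restored tree against that manifest, reporting files that are missing, altered, or unexpectedly present. The directory layout and sample files are constructed purely for the demonstration.

```python
"""Back up a directory with a SHA-256 manifest, then verify a restore against it.

Added example. The sample files created in demo() are constructed for the
demonstration and do not come from the original article.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> dict:
    """Copy the source tree to dest/data and write dest/manifest.json; return the manifest."""
    manifest = build_manifest(source)
    shutil.copytree(source, dest / "data")  # creates dest and its parents
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(restored: Path, manifest: dict) -> list:
    """Return a list of problems found when comparing a restored tree to the manifest.

    An empty list means every file listed in the manifest is present with the
    expected content and nothing extra has appeared.
    """
    actual = build_manifest(restored)
    problems = []
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != expected:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: a clean restore check, then one after silent media damage."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "invoice.txt").write_text("invoice 1001\n")
        (source / "notes.txt").write_text("remember to rotate keys\n")

        target = tmp / "backup"
        backup(source, target)
        # Reload the manifest from disk, as a real restore check would.
        manifest = json.loads((target / "manifest.json").read_text())

        clean = verify_restore(target / "data", manifest)

        # Simulate bit rot on the backup media and a file that never got copied.
        (target / "data" / "notes.txt").write_text("remember to rotate keyz\n")
        (target / "data" / "docs" / "invoice.txt").unlink()
        damaged = verify_restore(target / "data", manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean or "OK")
    print("damaged restore:", damaged)
```

Keep the manifest with the off-site copy (or a signed copy of it elsewhere) rather than only beside the data it describes, so that damage to one medium cannot also destroy the evidence needed to detect it. Run the restore check on a schedule and record each run; that record is the proof that the backup process works, not just that it exists.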
It also helps to keep evidence of your efforts by:
inventorying all devices on your network;
logging the date and result of every check or test run against your various systems;
keeping copies of any training provided and employee handbook messaging;
updating your organizational chart regularly;
vetting contractors/vendors before granting them access;
having a "default deny" policy in place which limits
IT due diligence protects your business. Meeting these security standards can also cut costs and preserve your brand reputation. Demonstrating vigilance helps you avoid hefty compliance or regulatory fines and defend against litigation. In the event of legal action, you will need to prove the efforts you made, so be sure to thoroughly document all IT security efforts.