Cyber Security Due Diligence Checklist for 2023
Estimates are that while 43% of all cyberattacks target small businesses, only about 5% of the average company’s files and folders are protected. With individuals and businesses becoming more reliant on tech to manage their lives, it is not difficult to forecast where that trend will head. If you are in charge of your company’s cyber posture, you understand the need for a comprehensive method to ensure that all your systems, files, and folders are safe. The following is a cyber security due diligence checklist you should check out. After all, even if your corporate cyber security is robust, it never hurts to look at industry norms to ensure all your bases are covered.
Use The NIST Framework
Every company should at least compare its infrastructure cybersecurity to the National Institute of Standards and Technology (NIST) cyber security best practices framework. This guide covers identifying cyber risks, implementing protective measures, detecting attacks, responding to threats, and recovering after you have thwarted a cyberattack. Your cyber security due diligence checklist should mirror much of the NIST document, scaled to the size and scope of your business.
Perform Risk Analysis
Every company is potentially a victim of a cyberattack or cybercrime. The possible outcomes are numerous:
- Damage to a company’s reputation
- Client data can be compromised
- Theft of assets
- Systems shut down
- Data is corrupted or destroyed
- Data backup processes, equipment, and configurations
- Firewall and antivirus precautions
- All assets that are connected to the internet
- Restoration procedures in the event of an attack
Review Employee Accounts and Permissions
Employees come and go in just about every company. When they do, their access to accounts and systems in the company’s IT infrastructure should be terminated before their departure (when possible) and quickly afterward if not. In larger companies with rigid IT and cyber security processes, discontinuing a former employee’s remote and network access is part of the separation procedure. Smaller companies, however, are occasionally not as rigid or may not be as responsive. In addition to terminating the access and permissions of employees leaving the company, as the IT manager, you should also review the network permissions of all employees and verify they are assigned correctly. There are several situations where an employee might have permissions they should not:
- Changes in work responsibilities
- Job description changes
- Disciplinary actions
- IT security initiatives
Review and Set Remote Access Policies
Often, a data breach occurs when an employee gains informal access to files or parts of a network. Informal access happens when a user can access a system or files without going through the formal process of logging in and verifying their credentials. Computers that are left alone but online, or employees, contractors, or temporary employees allowing others to use their devices without formally logging in, are all examples of informal access. Those types of breaches often occur when employees are helping someone manage a project or perform assigned work. Without adequate access permissions and policies, there is very little a company can do if it discovers a breach. Informal access also includes the types of files and online access permitted on company electronics. A company must have internal internet access policies regarding personal work, emails, and internet access on company electronics. Your cyber security due diligence checklist should also include an annual review of the hardware and software your employees use to remotely connect to your network. All equipment with remote access to your network should have up-to-date security safeguards. Old equipment should be swapped out for new hardware periodically, and security software should be regularly updated. Multiple vendors like TeleTraders specialize in swapping out old equipment, selling unused equipment, and even taking old equipment for charitable use. This is one way to recoup the costs of new equipment and modifications you find as a result of your cyber security due diligence checklist.
Require Multi-Factor Authentication Where Needed
For sensitive accounts, multi-factor authentication helps make it more difficult for an unauthorized user to gain access. Besides accessing the company network externally, areas that might need additional multi-factor authentication include, but are not limited to:
- Client files
- Accounting and financial information
- Personnel files
- Sensitive corporate documents
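The account and permission review described under "Review Employee Accounts and Permissions" and the multi-factor coverage check implied by this section can both be driven from the same data: an HR roster, a role-to-permission policy, and an export of the accounts that actually exist. The script below is an added example, not code from the article or from any vendor it names. It assumes a hypothetical role-based permission policy and uses a constructed roster and account export; in practice the roster would come from HR and the accounts from your directory or identity provider. It flags accounts for departed employees that are still enabled, accounts with no HR record, permissions beyond what the role allows, and enabled accounts that reach sensitive resources without MFA.

```python
"""Access review: departed users, orphan accounts, permission drift, MFA gaps.
Sample roster, policy and account export are constructed for this example."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> (role, last working day or None if active)
HR_ROSTER = {
    "E100": ("accountant", None),
    "E101": ("sales", date(2023, 3, 15)),   # departed
    "E102": ("hr", None),
    "E103": ("sales", date(2023, 2, 1)),    # departed, account already disabled
}

# Hypothetical role-based permission policy (assumption, not the article's)
ROLE_PERMISSIONS = {
    "accountant": {"finance-ledger", "email"},
    "sales": {"crm", "email"},
    "hr": {"personnel-files", "email"},
}

# Resources the article lists as candidates for MFA, plus external network access
SENSITIVE_RESOURCES = {"finance-ledger", "personnel-files", "client-files", "vpn"}


@dataclass
class Account:
    username: str
    employee_id: str
    enabled: bool
    mfa_enrolled: bool
    permissions: set


# Constructed directory export
ACCOUNTS = [
    Account("alice", "E100", True, True, {"finance-ledger", "email"}),
    Account("bob", "E101", True, True, {"crm", "email"}),
    Account("carol", "E102", True, False, {"personnel-files", "email", "finance-ledger"}),
    Account("dave", "E103", False, True, {"crm", "email"}),
    Account("svc-backup", "E999", True, False, {"email"}),  # no HR record
]


def review_accounts(accounts, roster, role_perms, sensitive, today):
    """Return a list of findings; each is a dict with user, finding and detail."""
    findings = []
    for acct in accounts:
        record = roster.get(acct.employee_id)
        if record is None:
            # Accounts with no owner in HR need an owner or a decommission decision
            findings.append({"user": acct.username, "finding": "orphan-account",
                             "detail": "no HR record"})
            continue
        role, last_day = record
        if last_day is not None and last_day <= today and acct.enabled:
            findings.append({"user": acct.username, "finding": "departed-active",
                             "detail": f"left on {last_day.isoformat()}"})
        # Permission drift: anything beyond the role policy (job changes, old projects)
        extra = acct.permissions - role_perms.get(role, set())
        if extra:
            findings.append({"user": acct.username, "finding": "excess-permissions",
                             "detail": sorted(extra)})
        # Enabled accounts touching sensitive resources must have MFA
        exposed = acct.permissions & sensitive
        if acct.enabled and exposed and not acct.mfa_enrolled:
            findings.append({"user": acct.username, "finding": "mfa-missing",
                             "detail": sorted(exposed)})
    return findings


def findings_by_type(findings):
    """Group finding types to usernames, handy for a review summary."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["finding"], []).append(f["user"])
    return grouped


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, HR_ROSTER, ROLE_PERMISSIONS,
                             SENSITIVE_RESOURCES, date(2023, 6, 1)):
        print(f"{f['user']:<12} {f['finding']:<20} {f['detail']}")
```

Run against the constructed data, the review reports bob as a departed user whose account is still enabled, svc-backup as an account with no HR owner, and carol both for a permission she holds outside her role and for reaching sensitive files without MFA; dave produces nothing because the account was disabled at separation, which is the outcome the checklist asks for.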