Cyber Security Due Diligence Checklist for 2023

Estimates are that while 43% of all cyberattacks target small businesses, only about 5% of the average company’s files and folders are protected. With individuals and businesses becoming more reliant on tech to manage their lives, it is not difficult to forecast where that trend will head.   If you are in charge of your company’s cyber posture, you understand the need for a comprehensive method to ensure that all your systems, files, and folders are safe.   The following is a cyber security due diligence checklist you should check out. After all, even if your corporate cyber security is robust, it never hurts to look at industry norms to ensure all your bases are covered.  

Use The NIST Framework

Every company should at least compare its infrastructure cybersecurity to the National Institute of Standards and Technology (NIST) cyber security best practices framework.  This guide covers identifying cyber risks, implementing protective measures, detecting attacks, responding to threats, and recovering after you have thwarted a cyberattack. Your cyber security due diligence checklist should mirror much of the NIST document, scaled to the size and scope of your business.

Perform Risk Analysis

Every company is potentially a victim of a cyberattack or cybercrime. The possible outcomes are numerous:

• Damage to a company’s reputation
• Client data can be compromised
• Theft of assets
• Systems shut down
• Data is corrupted or destroyed

By actively analyzing where your risks reside and addressing those vulnerabilities as you find them, you reduce the chance someone with ill intent can get onto your system. At a minimum, your cyber security due diligence checklist should include a review of:

• Data backup processes, equipment, and configurations
• Firewall and antivirus precautions
• All assets that are connected to the internet
• Restoration procedures in the event of an attack

Once you have completed the review, you should identify and prioritize risks, incorporating your findings into your general cyber security due diligence checklist.

Review Employee Accounts and Permissions

Employees come and go in just about every company. When they do, their access to accounts and systems in the company’s IT infrastructure should be terminated before their departure (when possible) and quickly afterward if not.  With larger companies with rigid IT and cyber security processes, discontinuing former employee remote and network access is part of the separation procedure. Smaller companies, however, occasionally are not as rigid or may not be as responsive. In addition to terminating access and permissions of employees leaving the company, as the IT manager, you should also review the network permissions of all employees and verify they are assigned correctly. There are several situations where an employee might have permissions they should not:

• Work responsibilities changes
• Job description changes
• Disciplinary actions
• IT security initiatives

Another facet of account management is determining what employees need to access the company network externally. For example, does an employee qualify as a legitimate work-from-home case, or do they only need occasional access? Remote access is a significant vulnerability unless your access is controlled and secure. Network and system administrators should understand why certain parts of the company computer system have security or job-specific access criteria. Additionally, they should understand the type of work employees with specific access do that pertains to that access.  Understanding why someone needs to access specific files can help with policy setting and enforcement.

Review and Set Remote Access Policies

Often, a data breach occurs when an employee gains informal access to files or parts of a network. Informal access happens when a user can access a system or files without going through the formal process of logging in and verifying their credentials.  Computers that are left alone but online, or employees, contractors, or temporary employees allowing others to use their devices without formally logging in are all examples of informal access.   Those types of breaches often occur when employees are helping someone manage a project or perform assigned work. Without adequate access permissions and policies, there is very little for a company to do if it discovers a breach. Informal access also includes the type of files and online access permitted on company electronics. A company must have internal internet access policies regarding personal work, emails, and internet access on company electronics. Your cyber security due diligence checklist should also include an annual review of the hardware and software your employees use to remotely connect to your network. All equipment with remote access to your network should have up-to-date security safeguards. Old equipment should be swapped out for new periodically and security software should be regularly updated. Multiple vendors like TeleTraders specialize in swapping out old equipment, selling unused equipment, and even taking old equipment for charitable use. This is one way to recoup the costs of new equipment and modifications you find as a result of your cyber security due diligence checklist.

Require Multi-Factor Authentication Where Needed

For sensitive accounts, multi-factor authentication helps make it more difficult for an unauthorized user to gain access. Besides accessing the company network externally, areas that might need additional multi-factor authentication include, but are not limited to:

• Client files
• Accounting and financial information
• Personnel files
• Sensitive corporate documents

You might trust all your employees, but all it takes is for one intruder to gain a single password to access areas of a network they should not. Multi-factor authentication guarantees that a person must know more than just a password to access a file or part of a network.

Check Firewalls, Anti-Virus, and Backups

Scheduled reviews of firewall configuration and anti-virus software to ensure all are up-to-date is a critical security step. You also must be as diligent with your backup system. Finding out after the fact that something was not up-to-date or was not working properly is more than just inconvenient. For example, suppose your backup system was corrupting your backup data or not picking up all the data it was supposed to backup. The only way you know that is through operational checks. If you do not check the data being backed up, you will only find out there is a problem when a machine quits working or after critical data gets lost. You do not want to find out after the fact that your system protections were not working when the company computer system got attacked.

Updating Hardware

Hardware usually gets overlooked until it malfunctions or becomes so outdated that basic operations bog down or even cannot be completed. Reviewing hardware every time you go through your cyber security due diligence checklist is vital. You do not want to find out you need new hardware as you are trying to thwart or recover from a cyberattack. Upgrading hardware through a reputable company like TeleTraders can help you keep your hardware up-to-date with the latest software and performance updates. Crucially, updating or selling your older hardware can secure your cyber assets and ensure your business is free from malware.

Robust Training

New cyber security threats emerge almost daily. That means training your staff needs to be an ongoing process and priority. You should have an aggressive training and education program that helps all IT staff stay current. Training should also extend to your everyday employees. Most times, an employee that exposes a company to a cybercrime does not do it intentionally. They opened a file on an email or were careless with their password. They did not mean to do harm, but they did. The only way to combat that is through training. Most people are aware of cybercrime and its destructiveness but have no clue how easy it is for bad actors to be successful. Training helps prepare them for recognizing and avoiding threats.

Final Thoughts

Your company is vulnerable to a cyberattack. Every company is. Whether those with ill intent only get so far as targeting your company depends on the policies, procedures, and security processes you have in place. This cyber security due diligence checklist can help you get started ensuring your company is as safe from cyberattacks and cybercrime as possible. By working with companies that specialize in ensuring companies have the best equipment available, your adherence to the cyber security due diligence checklist is all but assured.