Two of the most basic tenets of cybersecurity management, due diligence and due care, are related to how we look at our responsibilities in the field. Those two might seem almost familiar, and they should. For a medical provider, they would be the tenets that guide you to care for the person and to help them, which is why you got into the business in the first place. Without these two essential guides, we tend to get caught up in our jobs’ financial and technical aspects rather than understanding that we do this work for the people we serve, to help others: to meet the obligation to heal our clients, or to protect them from the bad guys by safeguarding their data.
In cybersecurity, these beliefs guide us in our work to fulfill those responsibilities daily, as they set moral and legal guidelines for our efforts. With a set of fundamental principles to guide us, we can better plan and implement the work that reduces the risks related to information technology in an environment filled with intentional and unintentional threats.
Cybersecurity is work done to protect the data and information technology resources we use daily to accomplish our jobs or connect to others in our private and professional lives. Much of our world is dominated by this technology, so we must protect it from threats that could limit or even destroy it or that could so corrupt the data we use that it is no longer of value.
What is “Due Care?”
Due care is the practice of planning and implementing the various active components of cybersecurity. It is being able to assert that you have looked at all the things you must protect in your organization and have created and begun using a reasonably effective way to do so.
An example of what we mean here might be to say you have data on a server and have created plans to protect that data. You protected it by putting in redundant systems; doors with physical locks that can only be opened by those who need to enter the server room; heating, ventilation, and air conditioning appropriate to the needs presented; and a backup location in case this server room fails or is lost in some way. You have also implemented security measures that ensure the server’s data is protected during its use, storage, and eventual disposal.
Due care is this initial process of establishing security, and it applies again whenever required updates or investments in new technologies or workspaces demand it.
What due care does not mean is that you “guarantee” your security and protective measures are perfect. No one can guarantee that, and it isn’t expected that you would be able to. You have done your best to create the safest environment possible under the circumstances and financial limitations present.
What are some examples of due care?
When you begin your due care initiative, it can be hard to know exactly what you are trying to do. No matter the size of your organization or how many people and pieces of equipment you have, you have to start somewhere, right?
So, start with some of the basics:
- Know your data
  - Figure out the data your organization presently uses or may use in the “near” future
  - Classify the data
  - Know the security requirements for protecting the data as classified
- Know your IT infrastructure and systems
  - Do you have servers, computers, or peripherals?
  - Do you connect to the Internet?
  - Do you have the ability to provide power for everything (if only for a while) if the main supply goes down?
  - Do you have backup sites for your data in case of an outage or catastrophe?
- Know your people
  - Train your employees and management in the use of your data and systems
  - Plan for and implement cybersecurity training
  - Plan for problem resolution
Obviously, there is more to concern yourself with than just this short list, but it should give you some idea of the types of things you should be looking at.
You should also understand that all the above information will produce policies, procedures, and guidelines that direct and define your cybersecurity efforts while showing outside agencies that you have worked to protect your data.
What is “Due Diligence,” then?
Our next step is to continually maintain the care we put into designing and implementing our security. This is due diligence. We are protecting the investment we made into our security at the beginning by constantly monitoring and updating it as requirements change.
If you were to put up a fence to keep your dogs in the yard, you wouldn’t let it rot and fall apart, right? It wouldn’t take long for the dogs to run free in the neighborhood, potentially getting them hurt or allowing them to hurt others. You have to keep an eye on the fence and look for holes, broken panels, failing vertical poles, and gates that don’t latch. Your diligence keeps the original fence in good shape and everyone safe and sound.
In cybersecurity, this is where you watch to make sure the security measures you have implemented are effective and still allow you to do your work. You patch any gaps, repair broken components, and make sure you have a backup in case something fails.
How will this affect you?
Due care and due diligence are required in cybersecurity to protect your investments and the people whose data you hold, such as clients, patients, and employees. Without one or the other, you are likely to see failures that will cost you financially or even force you out of business. You can see what closed one business in our case study, “Brookside ENT.”
What should you do?
If you are an organization or business that uses data, then it is that data that gives you the ability to accomplish your work. Protecting it is, and should be, at the forefront of your cybersecurity program mission statement.
Take the time to perform your due care and due diligence duties, as they will pay off by helping to ensure that you can continue to serve your customers and stay in business, whatever that business may be.
Northstarr Recommendations
As mentioned above, due care and due diligence can be very complex to deal with, especially if your organization is small or has a limited number of IT/cybersecurity workers. Northstarr has the knowledge and expertise to help you efficiently get through this process.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!