Digital due diligence can help determine potential risks or even existing vulnerabilities to company assets


AIG

World tech

What is digital due diligence?

A digital due diligence is an examination of an organisation’s IT systems and procedures to determine potential associated risk or even existing compromise to company assets. It includes a review of internal security technology and controls, processes and policies, as well as an external look at potential threat factors. A company might have a mis-configured firewall or may not enforce periodic password changes. It may be in an industry that has suffered few cyber attacks or in one that is frequently attacked by criminals or even competitors. All of these, and many more, affect the potential risk to company assets.

What makes a good score?

A good score provides a comparative analysis to industry averages. It also highlights deviations from current best practices. It needs to consider multiple facets of cyber security, not only IT security systems and controls but also risks that may arise from physical security or operational policies. This should be carried out with careful consideration of the external threats to the business. For example, if a hacker organization declares that one company is a target for future attacks, this information needs to be included in the assessment. Lastly, a good score needs to be linked to the business value of each asset at risk. High risk of breach to a low-value asset is not as troubling as a low risk of breach to a critical asset, or one that has cascading effect on the organisation.

How can risk managers get a better score?

Once valuable assets have been identified and major gaps have been mapped against these, closing down the biggest gaps will provide the most dramatic improvement to a company’s risk score. Although it is tempting to consider the introduction of new security technologies and systems, an improvement in procedures and policies often have the biggest effect on an organisation’s overall security posture.

This activity should always be followed by a comprehensive monitoring and compliance programme to ensure that the risk manager can adequately measure the improvements to their risk posture.