This is an exclusive article series conducted by the Editor Team of CIO News with Krishnamohan Kandar, Vice President & CISO at CRIF India.
In today’s digital landscape, cyber security breaches have become all too common, with headlines often focusing on the aftermath—reputational damage, financial losses, and legal implications. While these consequences are important, the underlying root causes are rarely discussed in depth. The reality is that hackers are not just opportunistic; they are highly skilled and often ingenious, constantly evolving their methods to exploit vulnerabilities. However, many of these vulnerabilities are practically handed to them on a silver platter due to the lack of proper due diligence and due care by organizations. It is essential that we shift our focus toward identifying and addressing these preventable gaps in cybersecurity practices. Cybersecurity isn’t just about warding off external enemies. The foundation of any effective security posture lies within the processes and policies that govern how an organization manages and protects its own data. In short, cybersecurity begins at home.
Understanding Due Diligence and Due Care
Due diligence refers to the continuous actions an organization takes to identify, manage, and mitigate cybersecurity risks. This includes regular audits, risk assessments, patching known vulnerabilities, and reviewing internal controls to ensure they are effective and updated.
Due care is the implementation of the proper actions and measures that protect an organization’s assets from cyber threats. It involves setting up security policies, enforcing controls, monitoring activities, and responding to incidents in a timely and appropriate manner.
These principles are not just theoretical concepts; they are critical to ensuring that an organization’s internal security is robust and resilient to external attacks. Without proper due diligence and due care, internal vulnerabilities can easily be exploited by attackers.
When Internal Failures Open the Door to Breaches
Many cyberattacks occur because internal controls were weak, poorly managed, or altogether missing. These breaches weren’t just the result of brilliant hackers; they were facilitated by an organization’s failure to apply due diligence and due care.
- Credit reporting giant based out of the USA:
  - What happened: The breach exposed personal information (including Social Security numbers) of 147 million Americans.
  - Due diligence failure: Failed to patch a known vulnerability in Apache Struts software, despite a patch being available months before the attack. Lack of proper asset management and vulnerability scanning contributed to this oversight.
- US retail chain of department stores:
  - What happened: Hackers stole credit card and personal information of over 40 million customers.
  - Due diligence failure: The breach was caused by a third-party vendor (an HVAC contractor) that was compromised. The retailer failed to adequately vet and monitor the vendor’s cybersecurity practices, leading to the compromise of its own systems.
- Multinational transportation company providing ride services:
  - What happened: Data of 57 million users and drivers was exposed.
  - Due diligence failure: Stored sensitive data (like access credentials) in a publicly accessible GitHub repository. Hackers were able to gain access to this data, which the company failed to properly secure or regularly audit.
Internal Failures vs. External Threats: Strong Governance is Key
Organizations often prioritize defending against external threats while neglecting internal governance. This approach is not only shortsighted but also dangerous. Strengthening internal security through due diligence and due care is at least as critical as focusing on external threats, and arguably more so.
- Overlooking Insider Threats
An organization’s employees, vendors, and partners pose risks that are often harder to detect but just as damaging as external cybercriminals. A disgruntled employee, a careless contractor, or even someone who mistakenly clicks on a phishing link can open the door to a breach. In such cases, strong governance practices, such as employee training, access management, and continuous monitoring, can prevent insider threats from escalating into full-blown breaches.
- The Need for Stronger Internal Audits
Regular internal audits are essential to ensure that security policies and controls are being followed. However, many organizations fail to perform them consistently or thoroughly. Audits should include checks on user access levels, encryption practices, firewall configurations, and software patching status. Identifying gaps in these areas before they are exploited by hackers is key to proactive cybersecurity.
- Vendor and Third-Party Management
Third-party vendors and partners can introduce significant risks into an organization’s environment. Many breaches occur because an organization fails to monitor and enforce security practices for its vendors. Strong governance should include rigorous vetting, continuous monitoring and contractual security requirements for vendors.
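The three audit areas above (patching status, user access levels, and vendor oversight) can be checked mechanically against an asset inventory. The script below is an added example and is not from the article or from CRIF; the inventory, account and vendor records are constructed, and the thresholds (30-day patch grace period, 90-day inactivity limit, yearly vendor attestation, approved admin roles) are assumed policy values, not anything the article specifies.

```python
"""Added example: a small due-diligence audit over a constructed inventory.

It reports three kinds of gap the article lists: software with a patch
available but unapplied past a grace period, accounts that are idle or hold
admin rights outside approved roles, and network-connected vendors whose
security attestation is missing or stale. All data and thresholds are
constructed/assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PATCH_GRACE_DAYS = 30            # assumed policy: apply patches within 30 days
INACTIVE_ACCOUNT_DAYS = 90       # assumed policy: disable accounts idle > 90 days
ATTESTATION_MAX_AGE_DAYS = 365   # assumed policy: vendor attestation renewed yearly
ADMIN_ROLES = {"platform-engineer", "security-engineer"}  # assumed approved roles


@dataclass
class Asset:
    name: str
    software: str
    installed_version: str
    patched_version: Optional[str]        # None when no patch is pending
    patch_available_since: Optional[date]


@dataclass
class Account:
    user: str
    role: str
    is_admin: bool
    last_login: date


@dataclass
class Vendor:
    name: str
    has_network_access: bool
    last_attestation: Optional[date]


def audit_assets(assets: List[Asset], today: date) -> List[str]:
    """Flag assets whose available patch is older than the grace period."""
    findings = []
    for a in assets:
        if a.patched_version and a.installed_version != a.patched_version:
            overdue = (today - a.patch_available_since).days - PATCH_GRACE_DAYS
            if overdue > 0:
                findings.append(
                    f"PATCH: {a.name} runs {a.software} {a.installed_version}; "
                    f"{a.patched_version} available, {overdue} days past grace period")
    return findings


def audit_accounts(accounts: List[Account], today: date) -> List[str]:
    """Flag idle accounts and admin rights held outside approved roles."""
    findings = []
    for acc in accounts:
        idle = (today - acc.last_login).days
        if idle > INACTIVE_ACCOUNT_DAYS:
            findings.append(f"ACCESS: {acc.user} idle {idle} days but still enabled")
        if acc.is_admin and acc.role not in ADMIN_ROLES:
            findings.append(f"ACCESS: {acc.user} ({acc.role}) holds admin rights "
                            f"outside approved roles")
    return findings


def audit_vendors(vendors: List[Vendor], today: date) -> List[str]:
    """Flag network-connected vendors with no current security attestation."""
    findings = []
    for v in vendors:
        if not v.has_network_access:
            continue  # no connectivity into our environment: out of scope here
        if v.last_attestation is None:
            findings.append(f"VENDOR: {v.name} has network access and no attestation")
        elif (today - v.last_attestation).days > ATTESTATION_MAX_AGE_DAYS:
            age = (today - v.last_attestation).days
            findings.append(f"VENDOR: {v.name} attestation is {age} days old")
    return findings


def run_audit(assets, accounts, vendors, today: date) -> List[str]:
    return audit_assets(assets, today) + audit_accounts(accounts, today) \
        + audit_vendors(vendors, today)


# Constructed sample inventory (not real systems, people or vendors).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("web-01", "Apache Struts", "2.3.31", "2.3.32", date(2024, 3, 1)),  # 92 days
    Asset("db-01", "PostgreSQL", "15.6", None, None),                        # current
    Asset("app-02", "OpenSSL", "3.0.13", "3.0.14", date(2024, 5, 20)),       # in grace
]
SAMPLE_ACCOUNTS = [
    Account("alice", "security-engineer", True, date(2024, 5, 30)),
    Account("bob", "hvac-contractor", True, date(2024, 1, 10)),   # idle and over-privileged
    Account("carol", "analyst", False, date(2024, 5, 1)),
]
SAMPLE_VENDORS = [
    Vendor("CoolAir HVAC", True, None),              # connected, never attested
    Vendor("PayProc", True, date(2023, 1, 15)),      # connected, attestation stale
    Vendor("Catering Co", False, None),              # no network access
]

if __name__ == "__main__":
    for line in run_audit(SAMPLE_ASSETS, SAMPLE_ACCOUNTS, SAMPLE_VENDORS, AUDIT_DATE):
        print(line)
```

Run against the sample inventory it reports one overdue patch, two access findings for the same contractor account, and two vendor findings; the vendor without network access is deliberately skipped so the report stays focused on parties that can actually reach the environment.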
The Role of Leadership in Fostering Security Governance
While technology plays a huge role in cybersecurity, governance is equally a matter of leadership. Senior management must set the tone for security by ensuring that cybersecurity is not just a checklist item but an integral part of the organization’s culture. Leadership should focus on:
- Promoting a Culture of Security: Employees at all levels need to understand the importance of cybersecurity, not just as a technical issue but as a business-critical concern.
- Budgeting for Security: Security governance often falters due to insufficient funding; senior leaders must ensure that budgets are aligned with the organization’s cybersecurity needs.
- Enforcing Accountability: When breaches occur due to internal failures, accountability must be enforced. Without consequences, there’s no incentive to improve security practices.
Conclusion: Building Security from the Inside Out
The cybersecurity landscape is fraught with threats, both external and internal. While organizations must stay vigilant against external attacks, they cannot afford to ignore the vulnerabilities within their own systems. Cybersecurity breaches often stem from poor internal governance, inadequate internal controls, and the failure to implement due diligence and due care.
To truly safeguard an organization’s data and assets, internal security must be prioritized. This involves regular audits, strong leadership, continuous monitoring, and a culture of security that permeates the entire organization. After all, cybersecurity doesn’t start at the network’s edge—it begins at home.