
The importance of due diligence in Information Security

Shawn Gillooly, Senior Digital Investigations Analyst

Karis Bouher
Bowling

Due diligence is not just a regulatory requirement but a fundamental component of a robust information security strategy. However, many organisations fall into the trap of treating due diligence as a checkbox exercise, often neglecting its significance until a security incident occurs. This complacency can lead to financial and reputational damage.

For instance, a lack of proper due diligence can leave your organisation exposed to data breaches, fines, and loss of customer trust. In June 2024, the NHS was the victim of a cyber incident, originating at a third-party supplier, that led to patients’ appointments and procedures being cancelled. Proper due diligence could have identified vulnerabilities in the supplier’s systems, potentially preventing the breach and its subsequent fallout.

But the threat is not limited to supply chains and partners: it is just as important for an organisation to understand its own digital risks, in the same way it would assess its cyber security posture. How might an attacker use openly available Personally Identifiable Information (PII) to socially engineer employees at the company? Could they use that information to pressure or blackmail their way into critical information without ever having to defeat the organisation's technical defences? Due diligence and intelligence gathering should never be limited to external parties if an organisation wants to fully manage its risk profile.

What stops organisations from undertaking due diligence activities?

Effective due diligence requires buy-in from management and stakeholders. Due diligence goes beyond compliance; it involves actively managing risks to protect data and prevent costly outcomes. For many organisations, the cost of conducting due diligence activities is considered too high in relation to the associated risk.

However, this judgement often stems from undervaluing the cost of not conducting regular due diligence. There are plenty of statistics available that show how much money organisations of all sizes and types lose to cyber-attacks each year. Each entity will need to carry out its own risk assessment to understand how its operations would be affected and what the resulting financial damage would be. That risk assessment determines your organisation’s risk appetite and the actions that should be taken to prevent or limit the impact of a shutdown or breach.

Additionally, companies often discount the value of the positive side of due diligence, understandably focussing on the more immediate concerns around cyber security risks. An organisation that regularly gathers and synthesises intelligence about itself and its key partners gives its decision makers accurate, up-to-date information on its capacity for growth. Being prepared for digital and cyber threats also means you are prepared to grow more quickly, form partnerships with less effort, and maintain compliance with less difficulty.

Compliance-driven Due Diligence

Of course, for some organisations it is more appropriate to follow a compliance-driven model, using limited resources as efficiently as possible to achieve and maintain compliance with the frameworks they are required to meet.

Take, for example, ISO 27001:2022, a popular framework covering a broad range of areas within Information Security. One area that is new in the most recent edition of the standard is the incorporation of digital and cyber threat intelligence gathering into the requirements of the regime. While the wording of the standard leaves some flexibility in how that requirement is met, organisations do need to incorporate some form of threat detection into their processes to achieve and maintain compliance.

Due diligence as described above is one way to do this: a way to reap the benefits of improved business intelligence while simultaneously meeting the ISO requirement. This applies not just to ISO but to other international standards and regulations such as DORA, PCI DSS, NIST, and NISD2, all of which include some form of requirement around due diligence, threat intelligence, or the like.

PGI can support with your due diligence needs

PGI’s Digital Investigations experts provide comprehensive due diligence services to ensure your organisation meets its information security requirements. Whether it's conducting internal audits, third-party risk assessments, or ongoing threat detection, our expert team is here to support you.

Don't wait for a security incident to highlight vulnerabilities. Proactively manage your risks with our tailored due diligence solutions. Contact us today to learn how we can help you protect your data, comply with industry standards, and secure your business against potential threats.
