
Information Technology is invaluable to business. However, the dependence on IT means that most companies are susceptible to misuse of their computer systems by employees or outside sources.
Information technology security incidents vary in severity. Confidential data leaks and breaches are frequently reported in the press, often making headline news, particularly when they involve data about people. However, incidents also include occasions where company data is stolen or used inappropriately, for example, theft of IP by employees, staff exchanging offensive emails or hacking by outside parties. In these cases, companies are often required to investigate internally.
In 1904, Edmond Locard stated, “Every contact leaves a trace”, marking the birth of forensics. One hundred years later, firmly in the digital age, it couldn’t be more true. Every time a computer is switched on, a file is accessed, a memory stick is inserted or a webpage is visited, a trace is left on that computer.
When IT security incidents occur, senior management often respond by contacting their IT department for assistance. However, unless IT personnel are experienced in forensics, they could (and often do) end up changing or inadvertently deleting the evidence. Hence, the effective management of an IT security incident is crucial.
There are no set dos and don’ts when dealing with incidents since the circumstances dictate the response. Take, for example, a single user’s computer suspected of being used to steal IP. A range of questions has to be considered, for instance: Is encryption involved? What evidence may be stored on servers? Have external media or mobile phones been used, and who owns these devices? Do you have enough evidence, or is a covert investigation required?
Additionally, an experienced IT expert will assess the information security procedures of the company to determine whether they were adequate at the time of the incident. This may help an IT solicitor to assess the impact of legal or internal proceedings on a brand. For example, do you want the world to know your large company does not encrypt its laptops?
Why is the initial incident response so important? Not only could a case be jeopardised, but investigating an inappropriately examined incident can often more than double the overall costs and result in a more complex legal case.
The key is to be prepared and, if it’s just happened, stop! To prepare for IT security incidents, businesses can implement documented procedures, similar to disaster recovery planning. These procedures should contain the contact details of suitable digital forensics expert(s) and IT solicitor(s) who can provide immediate responses. They should also include instructions for IT (and management) advising against the overwhelming temptation to ‘take a peek’ at the evidence so far!
If an incident has just occurred, stop, seek immediate advice from an IT forensics expert and consult an IT solicitor. Most will provide free initial advice, which could end up saving your evidence and your pocket.
Article by Samantha Raincock, IT Expert Witness and Security Specialist, Sam Raincock Consultancy