When you discover that one or more computers in your business have been breached, it is easy to get very excited and try to eliminate your risk by taking systems offline and having your computer support personnel wipe the hard drive and re-install a fresh operating system and set of applications. This is the wrong course of action if you were hoping to take legal action against the perpetrators.
Most local police departments have cyber-crime investigators these days, and the first order of business is to call the police and report the crime, just as you would if your business had been physically burglarized. Reporting the crime to the IC3 (the Internet Crime Complaint Center) is a good idea too.
Here are some tips, courtesy of an article from TechRepublic, about the next steps to take after you discover you have been the victim of a cyber-crime.
- Maintain data integrity – This means saving the infected computer as-is so that a complete and successful forensic analysis can be performed. Resist the urge to wipe and refresh. You need to leave the computer turned on so that any remote Internet connections can be documented.
- Call the cops – This crime needs to be reported, as any crime would be. In many cases, the cyber insurance policy you bought (you DID get cyber insurance, right?) will likely require that the police be notified, and that they open a case.
- Call a forensic specialist – Sure, the police are sending someone with forensic training (hopefully), but your company should hire its own forensic specialist to work with the police and complete an independent investigation. It is best to establish that relationship before you need it, so you have someone you trust available when you call.
- Chain of custody – For the evidence to stand up in court, the chain of custody must be maintained in a legal manner. Often the hard drive is cloned so that the original state of the infection may be preserved. Anyone involved in the case who handles the physical or electronic evidence needs to be documented.
- Legal jurisdiction – Knowing which rules of law apply to your case, and adhering to legal procedure, is critical if the case is to withstand the rigors of a trial.
- Employee training – Your IT staff should be trained in these issues. If you use an outside IT consulting company, they should be trained as well, and you need to have that conversation the next time you meet with them. Training the rest of your staff in cybersecurity, and having a process in place that everyone knows and can follow, is important in a case such as this.
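To make the data integrity and chain of custody tips concrete, here is an added Python example (not from the TechRepublic article) that hashes a cloned disk image and keeps a custody log in which each entry is linked to the previous one by its hash, so that a later change to the image or to an earlier log record is detectable. The function names, field names and log layout are assumptions chosen for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value used by the first log entry


def sha256_file(path, chunk_size=1 << 20):
    """Hash a disk image in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(fields):
    # Canonical JSON so the same fields always produce the same hash.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def add_entry(log, handler, action, image_path, when=None):
    """Record who handled the evidence, what they did, and the image hash then."""
    entry = {
        "time": when or datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "image_sha256": sha256_file(image_path),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)  # computed before the key is added
    log.append(entry)
    return entry


def verify_log(log, original_sha256):
    """Return 'ok', or a description of the first problem found."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or entry_digest(fields) != entry["entry_hash"]:
            return f"entry {i}: log record altered"
        if entry["image_sha256"] != original_sha256:
            return f"entry {i}: image no longer matches the original"
        prev = entry["entry_hash"]
    return "ok"
```

Call `add_entry` each time the clone changes hands, and keep the hash of the original drive and the latest `entry_hash` somewhere separate from the log so that `verify_log` has an independent reference.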
So planning for your response to a cyber-incursion is another item to add to your To-Do list, but this is something better accomplished right away. Many companies do not discover a breach of their network until long after the attack has been underway. That is not the time to be figuring out what to do next. You need a plan, and you may need to outsource this planning to an experienced cybersecurity consultant. You need to establish that relationship anyway, and this would be a great way to kill two birds with one stone.
- Electronic evidence – a basic guide for First Responders
- Forensic Examination of Digital Evidence: A Guide for Law Enforcement,
- TechRepublic –