by Seth Berman, executive managing director and UK head of digital risk management and investigations company Stroz Friedberg
From drinks companies to pizza restaurants, dating sites to news sites, a growing number of organisations have been forced to deal with the aftermath of reported data breaches. In their wake, there is a heightened focus on developing strategies that can tackle such events effectively and minimise the exposure to cyber security risks. The challenge has been made plain by William Hague, the UK Foreign Secretary, describing the threat from cyber criminals as “one of the great challenges of our time”.
The impact of a data breach can be significant, with one British company reportedly losing £800m in revenue in the wake of a state-sponsored cyber attack. While the risk of financial harm through the loss of valuable intellectual property, customer and personally identifiable information or commercially sensitive information can be significant, damage to the public perception of a business could be both more immediate and longer lasting. Preparing a response strategy to regain control of a data breach scenario is, therefore, no longer just an option but should form an essential part of risk and contingency planning strategies.
However, tackling cybercrime requires a different approach from that used with more traditional crime. For most crimes, when an organisation finds itself victimised, it goes to law enforcement to identify and prosecute the perpetrator. For cybercrimes, that option is not always a viable one. In many hacking incidents, the initial objective is unlikely to be tracking down the hackers, but instead determining what systems and data may have been compromised.
This is a task corporates need to direct themselves.
Even if law enforcement could determine the scope of the incident for the victim, there are serious downsides to this approach for most corporates, as it may require granting law enforcement essentially unlimited access to secret corporate data and restricted networks. Moreover, by handing the investigation over to the police, corporations lose control over the timing and content of any public notification, which could prove a public relations disaster, especially in a hacking investigation in which the public often perceives that the corporate victim is at fault for failing to prevent the hacking.
A key question is, therefore, when (or even whether) to notify law enforcement authorities.
The strategy will, in part, be shaped by the type of data breach or hacking. Many hacking incidents are carried out by employees or former employees with a grudge. Such perpetrators are relatively easy to track and locate, arming corporations with a range of civil enforcement options, including dismissing or suing the individual. From a law enforcement perspective, a wide range of possible criminal actions may be pursued, including charges related to theft, fraud, embezzlement and computer hacking.
By contrast, hackings co-ordinated by outsiders present a very different challenge.
Unlike most crimes, there is typically no physical link between an outside hacker and his victim. The hacker could be thousands of miles away and completely unknown to the victim. This makes it much more difficult to identify and bring perpetrators to justice.
Instead, when investigating an external hacking incident, answers to a more basic series of questions will be required: how did the breach occur; has it stopped; how long has it been going on; and what data was stolen?
Sophisticated computer forensics may help answer these questions. Forensic experts will secure and review copies of the network traffic logs and configurations, and make forensic images of infected computers. This is a very intrusive process that requires scanning the entire corporate network for virus signatures, copying key computers and servers in full and monitoring network traffic.
A victim company may be required to notify regulators and the public of a data breach. Some jurisdictions require notification for certain industries while others require notification for any industry if the breached data included personally identifying information (PII) about individuals. In such cases, the question of whether to notify the authorities may be moot, but there is still the question of when you notify law enforcement – before or after a private investigation is complete.
In my experience, most companies faced with this situation conduct a private investigation before notifying law enforcement, with three factors often driving this decision:
1) It is not always immediately clear if a breach requiring notification has occurred and the only way to determine if a notification is required may be to complete the investigation yourself;
2) If individuals need to be notified about the breach, only the company and its forensics experts are in a position to determine who needs to be notified;
3) It is much easier to control the public relations and communications strategy if the company knows the extent of the problem before it is announced.
In short, giving control to public authorities early in an investigation is rarely an option.
Beyond the practical and legal considerations, there is always at least one good reason to involve law enforcement at some stage of a breach investigation: it is in the public interest. Criminal investigations of one hacking often uncover evidence of additional victims. For this reason, companies should probably err on the side of notifying law enforcement if they are victims, but typically only after their own investigation has revealed the incident’s nature and scope.
Risk and governance professionals must ensure the new cyber security risk map and, in particular, the wider financial, regulatory and compliance considerations are understood at all levels of the organisation. Senior executives have a responsibility to stakeholders to respond appropriately, keeping in mind that hacking is very different from other sorts of crimes. While law enforcement has a role to play, organisations working with outside experts must direct the investigation to establish the extent of the data breach and the requirement to notify regulators or the public. Even where law enforcement is able to identify and prosecute a hacker, only private computer forensics and legal experts may provide answers that will allow a company to respond effectively to the incident.
Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company. He spearheaded government hacking investigations as a former US Department of Justice prosecutor, before making the move into private consultancy.