Many situations can warrant declaring a major corporate crisis: a data breach, a cyber attack, or fast-moving corporate fraud (such as data destruction, financially motivated fraud or espionage) are some examples.
Businesses learn very quickly that they are often unprepared to investigate and manage these incidents well. They are unable to provide meaningful data to forensic investigators like us, which leads to frustration among executives and misinformation in the public forum.
IT departments are woefully unequipped to deal with the dynamic aspects of a crisis in which media relations, incident response and business continuity plans may all be actioned at once. Yet they are often the team singled out as responsible for containment, recovery and forensics.
Often under these tense situations, IT department heads (and, in NZ and Australia where extensive use of outsourcing is commonplace, IT vendors) will be ducking for cover and potentially looking to minimise their own liability through finger pointing and cover-ups. This further adds to delays and misinformation.
A crisis management plan should include a single point of contact between the incident responders, the executives and the media/public relations specialists. Be prepared to provide hourly updates where a sensitive data breach has hit the media or reputational damage is impacting the share price.
The key things these people will want to know are: 1. What data has been accessed and exfiltrated? 2. How did they get in? 3. Have they maintained access, or do they still have control? 4. Can we articulate the value or the sensitivity of the data?
If you don’t think your organisation could answer these questions in a timely manner under the pressure of a crisis, then it is probably time to consider that you need a crisis management plan, an incident response plan and a forensic capability.
When we talk about forensic capability, the need arises because traditional IT has not necessarily implemented the tools required to investigate a breach thoroughly enough to answer the types of questions that must be answered quickly in a crisis. Most people think of security operations tools such as a SIEM as defensive products: they are sold because they are used to stop an attack, breach or corporate fraud. Whilst they go a long way towards preventing incidents, they can also be very valuable from a forensic perspective, after the event. Skilled attackers will clear logs on the systems they compromise, which makes investigations very challenging; a copy already collected centrally survives that wipe. We can provide many examples where artificial intelligence products like DarkTrace have been used to catch employees who had stolen product data and given it to a competitor many months after the event.
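As an added example (not code from the original post or any vendor), the following Python script triages a constructed SIEM export to find hosts whose local audit log was cleared and lists the events the central copy still holds from before the wipe. The export line format, the host names and the use of Windows event IDs 1102 and 104 as wipe markers are assumptions for the example.

```python
"""Triage of SIEM-forwarded logs after a suspected on-host log wipe.

Added example, not from the original post. Assumes the SIEM exports one
record per line as "<ISO timestamp> <host> <event_id> <message>", and uses
Windows event 1102 ("The audit log was cleared") / 104 as the wipe marker.
"""
from collections import defaultdict
from datetime import datetime

LOG_CLEARED = {"1102", "104"}  # Security / System "log cleared" event IDs

# Constructed sample: fileserver01's audit log is cleared at 02:10, so the
# 4624/4663 events before it now exist only in the central copy.
SAMPLE_EXPORT = """\
2024-03-02T01:55:10 fileserver01 4624 Logon type 10 user svc_backup from 10.0.5.23
2024-03-02T01:58:42 fileserver01 4663 Object access \\\\share\\product\\designs.zip
2024-03-02T02:10:05 fileserver01 1102 The audit log was cleared by svc_backup
2024-03-02T02:11:00 fileserver01 4624 Logon type 10 user svc_backup from 10.0.5.23
2024-03-02T02:00:00 dc01 4624 Logon type 3 user alice from 10.0.2.14
"""

def parse_export(text):
    """Parse export lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ts, host, event_id, msg = parts
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "event_id": event_id, "msg": msg})
    return records

def find_wiped_hosts(records):
    """Return {host: events received before that host's first log-clear},
    i.e. the events no longer recoverable from the host itself."""
    by_host = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_host[r["host"]].append(r)
    surviving = {}
    for host, events in by_host.items():
        idx = next((i for i, e in enumerate(events)
                    if e["event_id"] in LOG_CLEARED), None)
        if idx is not None:  # hosts with no clear event are omitted
            surviving[host] = events[:idx]
    return surviving
```

Run against a real export, the returned per-host lists are the first thing to hand to the investigator, since they answer "what happened before the attacker covered their tracks" without touching the compromised host.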