Five ways to survive a data breach investigation

If you have to call in external investigators, here are some tips to maximise their effectiveness and minimise your embarrassment.


Security experts say it all the time: If a company thinks it has suffered a data security breach, the key to getting at the truth unscathed is to have a response plan in place for what needs to be done and who needs to be in charge of certain tasks. And, as SANS Institute instructor Lenny Zeltser advised in CSOonline's recent How to Respond to an Unexpected IT Security Incident article, "ask lots and lots of questions" before making rash decisions.

Unfortunately, many companies still fail to heed that advice and end up in a lot more trouble than was necessary -- see The Company That Did Everything Wrong Parts 1 and Part 2 for painful examples.

Robert Fitzgerald, a Boston-based digital forensics investigator and president of The Lorenzi Group, finds that at many of the companies he investigates, the words of Franklin D. Roosevelt ring true: The only thing [companies] have to fear is fear itself.

"People get nervous when we come in and it's a shame, because our job isn't to tear through and tell you how bad you are," Fitzgerald said. "We're not law enforcement."

But people get nervous anyway. So they do stupid things on purpose or by accident that lands the company in a heap of trouble. People who fear lawsuits or have something to hide tamper with evidence [Fitzgerald calls it "spoliation"] in ways that may seem clever -- overwriting files, reinstalling the operating system, loading a bunch of other data on discs and drives and them deleting them -- but are easily uncovered during an investigation.

To help companies avoid such madness, Fitzgerald recently sat down with CSOonline to outline five steps that can be taken to ensure a smooth investigation that ends with the company's reputation intact.

1. Have a response that's built for speed When a company brings in Fitzgerald's crew, the goal is to move with all deliberate speed so the truth can be uncovered and corrective measures can be made. Nothing gets in the way of that like a company that has nothing ready when the investigators arrive. To that end, it's important straightaway to have such items on hand as the employee manual, rules for who can do what on work machines, office and personal e-mails and computer software and hardware.

"Data is fluid, it moves quickly, so we move quickly," he said. "If you call us this morning, we want to be there this morning. The longer you wait, the more likely evidence will get spoiled. When we make suggestions, in the presence of legal counsel, we'll make suggestions we think is best for you."

Don't hem and haw, Fitzgerald said. He and his team know what they're doing. "Many times we have cases where people waited and stuff goes missing. We'll ask for all computers and drives that were used and affected, and why you think those things were affected. It's important to have an idea of why a machine was infected," he said. "We'll want to see the employee manual. That will help us define the rules people work in. We'll need names and e-mails, work and personal, of any employees you suspect might be involved. Personal e-mail addresses you should have simply for emergency contacts. There are resumes and applications where this information can be found. We need this because personal e-mails can be used to move sensitive data out of the company gates."

"Recommended For You"

Lawmakers question Sony and Epsilon on data breaches Vint Cerf on Google's privacy practices