I enjoyed reading this article about IT forensics on the Taylor Wessing content hub by Jo Joyce. Here are just a few of my takeaways from the piece.

The point made around having forensic specialists “on call” to support is important. But I also think this should go as far as having a direct contact/emergency call number too and ensuring contracts are in place to reduce any delays in response.

Jo Joyce (the author) states: “In many other cases a third party gets lucky by exploiting a vulnerability created by the organisation itself. Failure to encrypt data-rich systems and files, failure to patch and maintain security software and infrastructure, and poor password or security profiles make organisations easy targets for opportunistic hackers.” I would also add to this that most breaches are due to human error. Regular mandatory training for all staff, educating them on the risks and the indicators of potential phishing emails, is essential to helping prevent attacks. See my previous post on the importance of staff training here.

“The First 24 hours” – also known as the Golden Hour (or the few hours after an incident) – are crucial. My recommendation is that any action from the point of an incident becoming known is directed by advice from forensic specialists. I do agree with the three points listed in the article as a general rule of thumb; however, depending on the system(s) impacted, there may be a wider business decision that needs to be taken to immediately limit the impact and ongoing risk of any breach, e.g., taking down your own website should non-authorised content be displayed.

Jo states in the piece: “Preservation of evidence from the start is crucial; it will be needed to answer questions from Supervisory Authorities if personal data is compromised. It may also be needed in legal action against threat actors and third party platforms they may try to use.” As the author rightly points out, preservation is the key here. Going back to the above three points, any decision made around switching systems on or off will affect the availability and substance of potentially helpful information, information that allows for both remediation of the incident and identification of the source. As also noted, depending on the industry, there are regulations in place whereby pre-incident actions, and more importantly post-incident actions, will need to be explained. Also, where an individual’s data may be compromised, there will be requirements under the GDPR to identify and report on this, and the early and complete preservation of data is key in allowing this to be completed.
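One concrete way to make "preservation from the start" verifiable is to hash every collected artefact at collection time and record the results in a manifest that can later be checked, so that any later change (including a system being rebooted or a file being re-saved after the fact) is detectable. The script below is an added example written for this post; it is not code from the Taylor Wessing article or from its author, and the file names, the collector name and the log contents are constructed sample values, not real evidence.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, collector, note=""):
    """Record who collected what, when, and the hash of each artefact at that moment."""
    items = []
    for path in paths:
        stat = os.stat(path)
        items.append({
            "path": os.path.abspath(path),
            "size": stat.st_size,
            "sha256": sha256_file(path),
        })
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "items": items,
    }


def verify_manifest(manifest):
    """Return a per-path status: 'ok', 'modified' (hash differs) or 'missing' (file gone)."""
    results = {}
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_file(path) != item["sha256"]:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results


def demo():
    """Walk through collect -> tamper -> re-verify on constructed sample artefacts."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "auth.log")          # constructed sample file
    dump_path = os.path.join(workdir, "memory.dmp")        # constructed sample file
    with open(log_path, "w") as fh:
        fh.write("constructed sample log line: login from 192.0.2.10\n")
    with open(dump_path, "wb") as fh:
        fh.write(b"\x00" * 4096)

    manifest = build_manifest([log_path, dump_path], collector="example-analyst",
                              note="constructed example, not real evidence")
    # The manifest itself would normally be stored read-only, off the affected host.
    manifest_json = json.dumps(manifest, indent=2)
    before = verify_manifest(json.loads(manifest_json))

    # Simulate what happens when artefacts are touched after collection:
    with open(log_path, "a") as fh:
        fh.write("late edit after collection\n")
    os.remove(dump_path)
    after = verify_manifest(json.loads(manifest_json))

    return {
        "log_before": before[log_path],
        "log_after": after[log_path],
        "dump_before": before[dump_path],
        "dump_after": after[dump_path],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints "ok" for both artefacts immediately after collection, then "modified" for the log and "missing" for the memory dump once they have been touched, which is exactly the kind of gap a Supervisory Authority or opposing counsel would ask about if it appeared in a real investigation.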

A breach preparation plan is key. Ensuring communication channels are known and understood, policies and contracts are in place, and a forensics firm has documented a set of procedures all help in swiftly responding to and recovering from a security-related incident.