How Digital Forensics Detectives Investigate a Data Breach


If you suspect that your company’s data has been breached or compromised, you potentially face a number of time-sensitive and highly technical questions. As seasoned digital detectives in cyberspace, digital forensics teams can help companies piece together any evidence and understand the scope of a breach. The information they discover can help you protect your business and your customers now, and help prevent future breaches.

While many companies employ general-skill IT professionals, digital forensics is a highly specialized skill set, according to Kurt Oestreicher, Director of Forensics in Travelers’ Risk Control. While IT teams can get companies back in business following a breach, IT team members are often not trained in forensic investigation techniques that can prevent data from being altered. Travelers enlists digital forensics firms to investigate data breaches for cyber insurance customers.

“It’s no different from any other crime scene,” Oestreicher says. “The most critical step is preservation of the evidence. If you don’t obtain the evidence properly, everything else you do may be rendered invalid if the case goes to court.”

The questions that digital forensics can help answer include:

  • Did a breach really happen?
  • What is the size and business impact?
  • How did the attack occur?

A digital forensics team will examine the network and look for signs of a lingering attack, such as malware or unauthorized user accounts, or accounts with unauthorized privileges. The team can determine if an attack is still ongoing, and firm up the company’s defenses to halt continuing damage. Members of digital forensics teams who have worked with a variety of companies and breaches can bring with them more experience and insight than an in-house team with more limited external exposure might.

“Digital forensics teams can dig deep and turn around lessons learned that can help a company improve their network infrastructure and security,” says Oestreicher.

Understanding Can Aid Recovery

Forensics professionals work closely with a company’s crisis communications team to provide the public and customers with up-to-date information about any private information that may have been compromised, and information on the steps being taken to help protect customers against future breaches.

Getting an accurate count of records that may have been breached is especially important for companies with data that includes private, protected client or customer information such as Personally Identifiable Information or Protected Health Information, which are subject to growing state and federal notification regulations.

These requirements add an extra level of complexity and cost to recovery efforts. The average cost per record in a data breach that contains sensitive or private information grew 8% from $201 to $217 in 2015.[1] If a company has 20,000 records compromised, that would amount to $4.3 million.

In the increasingly complicated landscape of data breaches, digital forensics is becoming one of the critical tools that companies can use to piece together clues about the size and scope of a data breach as they work to stem the damage, meet their legal and regulatory requirements and assure customers that they are taking steps to help prevent such a breach from happening in the future.

Source:
[1] Ponemon 2015 Cost of a Data Breach Study