In a survey of over 1,000 corporate IT security professionals in the United States (US) and in Europe, the Middle East and Africa (EMEA), only six to seven percent said that they would ask for help from an outside consultant when responding to and diagnosing an intrusion or other data compromise. Thus, more than 90 percent said they would do it all themselves. The survey, titled Threat Intelligence and Incident Response: A Study of US and EMEA Organizations, was conducted by the Ponemon Institute in 2013 and published in February 2014.
The six to seven percent figure is particularly remarkable after reading the rest of their survey responses. Essentially, while more than 90 percent prefer doing it all themselves, huge numbers of them also acknowledge that they lack adequate tools, skills or training to do the analysis.
Consequently, if you are in senior management of an organization whose data was just compromised, there are four reasons why you should get help from an outside consultant in general and Fordham Forensics in particular.
1. 55 percent of survey respondents say that their security team lacks adequate forensic technologies or tools to quickly determine the root cause of a cyber attack.
When a computer system or network has been compromised, time is of the essence. The rush is not only to figure out what happened and put an end to it; for many types of personal, payment and health-related data, there are also time periods within which the assessment must be made and reported. Having the right tools and technologies can make a big difference in how fast the analysis can be done.
Our consultants have made the investment in the latest leading-edge technology and tools to quickly determine the root cause of an attack. In fact, all of our engagements are very time sensitive and the results must be reported to client and counsel in time for any necessary action. Furthermore, those results are often challenged by opposing entities with their own well-equipped experts. Thus, they have to be timely and they have to be correct.
2. 43 percent say that the security team lacks adequate training, skills or expertise to conduct a thorough root cause analysis.
When a compromise has occurred, it is essential to know what has happened. That answer is not just about how it happened; what has happened is also important. In other words, in addition to determining whether there was a breach, it is also important, and perhaps even more important, to know whether there was an actual data compromise and what data was compromised.
Answering this latter question has significant consequences for personal, payment and health information where there could be penalties or other cost consequences to an actual compromise. Even when the compromise does not involve regulated data sets like personal, payment and health information, an organization’s continued existence could be threatened if management is not able to adequately assess the consequence of the compromise and pilot their ship to safe waters.
Our consultants have adequate training, skills and expertise to conduct a thorough analysis. They possess significant experience as well as respected professional certifications that evidence their skills. Furthermore, these certifications impose continuing education requirements in order to maintain those credentials. Thus, our consultants are always up to date and have the highest level of skills and expertise.
3. 38 percent say it will take at least a year to know the root cause of an incident and 41 percent say they will never know with certainty the root cause.
By their own admission, 79 percent of corporate IT security managers think it will take them a year or more to determine the root cause of a security compromise. When a compromise occurs, an organization simply does not have a year or more to determine the cause and take action. Rather, the timeframe in which the cause must be determined is a matter of days if not hours, and the period within which the consequence of the compromise must be known is a few weeks.
Our consultants are well versed in timeframes of days and a few weeks. Thus, you will not need to wait a year or more to know what happened and what you need to do about it.
4. Forensic practices should be employed
Although the particular issue of forensic practices was not addressed in the Ponemon survey, if management intends to pursue a legal remedy against the culprit, it will be essential that the data used to determine the cause and consequence was collected and preserved so that it can be used as evidence at trial. In-house personnel are not typically familiar with those processes or experienced in presenting and defending that data at deposition or trial. Consequently, the best person to use for this process is an outside consultant with forensic expertise and experience.
While many might think that a legal remedy is unlikely, one never knows about the source and the consequence until the analysis is performed. Remarkably, the source could be a competitor, a vendor, a former employee or even a current employee. In fact, it could be any number of possible entities where legal action could offer a desirable remedy after the results were known.
Forensic practices must be employed from the start of the analysis. Proceeding without that discipline often ruins the evidential quality and acceptability of the data.
Having worked on hundreds of forensic matters, our consultants are well versed in forensic practices. We have also successfully presented and defended our opinions over 20 times on matters in various Federal and State courts.
Certainly, no one likes being second guessed. From that perspective, it is not surprising that more than 90 percent of the survey respondents would choose not to seek help from an outside expert to investigate their intrusion and data breach.
When one considers the two choices of using in-house resources or using an outside consultant to investigate an intrusion and data breach, two factors loom large. First, by their own admission in the recent Ponemon Institute survey, over half of the in-house security professionals are not adequately equipped to handle the unique challenges of a network intrusion and data compromise. Equally shocking is that these results are not an isolated aberration. Indeed, the firm of Ernst & Young had similar results in their 2013 Global Information Security Survey. Specifically, they found that, “Information Security Departments continue to struggle with a lack of skilled resources and support.” In fact, 50 percent of respondents in the Ernst & Young survey “cited a lack of skilled resources as a barrier to value creation.”
Second, over 70 percent of the respondents in the recent Ponemon Institute survey think it will take them a year or more to fully understand the scope and consequence of the intrusion. Of course, management does not have that kind of time to determine the cause and assess the impact.
Consequently, whenever your network or its sensitive data has been compromised, the data clearly is in favor of using an outside expert for the investigation and analysis. Thus, when your network or sensitive data has been compromised, we can help When It Really Matters.