The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

Many of the areas where we have seen companies struggle involve management-level strategic decisions that must be made when a security incident is identified. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities.

While there may be no right or wrong answer, in our experience executives that have anticipated these decision points before a breach are better able to make decisions that align with the organization’s overall strategic goals and are able to do so with greater speed and confidence.

Situation. If a breach is relatively minor in size and scope internal IT resources may be able to handle its investigation. If, however, a breach is large in size and scope many companies prefer to retain external forensic investigators that specialize in breach investigations. The difficulty, of course, is that it is near impossible to tell ex ante the size and scope of a breach.

Strategic considerations: Management typically considers the following when determining whether to engage external resources:

  1. Operational Impact. All forensic investigations divert IT resources from normal business needs. That said the degree of operational impact is typically far less if an external forensic investigator leads the investigation.
  2. Chain of Custody. If litigation or an investigation arises from a security incident questions may arise concerning what evidence was preserved and whether the evidence was preserved correctly. If internal resources were used the individuals that collected evidence may be called upon to testify as to their evidentiary methods and to establish a chain of custody.
  3. Management Confidence. Most IT departments do not receive significant training on forensic investigations and lack the internal resources to perform complex investigatory tasks (g., to reverse engineer malware; to break encryption; to perform complex log correlations). If management relies upon internal resources to investigate a security incident, management should consider the level of confidence that they will feel in the ultimate findings of the investigation.
  4. Cost. Companies that specialize in forensic investigation are not cheap. The average cost of a forensic investigation by a third party is approximately $250,000 (although the median is ~$40,000). That said, complex forensic investigations that require examination of numerous hosts and servers can reach seven figures.
  5. Speed. If an investigator is able to deploy large quantities of external resources they may be able to complete an investigation faster which may, in turn, allow a company to identify and remediate a breach (and thus limit exposure) in a shorter time frame. For example, if ten machines need to be imaged and a company maintains in-house capability to forensically image one machine per day the preservation component of an internal investigation may take 10 days as compared to an external investigator that has the capacity to deploy ten simultaneous teams and accomplish the same preservation in 1 day.