In the report “Planning for Failure,” Forrester analysts John Kindervag and Rick Holland argue that rushing to remediate after a data breach could be the wrong approach. “You must decide if you want to prosecute before you remediate,” the report argues. “Things work differently in real life than they do on your favorite crime investigation show. Too often, companies clean up a breach and then decide later they want to find and prosecute the perpetrator.”
The report continues, “Unfortunately, they’ve just cleaned up most of the evidence, and true justice becomes illusory.”
Kindervag and Holland say that when a company discovers it has been the victim of a data breach, its security professionals must “make an investigation and prosecution decision immediately. Bringing a bad guy to justice could be problematic. You may need to keep a breached system running in order to preserve evidence. In addition, it could take a significant amount of time before a trained forensic investigator or law enforcement official can respond to your breach.”
When it comes to stealthy cyberattacks, “if you close the hole, they may switch to something else,” Holland says. He acknowledges that the advice to hold back on fast remediation will be received differently from one organization to the next, depending on the company’s “risk tolerance.” But he says computer forensics done properly remains a specialization for which few companies today are fully equipped. “They have to bring in those specialists. They just don’t have those skill sets.”
The Forrester report describes how to set up an incident-response team and which IT staff, business managers and legal representatives should be part of it. In a recent Forrester survey of 341 enterprise decision-makers in North America and Europe, 25% said their companies had suffered at least one data breach in the last 12 months. Of those that had been breached, 43% said the main change afterward was having to meet additional security and audit requirements.