If your system has been hacked, what would your first reaction be?
Speaking for myself, I think I would want to know who did it and figure out how it was done. That’s my personality, to learn the who, what, and why of a situation first, and then focus on the damage control. I suspect that this is human nature for a lot of people, too.
On the other hand, when I put that question to a security professional during an informal conversation, his response was this: Find out what information was hacked and determine whether the FBI needs to be involved immediately. You have to figure the data has already been compromised, he said, so you’ve got to work on minimizing the damage.
According to Edward J. McAndrew, assistant United States attorney and cybercrime coordinator with the U.S. Attorney’s Office in the District of Delaware, and Anthony DiBello, director of strategic partnerships for Guidance Software, the security professional I spoke with is on the right track. When a hack happens, it is important to resist human nature regarding the hacker (at least immediately). Instead, you want to focus on mitigating damage and data loss and providing information to law enforcement so the cops can identify and take action against the bad guys.
Contacting law enforcement doesn’t seem to be a priority during the immediate post-breach phase. For instance, Digital Guardian asked dozens of security professionals what steps to take after a data breach. Granted, a breach doesn’t necessarily mean the network was hacked – it could have happened via a lost cellphone or laptop – but I found it interesting that contacting law enforcement was not mentioned in the comments, not even in the most detailed lists of action steps. If your company suffered another type of break-in or property loss, calling law enforcement would be the first step. So why isn’t it a priority when data is compromised or stolen?
It could be that we still haven’t reached the point where we treat electronically stored information the same way we treat physical property, although I do think that is changing. It could also be a cultural or territorial thing – IT staff not wanting to admit to, or be held responsible for, a hack that happened on their watch. Or it could simply be that there is no protocol in place on how or when to report a hack to law enforcement. So McAndrew and DiBello have put together the information that helps the authorities find cyber criminals, adding that these tips will also depend on the type of incident and other factors. Overall, though, it is a starting point for IT and security staff to create an incident reporting protocol if none is in place. The tips include:
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba