As businesses increase their online presence and dependency on IT, the number of incidents of computer misuse continues to rise. To limit the occurrence of such incidents, acceptable use policies and security measures must be implemented, but when controls are bypassed, either intentionally or unintentionally, organisations must be prepared to act quickly and effectively to minimise their impact.
Where an incidence of computer misuse is suspected, such as the theft of intellectual property, computer forensic experts are often called in, who are able to analyse computer equipment in order to produce legal evidence. This might involve recovering deleted files, finding evidence of websites visited online, or determining whether a USB storage device was connected to a machine.
Many businesses may be tempted to ask for internal technical help to substantiate their suspicions before calling in external specialists, but for any findings to be admissible in a court of law or employment tribunal, all investigations must follow the ACPO (Association of Chief Police Officers) guidelines for computer based evidence. If untrained IT staff are allowed access to a machine, they may render any recovered evidence useless.
A proper incident response procedure should be put in place and enforced to ensure that evidence is not deleted, damaged or contaminated. Such a procedure should include the following steps:
1) Contact a team of analysts qualified to carry out investigations in line with the ACPO guidelines for computer based evidence.
2) Do not allow unqualified staff to examine the system.
3) Secure and seal the system in a locked cupboard.
4) Make detailed notes on activities. This will include how the incident came to light, a list of all possible users of the computer, and any other information you may have.
5) If possible, do not switch the computer on. Every time a computer is switched on, data can be changed.
For this procedure to be effective, any members of staff responsible for dealing with a computer related incident should be fully trained on how to handle evidence and all members of staff should be made aware of each other’s role, responsibilities, and capabilities in this regard.
The main aim of these measures is to prevent an operational security problem from becoming a business problem that impacts on revenue and services. For example, if an incident of computer misuse is seen to have occurred but cannot be proved due to contamination of evidence, this could lead to a costly wrongful dismissal pay out at an employment tribunal. Equally, if evidence is lost, the identities of those involved may not be found, which could leave the company exposed to future attacks.
For the reasons described above, it is never too early to put incident response training in place, since waiting until an incident has occurred is, of course, too late to ensure that it is addressed effectively. In addition, having visible measures in place to tackle such events has the added benefit of acting as a deterrent against computer misuse, making it an effective way to reduce the number of computer related incidents and the resulting cost to your company.