Wipfli logo

Eagle Hill School


Top 5 forensic readiness steps your organization can take

Oct 01, 2019

It takes, on average, 206 days to detect a data breach and 73 days to contain it. That’s a pretty long lifecycle. And one thing is clear: There is a relationship between how quickly an organization can identify/contain a data breach and how harsh the resulting financial consequences are. 

Organizations spend significant dollars on business continuity planning and testing, as well as implementing an incident response plan. But they often overlook the aftermath of an incident — specifically the need to prepare for a forensic investigation, whether it is financial or digital in nature.

What is forensic readiness?

Forensic readiness is the ability to perform an investigation by having all the necessary items in place ahead of time to help support those investigations. No one wants to scramble during an incident and find out they’re missing critical information that could have been used.

Can you answer these types readiness questions?

  • Could my organization effectively respond to a compromised email account, including being able to tell what information was breached?
  • Could my organization effectively respond to financial fraud performed by a current or formal financial officer?
  • Could my organization effectively respond to data and intellectual theft of property by a current or former employee?
  • Could my organization effectively respond to a sexual harassment investigation involving personal devices? 
  • Could my organization effectively respond to a ransomware or other malware event?
  • Could my organization effectively respond to a website compromise?
  • Could my organization effectively respond to the activities of a disgruntled employee?

5 ways to prepare your organization

As you can see above, there are a variety of incidents that could prompt a forensic investigation. It’s not just a cybersecurity event. There are five things you can do to help your organization prepare for the unknown and to recover faster and with less damage.  

1. Create policies and procedures

Policies and procedures are the bedrock of any security program. Policies are so important because they set expectations with your employees. The list of what you could address in your policies is long: the usage of internet, wireless, personal devices, cloud storage, hosted applications, encryption, email, webmail, data handing responsibilities, physical security expectations, backups, and endpoint management. The more of these your policies cover, the more prepared you’ll be for a forensic investigation. Creating policy and processes documents is a vital step in forensic readiness.

2. Develop an incident response plan

Incident response plans lay out the actions that need to be taken when an incident occurs. They are extremely valuable to develop and have on hand so that your organization doesn’t accidentally skip over key actions in the chaos of an incident. 

Have you defined the members involved in your plan; identified their roles; detailed containment, eradication, and recovery procedures; created tracking forms or other avenues of capturing detailed investigative information; and developed internal and external notification procedures? All these steps are key to developing an effective and comprehensive plan.

3. Plan how to handle employee departures

It’s a sad but true fact that some employees will take data to their new employer or sabotage things on their way out. What’s even worse is that you may not know it until months later.

When an employee hands in their notice, it’s critical to have a process in place to deal with physical security, their access to local networks and cloud networks, sending notifications to vendors they work with, retaining their email, examining their personal devices, and saving their assigned work device for potential review. 

At one of our clients, an IT employee went rogue on their way out and did thousands of dollars worth of damage to their Google Adwords and deliberately sabotaged their ability to sell products on Amazon. The organization hadn’t taken the former employee’s laptop back or used other recommended processes that could have helped prevent the employee from doing such damage.

4. Make sure you’re auditing and logging data

Have you addressed how you are retaining logs and for how long? Are you logging the necessary information when it comes to your critical applications and data, testing and development environment, active directory, remote access, firewall, email and more? 

The difference between auditing and logging is that auditing sets what you’re going to retain, while logging does the retaining of those selections. 

Logging is key to an investigation because it can tie things together. Antivirus logs catch where ransomware started, for example. So it’s important to decide what is important to log — what information would be important in an investigation and what information isn’t and can go unlogged. 

What we find challenging for organizations is retaining logs for a long enough period that they’re useful in a forensic investigation, as well as keeping this information centralized so you don’t have to go looking in different places for what you need. Investing in added storage — which isn’t as expensive as it used to be — to retain logs for a longer period can help keep your organization prepared for an incident and can be worth it in the long run.

5. Obtain or update your insurance coverage

We’ve seen how the costs of responding to ransomware are growing, so it’s more important than ever to have cyber insurance. If your organization has cyber insurance, do you know how much your coverage is and what it covers? Does it require you to work with specific response groups if you experience a cyber incident? It may require you to work with a certain firm or lay out procedures that, if not followed by your company could result in the insurance company not paying out on your claim.

It’s vital to review your coverage yearly and determine if the risks to your organization necessitate more coverage.

Creating your forensic readiness plan

As forensic investigators, we’ve seen time and again that critical information is missing at organizations. It’s hard to imagine you could be the next victim of ransomware or a disgruntled employee, but the longevity and future success or your organization may depend on preparing for the unexpected.

Wipfli is committed to helping ensure organizations are ready for any type of investigation — forensic or otherwise. Contact us to learn more about our forensic readiness service, or keep reading on in these articles:

How to respond to fraud

Financial fraud: What to do when an employee steals from you

Here’s why managed detection and response is so important in today’s complicated networks


Lead Cybersecurity Consultant
View Profile