Businesses of every type and size cannot run without information technology. The benefits and opportunities for innovation are numerous, but so are the risks.
Should the business fall victim to a security breach, or a natural disaster that brings it to a standstill, it needs to recover and get up and running as soon as possible. “For this reason, all organisations need to have strategies in place to cover incident response, awareness training, disaster recovery and business continuity,” says Simon Campbell-Young, MD of Credence Security.

Not only can security events cause downtime and recovery hassles, they can also result in legal complications, insurance claims and regulatory issues. During the course of recovery and investigation, there may be claims against third-party partners, employees or even the business itself, depending on what led to the incident.

“The company needs to establish what caused the event. It could be carelessness or negligence; it could be malfeasance or fraud,” he adds. “This is why analysing the event and collecting digital evidence has become crucial.”

According to Campbell-Young, all incidents will leave digital footprints. “Irrespective of the system or device, a trail is always left. This is where cyber forensics, or using IT and legal knowledge to analyse and use the digital evidence found, comes in.”

Cyber forensics is mostly used for investigations that, due to regulatory or criminal elements, will end up in court, and as such, the evidence needs to be collected and stored in a legally acceptable manner: documented collection, a recorded chain of custody and a way to prove the evidence has not changed since it was captured. “This evidence is easy to lose or distort, and must be handled and preserved in a manner that guarantees that this hasn’t happened.”

He says there are several digital forensics tools and techniques that can be used to trace the trail of an event, to recover any lost data and files, and to monitor systems to establish whether any abuse has occurred. “But perhaps its most valuable application is the way these tools can be used to identify what caused the incident, and to gather evidence for use by law enforcement and the legal system.”

Every day, in the course of the running of the business, a slew of digital data and records are generated. “All these records and other bits of information can become critical pieces of the puzzle in the event of a security breach. Much of this data is stored and preserved as a matter of course by the disaster recovery and business continuity processes, as well as the data retention policies. All businesses have backup files, system monitoring logs, and even camera footage. However, there is a lot of digital information that isn’t stored automatically, and might be needed should a security event occur.”

Campbell-Young says this evidence could take the form of IM chats or emails, or even SMS messages on smartphones and other devices. “It is impossible to predict exactly what data may be required in the event of an incident, or whether it will be needed for regulatory purposes, or merely for an internal investigation.”

He says this is why forensic readiness is so important. “Forensic readiness helps a business automate its actions and activities so that retrieving digital evidence becomes second nature, without any issues. The ideal is to have systems in place that record and store digital evidence in the legally appropriate manner as a matter of course. In this way, irrespective of the incident, the evidence is available, without impacting operations or productivity.”
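The two requirements above, that collected evidence be preserved in a way that proves it has not been distorted, and that a forensically ready organisation capture that proof routinely rather than after the fact, come down in practice to hashing each item at collection time and keeping a sealed record of what was collected, by whom and when. The following is an added example written for this page, not code from Credence Security or from the article: it builds such a manifest over a constructed log excerpt and chat export (sample data, not real evidence), seals it with an HMAC so the record itself is tamper-evident, and then shows that both an edited evidence item and an edited manifest are detected on verification. The key, case identifier, collector name and file names are assumptions chosen for illustration; in a real deployment the sealing key would live in a separate custody system or be replaced by a signature.

```python
"""Tamper-evident evidence manifest (added example, not from the article)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: in a real deployment this key lives in an HSM or a separate
# custody system; it is embedded here only so the example runs offline.
MANIFEST_KEY = b"example-custody-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a single evidence item."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict, collector: str, case_id: str) -> dict:
    """Record what was collected, by whom, when, and each item's hash.

    `items` maps an evidence name (file or export name) to its bytes.
    The manifest is sealed with an HMAC so the record itself cannot be
    silently edited after the fact.
    """
    entries = []
    for name in sorted(items):
        data = items[name]
        entries.append({"name": name, "size": len(data), "sha256": sha256_hex(data)})
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": entries,
    }
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    manifest["seal"] = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return manifest


def verify_manifest(manifest: dict, items: dict) -> list:
    """Return a list of problems; an empty list means the evidence is intact.

    Checks the seal first (was the manifest edited?), then every item
    (was the evidence modified, and is anything missing or unexpected?).
    """
    problems = []
    unsealed = {k: v for k, v in manifest.items() if k != "seal"}
    body = json.dumps(unsealed, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("seal", "")):
        problems.append("manifest seal invalid: manifest was altered")
        return problems  # the entries cannot be trusted, so stop here
    listed = {e["name"] for e in manifest["items"]}
    for entry in manifest["items"]:
        name = entry["name"]
        if name not in items:
            problems.append(f"{name}: missing")
            continue
        if sha256_hex(items[name]) != entry["sha256"]:
            problems.append(f"{name}: hash mismatch, content altered")
    for name in items:
        if name not in listed:
            problems.append(f"{name}: not in manifest, provenance unknown")
    return problems


# Constructed sample evidence: a log excerpt and a chat export, not real data.
SAMPLE_EVIDENCE = {
    "auth.log": b"Mar 03 09:14:02 host sshd[2211]: Accepted password for svc from 10.0.0.7\n",
    "chat_export.txt": b"[09:10] alice: sending the file now\n",
}


def demo() -> dict:
    """Build a manifest, then show that edits to an item or to the record are detected."""
    manifest = build_manifest(SAMPLE_EVIDENCE, collector="analyst-1", case_id="CASE-0001")
    intact = verify_manifest(manifest, SAMPLE_EVIDENCE)
    # An evidence item is changed after collection.
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["auth.log"] = tampered["auth.log"].replace(b"svc", b"bob")
    altered = verify_manifest(manifest, tampered)
    # The custody record itself is changed after sealing.
    forged = dict(manifest)
    forged["collector"] = "someone-else"
    edited = verify_manifest(forged, SAMPLE_EVIDENCE)
    return {"intact": intact, "altered": altered, "edited": edited}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints an empty problem list for the untouched evidence, a hash mismatch for the edited log, and a seal failure for the edited manifest. Hashing at collection time is what makes the later comparison meaningful; a hash taken only when a dispute arises proves nothing about the intervening period, which is the point of building this into routine operations rather than into the incident response.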