SAN FRANCISCO–If you are in business long enough, you’re going to get hacked and you’re going to have to call the cops. Maybe you’ll need their help finding the perpetrators of a crime in which your business was victimized. Maybe employees will have conducted a crime involving IT, or maybe you’ll simply be asked to help investigate a crime conducted against someone else. The fact is: your business will engage with law enforcement at some point, and you better be prepared. Sadly, few businesses today are.
That’s the assessment offered by Nick Selby, managing director at Trident Risk Management, an IT security consulting firm, and a Texas police officer, who urged attendees at the Security B-Sides Conference here Monday to be prepared when that day arrives.
The fact is, according to Selby, many companies still don’t want to contact law enforcement or make information about a security breach public – at least not if they don’t have to. Furthermore, companies don’t often engage with local law enforcement at all. And that’s a strategy that could be setting up companies victimized by cybercrime for a setback.
Consider if your company was breached, and you needed to reach out to law enforcement for help. If you don’t have previous relationship with that law enforcement organization established, or you don’t know how to properly communicate the nature of the crime in a way the police understand – things may not go as you would hope.
“If you tell an officer that you just got hit on your head and your wallet stolen, they’re going to do everything they can to go catch the crook. However, if you call and tell them your database was hacked they don’t necessarily know what that means,” Selby says.
Computer incidents are often much more abstract when it comes to damages and the value of goods stolen, it’s important to rely that information in a way that aligns with specific laws broken, and show that the case is worthy of pursuit. The best way to get results: talk in a language law enforcement understands.
“You want to call and tell them that your company’s servers were breached as described in P enal Code 33.02 and benefits were obtained through damage caused in excess of $62,000.00, which is a third degree felony. And the attacks came from a Louisiana IP address,” he said.
Selby relayed a real-world example. A crew was ripping off airlines, running a scam through Craigslist. They were offering cheap tickets online and asked buyers to meet them at an airport to conduct the transaction. When the buyer showed up, the criminals would accept $200 cash for the tickets, then go inside the airport and purchase tickets with stolen credit cards.
“If each of these incidents were seen as one-time, individual incidents, it would be hard to get much law enforcement attention,” he said. However, a little investigating changed that. “It turned out it was multi-state operation and that it was huge. The airline gathered as much evidence as they could and presented it to federal authorities. Federal agents then engaged with state investigators and the operation was broken and arrests were made,” he said.
Providing law enforcement with the precise evidence they need will not only help the crime more readily be solved, but can also lesson aggravation to your business, Selby explained. “When the guys with blue windbreakers come in, you don’t want them to shut down your data center with evidence tape,” he said. “It is much more useful if you plan your response in advance, and provide them with the systems that exact systems that were affected. They’ll work with you, rather than turn your entire data center into an evidence room,” he says.
That’s especially so if you have already established an ongoing relationship with law enforcement. That can go a long way when you have to deal with an incident – whether it’s one of your employees being investigated, or if you’ve been victimized by a digital crime. “You want to build these relationships in advance of a breach,” he said.
Cultivating those relationships is more straightforward than many might suspect. “If you have an IT security department of any size some of your employees will be ex-military or ex-police. Cultivate their existing relationships. If someone on your team wants to join the FBI Citizen Academy, encourage them,” he says. Other ways to encourage good relations with law enforcement, Selby says, includes participating in the local private sector law enforcement information sharing group InfraGard or FIRST.org (Forum for Incident Response and Security Teams).
By building a relationship with law enforcement, and communicating what police need to know in the event of a breach, you are in a much better position should something go awry. “If you get to know local law enforcement and you provide them with the information they need for the crime, and you ask them what else they need from you to help them with the case – you will get a hell of a better response that simply call and say ‘Help, I’ve been hacked – fix it,” he said.
George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme.