登录查看更多内容

Cyber Incidents – ECSC Top Tips #14 – Don't Touch The Evidence

ECSC | Part of the Wavenet Group

Founded in 2000, ECSC Group plc is the UK’s longest running full-service cyber security service provider.

发布日期: 2022年8月30日

Welcome to #14 in a series of helpful tips, should you ever find yourself victim of a cyber incident. Based on over 20 years of cyber incident response work, for clients of all sizes and sectors, ECSC is available 24/7/365 when you need it most.

Don't Touch The Evidence

Once in a while, you encounter an incident that might end up in court (or an employee tribunal). You need to spot these potential escalations at an early point, and act differently from a 'normal' incident response.

Let's say you have an employee under investigation and their company laptop is the centre of attention. Reminder here why Bring Your Own Device (BYOD) is a terrible idea, as you cannot investigate this device without the explicit permission of the owner. The Computer Misuse Act makes this very clear – you can go to prison.

However, assuming the device in question is owned by the company, you are free to investigate. STOP, first mistake. If I were brought in to defend your employee, I would firstly ask how many other employees (IT/HR etc) had access to the device following the suspicions.

An easy employee defence is, “IT planted the evidence as they never liked me”. This is quite likely, as IT don't normally like many users.

So, your FIRST action should be to isolate the device under trusted control and not to investigate anything. Then hand it over to expert investigators who understand how to follow (and document) any valid evidential trail.

If you think you'd benefit from the ECSC experts being by your side when you need them most, then the easiest solution is a low-cost Incident Response Retainer, giving you access to 24/7/365 remote and on-site guidance, advice and support.