Data Breach Investigation and Response – Dealing with the Emotions
May 2nd, 2010
Part of why I have been away from writing my blog as of late is that I have just been swamped with computer crime investigations. I have had the experience of investigating data breaches large and small, as a criminal investigator, and as a private computer examiner. I think this has given me a unique perspective worth sharing.
It seems that every data breach produces a ton of emotion for a variety of reasons. I am going to outline some of these emotions. I think this is important for an investigator to understand because it has such an impact on these investigations.
1) Emotion 1-
The IT staff is going to feel very guilty about what happened, rightly or wrongly. The finger is almost immediately pointed in their direction by management. This comes in two forms. First, the belief that they must be involved, because of course security couldn’t have been penetrated! Second, they are responsible for the computers, so it follows that it is their fault.
Is it IT’s fault? Maybe it is, maybe it isn’t. I think the organization’s managers must stop and assess their own responsibility first. Was IT adequately staffed and trained? Did management stress that security was important? Was management willing to fund positions and hardware focused on security? Did management demand ease of access over security? Did you allow any middle manager in the organization to override IT and become local/domain admins? Did management provide for physical security of computer assets?
That is a lot of questions for management to ask, but I think that is where to start the assessment of whether to blame IT for the breach.
2) Emotion 2-
This is really going to hurt our business. Maybe we can cover it up?
Not many businesses or involved decision makers are going to openly admit to this, but I think it goes on in almost all cases, even with individuals who are very morally motivated to always do the right thing. There are two major reasons for these feelings.
a) It is going to hurt the business so badly, financially and in public image, that they wonder whether the business can even survive.
b) It is so damaging to the business that any manager involved has to wonder if they are going to lose their job (along with the IT staff). So, you feel the need to protect your job and, indirectly, those you support with that job.
3) Emotion 3-
A sense of helpless confusion and anger. This comes from a few sources.
a) Not understanding how it happened and where the organization went wrong.
b) Not having the training and experience in responding to a high tech crime incident.
c) Anger that you didn’t take the time to or didn’t know how to take steps that could have prevented the breach.
d) Anger at the person who lost the laptop, left it where it could be stolen, or at the IT admins who didn’t secure the system.
4) Emotion 4- Hopelessness and Fear
The IT admins and managers are used to being the decision makers and the people who know the answers. Now, suddenly, they have to be the ones to ask for help and seek to understand what to do now. Not being used to this kind of situation, they find it difficult to adjust to the new role/situation.
I point this out not to be negative in any way to anyone. I point these emotions out because if your company is the one involved in the data breach, these emotions will be present in various shapes and intensities. This is when one of my core rules of dealing with humans comes into effect. It is one that I have seen over and over again in a 15-year law enforcement career. You can’t accurately predict how any person is going to respond to a specific high-stress situation. So, be prepared for individuals to react in unexpected ways.
I further point the emotions out because as the investigator you will be dealing with them! I think you will get a lot more honest and open responses to your investigative questions if you take the time to express an empathetic understanding of what the IT staff and managers are going through. Just like a cop arriving on the scene of a traumatic incident, the involved persons are looking for you to normalize their feelings and demonstrate that you understand and have empathy for their situation.
I know everyone is saying right now, “I thought this was a tech blog, not a psychology blog!” It is, but I just have really found that understanding the above is the first skill in being a good responder to a data breach. After all, there are PLENTY of blogs with a dry technical report on what happened! Or maybe the 1-2-3 of which log files to grab.
I am going to follow this post up with some of the lessons learned and priorities of investigation. For now, if you are reading my blog think about how you would express empathy and what you would say to the involved persons. In any kind of investigation one of the first things to remember is: “Everyone is a person first with unique experiences, emotions, and perspectives on events.”
Good luck to you all, and do some good investigating!!
