Will your cyber security expert stand up in court?
- Sponsor content by Brendan Read, a Partner at KordaMentha
As the number of costly cyber attacks on companies has increased, so too has the demand for full-service cyber experts who can gather evidence securely, produce comprehensive reports, explain those findings to clients and act as expert witnesses in a court of law.
According to the Australian Cyber Security Centre’s second annual report (1), a cybercrime is reported every eight minutes in Australia, with criminals taking advantage of our working-from-home arrangements to launch attacks. The devastating and costly nature of these ransomware and phishing attacks calls for a level of forensic ability and experience that is second to none. Indeed, as cyber attacks have become increasingly sophisticated, so too has the expertise required to bring the threat to heel, document the exfiltration competently, mitigate impacts and appear as a reliable expert witness in court, if need be. Finding cyber professionals who excel in all these areas is more important than ever.
Considerable pressure is building on businesses to engage with suitably experienced cyber professionals to stem the financial, legal and reputational damage of breaches. Companies are now obliged to notify individuals, as well as the Office of the Australian Information Commissioner, if a cyber breach involves the release of personal or financial data, or information that may cause harm to individuals. In 2020, ASIC commenced proceedings in the Federal Court against RI Advice Group for a lack of “adequate cyber security systems”, after a hacker spent more than 155 hours logged into the server of RI Advice-licensed Frontier Financial Group (2).
In news that should act as a wake-up call to boardrooms across the country, the Federal Government has also flagged making company directors personally liable (3) for cyber breaches, paving the way for costly class actions by shareholders in the wake of a cyber breach. The Federal Government’s Critical Infrastructure Bill also allows the government to take over the cyber security system of major companies — such as health, energy and infrastructure providers — should they be hit by a debilitating attack (4).
The good news is that some companies are starting to invest in cyber security at a level commensurate with the risk of attacks. However, it is worth highlighting the skills that chief information security officers (CISOs), directors and management should be looking for when engaging cyber professionals to ensure they are hiring the best person for their needs.
THE INVESTIGATIVE MINDSET
When hiring consultants, companies would be wise to check that the cyber security expert has a clearly delineated methodology for the collection and presentation of evidence. Is the consultant investigating and securing evidence in accordance with a clear framework, or do they appear to be merely documenting a version of events? Can the consultant collate relevant evidence from swathes of data or are they struggling to locate the devil in the detail?
It is vital that the integrity of the data is preserved and handled with utmost care from collection through to analysis. Should the matter end up in court, easily defensible reports which outline the chain of custody and analytical methodology are crucial.
It is also important that the analysis detailed in reports is repeatable, which means findings can be provided to another independent forensic expert who can clearly see the methodology and evidence-gathering process and replicate it to test the conclusions.
Whenever a cyber breach has occurred, there is a considerable amount of sensitive data at stake. Companies must trust their cyber security expert has the qualifications and acumen to handle such sensitive information.
According to 2016 ABS Census data, most cyber security professionals hold an advanced diploma or higher qualification, although several have no formal qualifications. While there is no national standard for cyber security expertise, experienced and highly qualified professionals are easy to recognise.
To begin with, they should possess a history of complex engagements in evidence collection and documentation, investigation and analysis.
Cyber security experts should also have previous experience as expert witnesses in court, which indicates they can present their findings and respond to challenges to their credibility by opposing counsel under cross-examination.
The independence of the cyber security expert is equally important, as a court will likely frown upon a company’s internal IT report, suspecting, quite rightly, that company employees are neither the most effective nor the most objective chroniclers of their own incidents.
Bringing in an outside expert makes sense on a practical level, too, as IT staff often do not have the time to devote themselves to the investigation of a cyber breach. An independent external investigator, on the other hand, can give the breach the attention it deserves, respond quickly and without bias and ensure the requirements are met for admissible legal evidence.
Perhaps one of the most overlooked skills in the cyber expert’s toolkit is clear and effective verbal communication. At the end of the day, what clients are seeking is comfort and reassurance that the threat has been identified, and they rely on the cyber consultant to outline the steps they took in collecting and analysing evidence in lay terms.
Cyber experts must also be able to present their findings to a court of law and distil technical concepts into accessible language. This is where confidence, born of experience and knowledge, separates the true experts from the less experienced hires.
The communication shortcomings of an inexperienced cyber expert often become apparent once the matter proceeds to court, exposing haphazard data collection methods, incomplete notetaking, crucial evidence missed and the inability to adequately justify the approach.
If cyber experts fail to articulate their work and explain the decision-making process, then the court will struggle to understand the methodology and the evidence will be deemed inadmissible.
Companies, therefore, have much at stake. Cyber breaches are likely to continue, and even escalate, in the years to come, causing huge financial losses and much anxiety among some employers. However, the extent of the fall-out can be curtailed if managers undertake their due diligence and seek out qualified, articulate and competent cyber security experts.
If managers panic and hire the wrong consultant, the damage will only multiply.
Cybersecurity expert Brendan Read is a Partner at KordaMentha and former police detective from the Queensland Police High Tech Crime Investigation Unit.