ORLANDO – When facing data breach investigations, it's common for enterprises to call on the FBI or Secret Service, but according to a security expert who serves as a part-time police officer, state, county and local law enforcement teams can also assist during a breach.
When you don’t have metrics about who is calling and what is that they want, you can’t get money to get the training to make the people on the response side any better.
Nick Selby, N4Struct Inc.
Nick Selby, a partner with Washington DC-based information security consulting firm N4Struct Inc. who became a Texas police officer two years ago, said local law enforcement should play a larger role in data breach investigations.
FBI investigators are working far too many cases to handle breaches efficiently, Selby told attendees during a luncheon keynote at the 2012 InfoSec World Conference and Expo. Selby doesn’t want IT security pros to dial 911, but he said involving state and local authorities to assist in an investigation should be part of incident response procedures.
“We’re not telling the cops when they are there to help,” Selby said. “The cops who I have met want to help, they just don’t know how.”
Since many law enforcement organizations are often left out of data breach investigations and data breach response plans, Selby said, the vast majority of cybercrime is going unreported and unpunished. Investigators need to justify their expenses in order to get funding for such efforts, and, according to Selby, their lack of involvement in data breach investigations means they can’t justify forensics tools and training to improve their ability to help.
“When the IT people in the companies and their lawyers, audit people and senior leadership don’t want to call law enforcement for help and they decide that getting hacked and getting their stuff stolen is the cost of doing business, they’re not lending their voice to the cry for help,” Selby said. “When you don’t have metrics about who is calling and what it is that they want, you can’t get money to get the training to make the people on the response side any better.”
Selby pointed to ATM fraud, gas pump scams and restaurant breaches as some of the types of cases where local and state police investigators can provide assistance. The FBI often has to decide on a case-by-case basis whether a breach needs significant investigation. Often the extent of a breach and the damage to the business is too unclear, forcing investigators to take on other cases. The 2012 Verizon Data Breach Investigations Report found restaurant point-of-sale terminal breaches, gas pump and ATM fraud among the biggest contributors of data breaches in 2011.
“There are tremendously good IT people in the FBI and the Secret Service and other agencies even down at the state and county level who are very talented, very dedicated people," Selby said, "but they don’t have the resources there; they’re completely overwhelmed.”
Selby, who also serves as managing director of PoliceLedIntelligence.com, a website that helps police share information on intelligence gathering, said he wants to help bridge what he sees as a gap between local law enforcement authorities and enterprise IT professionals. He’s calling for the formation of a non-profit organization to bring law enforcement forensics teams in front of IT security pros at industry conferences to learn about how they can assist an investigation and better understand a breach’s impact from an IT pro’s perspective. Organizations exist to build communications between law enforcement and enterprises, but Selby said groups like Infraguard, which are closely tied to the FBI, don’t go far enough.
“We need more collaboration organically and that in conjunction with existing organizations out there will make everybody stronger so we can do our job better,” Selby said.