What costs do businesses have to bear after a ransomware attack, data breach, or other cybersecurity event? Expenses including legal fees, ransom paid to cyberattackers, and revenue lost during business interruption all come to mind. Forensic IT costs aren’t usually the headline expenses, but they’re also not insignificant.
“Forensics can be a big component,” says Brian Thornton, President of ProWriters. “It’s what happens up front and drives everything.” Until a computer forensics team finishes investigating an incident, businesses can’t fully move forward with their response.
This reality makes forensic investigation costs worth every dollar. But forensic IT costs start at around ten thousand dollars. Even small merchants could find themselves facing forensic bills three times that large.
The cost of forensics is one more reason businesses—especially small and medium-sized enterprises, whose bottom lines can’t easily absorb the expense—need robust, comprehensive Cyber Liability Insurance.
Thornton spoke with Ben Demonte, a managing director and North America leader for Kroll’s Cyber Risk Practice, about the current state of computer forensics. They also discussed how businesses can make themselves “good risks” who qualify for strong Cyber policies.
Computer Forensics Today: Live Systems, Not “Dead Boxes”
Forensic IT (information technology) gathers and presents digital evidence to determine:
- What kind of incident occurred
- When and how it occurred
- What data, if any, cyberattackers accessed, viewed, or exfiltrated (exported)
Demonte finds that people don’t understand current computer forensics. They still think of “dead box forensics.” In the past, investigators often imaged and examined individual affected machines in a lab.
“That has changed,” says Demonte. “It’s changed because actors use different techniques and tactics. It’s changed because technology has changed… We’ve moved more toward a live system forensics. Let’s see what the computer is doing while it’s turned on. … Let’s look at all the processes and programs running.”
Live system forensics lets investigators identify threats more quickly. This speed, in turn, can help affected businesses return to normal operations faster.
Computer Forensic Analysis in the Cloud Depends on Logs
Modern forensic IT also depends upon detailed network activity logs.
In the best possible cases, forensic analysis of logs reveals that bad actors who entered the system didn’t view, access, or exfiltrate data. “You still have an intrusion to deal with,” says Demonte. “But at least you know [the actor] didn’t take any data.”
Logs are critical to determining a breach’s scope and a company’s liability. But Demonte says businesses often don’t have them, especially as more computing shifts to the cloud. When licensing applications from third-party managed service providers (MSPs), companies don’t always get licenses that include detailed logs. They may also fail to turn on logging options that the apps leave disabled by default.
Thornton sees the same problem. “If you go with basic settings and don’t make any adjustments,” he says, “you’re not putting things in place you easily could, that are often free.” These measures include not only detailed logs, but also preventative practices like multi-factor authentication.
Dealing with MSPs can make computer forensics more challenging. MSPs themselves aren’t immune to cyberattackers. If ransomware hits an MSP with 200 downstream clients, the MSP now has 200 potentially ransomed or encrypted endpoints. The MSP must have forensic analysis done, and so must each of its clients. That investigation time can mean more downtime for each of those clients, which is yet another reason businesses need Cyber Liability insurance.
How Businesses Can Make Themselves “Good Risks” for Cyber Carriers
Forensic IT costs vary based on a situation’s complexity. However, Demonte and Thornton say businesses can take steps to reduce their risk before the need for forensic analysis arises. These steps could ultimately help hold investigation costs down.
Businesses should use widely accepted cybersecurity tools and best practices. These include:
- Multi-factor authentication
- Strong passwords
- Good logs
- Threat detection tools on systems’ endpoints (servers, mobile devices, and more)
Demonte notes these tools are for detection, not prevention, but are still important. “It’s not about just making the fence higher,” he says. “It’s about, ‘If someone gets over the fence, how fast will I know it, and how fast can I kick them back over?’”
Businesses must also establish and follow good document and email retention policies. The longer companies retain these sources of data, the greater their risk. Demonte tells the “horror story” of a hospital employee who’d been keeping four years’ worth of daily patient admission emails when bad actors compromised the email. Policies calling for shorter retention periods—60, 90, or 120 days—greatly reduce the risk of personal, protected information being exposed.
Finally, businesses must carry strong Cyber Liability coverage. The policy will help companies cover forensic IT costs and the other expenses associated with cyber events.
Demonte advises insurance brokers to tell their clients how to be good risks for cyber insurance carriers. “They’re less likely to have a problem,” Demonte explains. “[These steps] are meaningful to the carrier when they’re trying to evaluate risk.” Companies taking a proactive approach to cyber threats are more likely to secure the coverage they need.