Special Considerations


Insider attacks require the assistance of other players in the company. The human resources department is a key player in the incident response process. It can advise the incident response team regarding employee rights and responsibilities and the disciplinary or termination process. The department probably has people skilled in interviewing who could be useful when confronting suspects, victims, or witnesses. HR should be informed as soon as an investigation indicates the potential involvement of an employee.

The corporate legal team is also a key player. This team can provide legal advice on searches and employee privacy issues. It also can represent the company's interests when matters of potential liability are discussed. If the company is deciding whether or not to investigate an incident, for example, the legal department can advise senior management as to the corporate and personal liability if the incident escalates. Many corporate legal counsels are not well versed in computer law. In this case, contacting a cyberlaw expert is highly advisable before proceeding with an investigation. Illegal searches not only can result in the evidence being unusable, they also can result in civil or criminal penalties against the company, its officers, or the incident response team.

The physical security organization can also be crucial in an investigation. As previously discussed, these people can provide corroborating evidence to place the person at the computer. Physical security personnel might also be skilled in personal interviews, especially if they have a law enforcement background. They might have contacts in law enforcement and are often experienced in conducting investigations. Even if they are not particularly computer literate, their experience can be useful in the overall conduct of the incident response effort. In fact, they might bring insights to the process that a purely technical response might overlook.

Public relations should also be kept informed if there is any chance that the incident might become known. If the employee is terminated or if the decision is made to prosecute the employee, public relations personnel should prepare a statement for the press. The statement does not necessarily have to be released, but timely preparation can prevent a hasty reaction later when the details of the incident have leaked. Managing the public details of the incident can be even more crucial to a company's reputation than managing the technical details.



Incident Response. A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
