Security: How to Not Recover from Getting Hacked (A Loser's Guide to Failure)
When business and IT employees think they’re under attack, they panic. They call all the wrong people, they start rebooting or unplugging computers, and in the process they often do more damage (to data, to business continuity or to the organization’s reputation) than the intruder would have done. This is especially true when companies have installed intrusion detection systems, which generate false positives that security experts need to sort through for the real problems. "While it’s true that most companies may not know that they’ve been hacked, those who have taken a lot of precautions can find that they have hundreds of alerts," says Jay Ehrenreich, senior manager in the cybercrime prevention and response group at PricewaterhouseCoopers in New York City. "The question is, which are the ones that you really want to focus on, and how do you know for sure? That’s the next level of the problem."
The only way to prevent chaos is by establishing a clear incident-response plan, which explains whom employees should call when they suspect a problem, how and when this information should be shared with other employees or the media, and how the company will fix the problem. Most companies, though, are well-poised for a panic attack. Again, according to the CIO survey (a veritable guide to worst practices), only one-third of the respondents said they had a procedure for responding to a security problem.
Destroy The Evidence
Ed Skoudis, author of Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses and vice president of security strategy at New York City-based Predictive Systems, recalls several cases where evidence was stricken from a court case because it had not been adequately protected. In one especially memorable incident, a company that used a surveillance video to explain how a room was laid out inadvertently provided evidence against itself. The surveillance video showed that a safe containing evidence had been left wide open. "They weren’t locking the safe because they didn’t think what they had was important," Skoudis says. "You need to protect the information you gather." Even if you don’t need it for court, it can help you figure out what happened and how to fix the problem.
When investigating a security breach, a company should make a digital image of the relevant hard drive before doing anything else; even opening a file changes its last-access timestamp. This image will include not only the files on the hard drive but also the parts of the drive that still hold the contents of deleted files. The original evidence must be locked up and have a clear chain of custody. Meanwhile, the image, not the original, is what the forensics investigation works on.
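The acquisition step above, as an added example that is not part of the original article: image the source, verify the copy by hashing the source before and after and the image itself, and start a chain-of-custody log in the same step. The "drive" here is a constructed file so the script runs offline; the case identifier and examiner name are placeholders. On a real case the source would be a block device behind a hardware write blocker, and the hashes and log would be signed and stored with the locked-up original.

```shell
#!/bin/sh
# Added example (not the article's own procedure): forensic image + hash
# verification + chain-of-custody record, with a constructed evidence file.
set -eu

WORK=$(mktemp -d)
EVIDENCE="$WORK/evidence.bin"    # constructed stand-in for a real /dev/sdX
IMAGE="$WORK/case-0001-disk.dd"  # "case-0001" is a placeholder case id
LOG="$WORK/chain-of-custody.log"

# Constructed 1 MiB "disk" with a fragment of a deleted file in unallocated
# space, so the reader can confirm it survives into the image.
dd if=/dev/zero of="$EVIDENCE" bs=1024 count=1024 2>/dev/null
printf 'DELETED_FILE_FRAGMENT' | dd of="$EVIDENCE" bs=1 seek=4096 conv=notrunc 2>/dev/null

# SHA-256 of a file, using whichever tool the host has.
hash_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# acquire_image SOURCE IMAGE LOG
#  1. hash the source before it is read for imaging
#  2. copy it block-wise with dd (read-only access to the source)
#  3. hash the image and re-hash the source; all three values must agree
#  4. append the custody record; succeed only if the copy verified
acquire_image() {
  src=$1; dst=$2; log=$3
  pre=$(hash_of "$src")
  dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
  img=$(hash_of "$dst")
  post=$(hash_of "$src")
  {
    printf '%s ACQUIRE source=%s image=%s\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst"
    printf '  source_sha256_before=%s\n' "$pre"
    printf '  image_sha256=%s\n' "$img"
    printf '  source_sha256_after=%s\n' "$post"
    printf '  examiner=%s\n' "${EXAMINER:-examiner-name-placeholder}"
  } >> "$log"
  [ "$pre" = "$img" ] && [ "$img" = "$post" ]
}

if acquire_image "$EVIDENCE" "$IMAGE" "$LOG"; then
  chmod 0444 "$IMAGE"   # analysts work on copies of this verified image
  echo "verified image: $IMAGE"
  grep -c DELETED_FILE_FRAGMENT "$IMAGE"   # the deleted fragment is in the image
else
  echo "hash mismatch: image is not evidence-grade, re-acquire" >&2
  exit 1
fi
```

The three-hash check is the part that matters for court: matching source-before and source-after hashes show the acquisition did not alter the original, and the matching image hash shows the copy is exact. A mismatch means re-acquire, not "probably fine".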