And most security analysts agree that it's not a matter of if a company will be attacked. They will be hit. It's just a question of when and how hard.
"Bad things are going to happen," says Kenneth Citarella, deputy chief of the Investigations Division of the Westchester County District Attorney's Office. "What are you going to do when it happens? It's a critical time. The worst thing is to find out that you screwed up and ruined evidence or otherwise ruined your chance of making things right. You've got to know what to do before it happens."
Firewalls, VPNs and intrusion detection software are heavy hitters in the security market. IT administrators, naturally, are constantly searching for new ways to keep intruders -- whether hackers, worms or viruses -- out of their systems. Where the plan falls apart is in deciding what to do once security is breached.
Law enforcement agents, forensic experts and corporate security administrators have different goals -- so they also have different ideas about how to handle an attack. Should you bring the network down? Should you leave it running? Should you call the police in immediately?
Law enforcement agents generally recommend that you shut the machine in question down immediately. If it's a desktop or laptop computer, unplug it and lock it up.
Experts in the commercial world say IT should poke around a bit to figure out whether the attack came from the inside or the outside, what part of the system was affected, whether information was changed or deleted, and the extent of the damage. They say you need the answers to these questions to decide if law enforcement needs to be called.
There's no one agreed-upon answer.
"This disagreement... it's been a problem for a long time," says Chet Hosmer, president and CEO of WetStone Technologies, Inc., a digital security company based in Cortland, N.Y. "The key is to have some level of understanding before the attack happens. Have an action plan of what you're going to do. Portions of your system need to be working so you have tough decisions to make... You don't want to be making big decisions like that under fire. You have to figure out before hand what your plan will be."
Part of that plan should be deciding when law enforcement should be called in. Most security breaches go unreported. That means most attackers go uncaught and unpunished, fully capable of attacking again. Calling in law enforcement, however, can lead the company down a long, expensive and embarrassing path.
"Companies need to realize that an investigation and prosecution is going to be hard work -- for the company," says Citarella of the DA's office. "When you call law enforcement, know what you're in for... We will cost you money. Personnel and resources will be diverted from making your company money. You will underestimate the amount of evidence needed... When it comes time for a grand jury or a trial, all the plans you've made for your employees to work on projects or go to conferences go out the window.
"You are not going to control events," he adds.
And Citarella points out that once law enforcement is called in, the company can't simply send them away.
"Once you bring it to law enforcement, you cannot back out," he says. "You cannot call off the prosecutorial dogs."
But Citarella is quick to point out that security breaches need to be reported far more than they are today. And they largely are going unreported. A recent study by the Aberdeen Group, an industry analyst firm based in Boston, noted that reported security incidents are expected to top 200,000 this year. Aberdeen analysts say they expect the number of unreported incidents to hit 15.9 million this year.
"Getting even is wonderful," says Citarella. "And it generates more deterrence. Customers also feel better knowing you're trying to protect them rather than trying to cover something up."
Another key step -- both in handling an attack and in generating deterrence -- is to have a policy governing employee use of the corporate network, email, the telephone system and hardware. Every analyst interviewed says it needs to be made clear that employees cannot expect any privacy in the workplace. Taking that step alone eases evidence gathering and a digital investigation.
"You have to have a policy," says Frantz Sainte, president of STMC LLLC, an IT forensic service out of Stamford, Conn. "It has to say that employees have no right to access or data in the workplace. They shouldn't have any expectation of privacy."
Sainte, and other security experts, also advise IT administrators to have a pop-up window appear when the computer is being booted up. The window should offer a policy reminder that the employee needs to click on, and thus acknowledge, every day.
Here are some tips from law enforcement, industry analysts and digital forensic experts on how to plan for handling an attack: