Organizations may support applications on a regular basis and still lack the experience necessary to investigate breaches originating from such applications. For example, Microsoft SharePoint contains many intricacies and complexities that would frustrate employees trying to gather data if they are only familiar with SharePoint's day-to-day administrative tasks.
Evidence collection is another skill set that often requires the help of outside forensic investigators, since most companies do not have the resources to keep trained forensic investigators on staff and license the software necessary to do an investigation.
* Internal suspects: Outside experts should be considered when insiders are suspect. Recent data shows one-third of breaches are caused by insiders, such as unhappy employees, workers with alternate agendas, or those duped into committing a crime through social engineering.
When insiders are suspected, internal IT and security staff may have a conflict of interest that prevents an adequate breach response. Rather than preserving evidence, those complicit could remove it. Others may hide evidence out of sympathy or loyalty to those involved. In these cases, it is best to turn to outside help to avoid placing employees in an untenable position where they must choose between loyalty to the company and loyalty to friends and colleagues.
* Attorney-client privilege: Internal communications following a breach are potentially damaging during litigation because a breach is a crisis situation and emotions may be running high. In the quest for answers, some will point fingers, and this may prove harmful to an organization in the discovery process. Even seemingly benign statements, taken out of the context of the breach, can prove detrimental to an organization.
If litigation is anticipated, it might be prudent to engage a law firm known for conducting breach investigations. Doing so protects communication under the sanctity of the attorney-client privilege so that it is not subject to discovery. This privilege also extends to any outside experts that have been hired, such as consultants, technical advisers or computer forensics experts, provided they coordinate and communicate with the attorney rather than with the organization.