How e-discovery and digital forensics can help tackle cybercrime

26 August 2021

More than 80 per cent of APAC organisations suffered a cyber-attack last year, and according to recent research, the region is touted to become the new “hot” target for cybercrime and information theft. A discussion with Eddie Toh, a partner at KPMG, and Amanda Fennell, an executive at Relativity, on how e-discovery and digital forensics play a pivotal role in all stages of cybersecurity.

With cybercrime on the rise, what are the key challenges companies face in responding to data breaches/other cyber-attacks and why do these challenges arise?

Eddie: Companies today are all aware cybersecurity is important, but not all are implementing what’s required to get to a baseline that can keep data breaches and cyber-attacks at bay.

Aside from cost, there is also the issue of capabilities in the company. This is typically the issue faced by smaller businesses who might not be able to dedicate personnel and resources to protecting this part of the business, as critical as they are aware cybersecurity is.

Eddie Toh, KPMG and Amanda Fennell, Relativity

Separate to that, there’s also a balance between what is considered a ‘nice to have’ versus a ‘must have’ for cyber threat monitoring and response tools, in addition to workforce capabilities. Even if a company meets a baseline for the needed data and cybersecurity requirements, this does not necessarily mean they are in the all clear. Every company is unique – and depending on its visibility, profile and vulnerabilities, it may need more than just baseline security capabilities to stay safe.

The difficulty in finding the sweet spot to balance cost and security needs is also the reason why companies tend to work with cyber advisors such as those from KPMG, to help them do what’s best with the amount of budget they are able to commit to.

Amanda: Low awareness and lack of overall cybersecurity investment, knowledge and preparation play a critical role in increasing a company’s vulnerability to cyber threats. Also, adversaries have more resources at their disposal than ever before and are deploying some of the most sophisticated cyberattacks ever seen. Imagine that each time we create automation to respond to an attack, the bad actors are out there employing these same tactics and the results can be staggering.

Asia is a hub for the investment in and trade of valuable digital assets – making it a goldmine for cybercriminals. If your company is in the business of housing valuable data (is there any other kind?), there’s inherent and increased risk that you need to be aware of and preparing for immediately.

Solidifying your company’s security posture is the most important thing you can do to effectively protect your data from outsider threats. Confirm that your organisation has defence-in-depth controls, which ensures multiple layers of defence are in place, partnered with significant investment in security across a multitude of domains and continual software and process improvements to best prevent, detect and respond to cyber-attacks.

My advice for companies that find themselves in the unfortunate situation of dealing with a cyber incident is to start with understanding what the threat is and then work backwards. In other words, ask yourself what you’re solving for and create a threat model to prepare.

Think about it like moving into a new house. The first thing you do is identify the ingresses and egresses. How many doors and windows do you have to secure? You then assess them. Does every door and window lock? You figure out how you can prevent something bad from happening, determine if you’ll be able to detect when something bad is happening, and if necessary, determine how you’d respond to ensure your home – and organisation – remain safe.

What is typically the journey of the data breach investigation? How do companies approach it and what should they do better?

Eddie: When a data breach is discovered, it is usually because employees find out or when an external party such as a customer or partner informs the company of a breach or compromise. An internal investigation will need to be carried out by the company for a preliminary assessment. This could involve verifying if the incident did happen, whether threat actors are still in the network, as well as the extent and potential impact on business.

Thereafter, either the company’s in-house cybersecurity team or an independent third-party will be tasked to carry out further investigations.

The maturity of organisations in responding to cyber incidents varies. Generally, cyber simulation exercises and cyber response playbooks help in dealing with such situations. More mature sectors, such as the financial services industry, often have incident response plans in place. In contrast, small and medium businesses usually do not have adequate resources or response plans to manage data breaches and other cyber-attacks.

A good understanding of the “do’s” and “don’ts” is crucial, as a company’s IT team might inadvertently overwrite or tamper with critical evidence while investigating the incident. This makes forensic investigation and containment challenging. Affected companies should always consider professional assistance, especially where resources are limited.

As part of wider investigations, digital forensic and incident response investigators such as those from KPMG will be appointed to analyse what has happened, and the extent and impact of the cyber incident. They also work closely with in-house or external legal teams to assist with regulatory or business partners’ requests. In case of reputational damage, the company may reach out to external PR firms for help in rebuilding its image.
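The "do's and don'ts" point above, that an IT team can overwrite evidence while investigating, is usually addressed by fixing the state of collected artefacts at acquisition time and verifying it before any analysis. The script below is an added illustration, not KPMG's or Relativity's tooling: it hashes every file in an evidence directory into a manifest, then later reports which artefacts are unchanged, modified, missing or newly appeared. The file names, contents and the manifest layout are constructed for the example.

```python
"""Evidence integrity manifest: hash artefacts at collection time and verify later.

Added example, not part of the original article or of any vendor product.
Assumes artefacts are ordinary files under one directory; the manifest format,
function names and sample files are this example's own.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path) -> dict[str, dict]:
    """Record hash, size and modification time of every collected artefact."""
    manifest: dict[str, dict] = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[str(p.relative_to(evidence_dir))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": st.st_mtime,
            }
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict[str, dict]) -> dict[str, str]:
    """Return {relative_path: status}; status is 'ok', 'modified', 'missing' or 'unexpected'."""
    results: dict[str, str] = {}
    for rel, rec in manifest.items():
        p = evidence_dir / rel
        if not p.is_file():
            results[rel] = "missing"
            continue
        results[rel] = "ok" if sha256_file(p) == rec["sha256"] else "modified"
    # Anything present now that was not collected originally is flagged too:
    # it was either added after acquisition or the collection was incomplete.
    for p in evidence_dir.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(evidence_dir))
            if rel not in manifest:
                results[rel] = "unexpected"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: two artefacts are collected, then an admin 'tidies up'."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample artefacts (contents are placeholders, not real data).
        (d / "auth.log").write_text("Aug 26 10:00:01 host sshd[1]: Accepted password for admin\n")
        (d / "mailbox.pst").write_bytes(b"\x21\x42\x44\x4e" + b"\x00" * 64)
        manifest = build_manifest(d)
        # Well-meaning cleanup empties the log and drops a note into the evidence folder.
        (d / "auth.log").write_text("")
        (d / "notes.txt").write_text("checked by IT\n")
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

In practice the manifest would be written out and signed (or at least stored away from the evidence) immediately after collection, and analysts would work on a verified copy rather than the originals.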

Amanda: One area of the data breach timeline that we recommend companies continually tweak and refine is their disaster recovery plan. When a disruptive cyberattack shuts down your business, one of the most important next actions is ensuring you have a battle-tested disaster recovery plan in place to minimise disruptions and minimise the impact of the attack.

Being able to quickly and effectively get your operations back online safely following a breach, via a comprehensive disaster recovery plan that addresses all stakeholders, will help mitigate losses in revenue, customers and reputation. It also gives you a solid foothold to start building your security structure back stronger – and safer.

Does the recent move to make data breach notification mandatory (for those that impact 500 or more people) necessitate changes in how organisations respond to cyber-attacks?

Eddie: The introduction of regulations and laws, such as Europe’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and Singapore’s recent amendments to its Personal Data Protection Act, have thrown the spotlight back on data breach notifications around the world.

The mandatory data breach notification law in Singapore has influenced the way companies approach cybersecurity and data protection. Companies are now putting more attention into protecting business and client data, and how to react and recover from a cyber incident.

This raises a number of questions that local businesses should ask:

  • Do we have an incident response plan?
  • What are the security controls we have in place?
  • Do we test the process regularly?
  • Based on this process, do we have an understanding of the real risks of material harm?
  • Does our team have the capabilities to limit impact in the event of a breach?
  • How is the notification threshold triggered? For instance, through policy-based qualifiers, or a process where senior executives take a call?
  • Have we determined what information is important enough to require notification in terms of regulatory and commercial protection requirements?
  • How can we ensure that any gaps identified as a result of a breach will be adequately fixed?

Against this backdrop, we are seeing more clients coming forward to request cybersecurity reviews or audits, and to seek advice from us to fundamentally change the way they think and plan for cybersecurity.

Amanda: Our viewpoint is that new regulations should not change the way security is done, because if strong security measures that meet those high standards are already in place, it shouldn’t matter. At Relativity, we’re not just thinking about how our company stays ahead of privacy requirements, but how the security and design of our products supports our customers and their compliance with the GDPR.

How do e-discovery and digital forensics help facilitate a quicker recovery from a data breach/cyber-attack crisis? What are the key benefits for companies?

Eddie: Digital forensics is a process where you take a deep, hard look at evidence and available information. It is a fact-finding exercise – looking at the footprints the attacker has left behind to understand what the attacker has taken or accessed. It helps businesses understand the impact of the breach.

With a growing number of incidents around business email compromise (BEC) involving the unauthorised access to emails, there are advantages to leveraging e-discovery to uncover the impact of such access. This includes access to business sensitive information and/or to personally identifiable information (PII).

E-discovery, on the other hand, is the electronic aspect of identifying, collecting and producing electronically stored information in response to a request for production in a lawsuit or investigation. Let’s say the CEO’s email account is compromised. The CEO usually has access to business sensitive information, perhaps even customer records.

This is where e-discovery can help to simplify the process of assessing the importance of the information accessed by the attacker, and to also determine the PII that has been accessed. It is particularly important for emails and other unstructured data, where it’s difficult to know the exact number of data breaches.
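The mailbox-compromise scenario above comes down to a scoping question: which messages in the compromised account carried PII, and how many distinct people does that cover, since the notification threshold discussed earlier counts people rather than emails. The script below is an added example of that first triage pass, written here and not taken from Relativity's or KPMG's e-discovery products. It parses a handful of constructed messages with the standard library `email` module, searches subject and body for e-mail addresses, Singapore NRIC/FIN-shaped identifiers and Luhn-valid card numbers, and tallies distinct identifiers per class. The sample messages, the pattern set and the `affected_upper_bound` figure are all this example's own assumptions.

```python
"""Scope a compromised-mailbox exposure: flag messages carrying PII and count
distinct identifiers. Added example, not any vendor's e-discovery tooling.
Sample messages are constructed; the PII patterns are a minimal illustrative set."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Constructed mailbox export standing in for .eml files pulled from the CEO's account.
SAMPLE_MESSAGES = [
    "From: hr@example.com\nTo: ceo@example.com\nSubject: Payroll batch\n\n"
    "Payroll for Alice Tan (alice.tan@example.com, NRIC S1234567D) and "
    "Bob Lee (bob.lee@example.com, NRIC T7654321J).\n",
    "From: ops@example.com\nTo: ceo@example.com\nSubject: Lunch on Friday?\n\n"
    "Usual place at 12:30, call me on 9123 4567 if late.\n",
    "From: finance@example.com\nTo: ceo@example.com\nSubject: Refund approval\n\n"
    "Refund 4111 1111 1111 1111 for alice.tan@example.com, order ref 1234 5678 9012 3456.\n"
    "Forwarded to ceo@example.com for approval.\n",
]

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # Singapore NRIC/FIN shape: prefix letter, seven digits, check letter (no checksum here).
    "nric": re.compile(r"\b[STFG]\d{7}[A-Z]\b"),
    # 13-19 digits with optional space/dash separators; Luhn filters out order numbers etc.
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def body_text(msg: Message) -> str:
    """Return the text/plain content of a message, joining multipart pieces."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def extract_pii(text: str) -> dict[str, set[str]]:
    """Distinct identifiers found in one piece of text, keyed by class."""
    found: dict[str, set[str]] = {k: set() for k in PATTERNS}
    found["email"] = {m.lower() for m in PATTERNS["email"].findall(text)}
    found["nric"] = set(PATTERNS["nric"].findall(text))
    for m in PATTERNS["card"].findall(text):
        digits = re.sub(r"[ -]", "", m)
        if luhn_ok(digits):
            found["card"].add(digits)
    return found


def scope_exposure(raw_messages: list[str], compromised_account: str,
                   threshold: int = 500) -> dict:
    """Classify each message and tally distinct identifiers across the mailbox."""
    totals: dict[str, set[str]] = {k: set() for k in PATTERNS}
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        pii = extract_pii("\n".join([msg.get("Subject", ""), body_text(msg)]))
        # The account owner's own address is not a third party's PII.
        pii["email"].discard(compromised_account.lower())
        if any(pii.values()):
            flagged.append({"subject": msg.get("Subject", ""),
                            **{k: sorted(v) for k, v in pii.items()}})
        for k in totals:
            totals[k] |= pii[k]
    # Classes are summed as an upper bound; linking an NRIC to an e-mail address
    # for the same person is reviewer work this pass cannot do.
    upper_bound = sum(len(v) for v in totals.values())
    return {
        "messages_scanned": len(raw_messages),
        "messages_with_pii": len(flagged),
        "distinct": {k: len(v) for k, v in totals.items()},
        "affected_upper_bound": upper_bound,
        "exceeds_threshold": upper_bound >= threshold,
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = scope_exposure(SAMPLE_MESSAGES, "ceo@example.com")
    for k, v in report.items():
        print(f"{k}: {v}")
```

The point of the Luhn filter and the owner-address exclusion is to keep reviewers looking at real hits: the phone number and the order reference in the constructed sample are not counted, and the same customer address appearing in two messages is counted once.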

What are the steps organisations should take to protect their data and be better prepared for cyber-attacks? What are the technologies they should invest in and why?

Amanda: Overall, companies will need to enhance efforts to update their legacy systems and adopt modern ways of buying, developing and implementing technology in order to be better equipped to manage a cyber-attack. If companies didn’t see the value in cloud solutions before 2020 and the work-from-home paradigm shift caused by the Covid-19 pandemic, they likely do now.

As many businesses were forced to quickly make the shift to remote work, cloud and software-as-a-service (SaaS) proved their utility, versatility and scalability many times over. This practical demonstration will continue to accelerate the adoption of cloud and SaaS going forward. Additionally, integrated AI and machine learning tools and capabilities that augment a company’s security posture will become increasingly important for cost and time efficiencies.

Eddie: Organisations should know what data is important to them in order to protect it – client information, business/partner information, company sensitive information. It is up to the organisations to define what we call the ‘crown jewels.’ They also need to determine how to govern this data – think about who can access the data, how to protect and manage the lifecycle of the data.

In terms of accessing data, many technologies can help with governance, as well as in defining access levels and permission rights; these tools and others can help the company manage the data lifecycle from creation to destruction.

KPMG has been a frontrunner in expanding cloud capabilities for professional services in the region. We are the first company to offer RelativityOne, a cloud solution, in Singapore. E-discovery services have been a key driver of growth for our firm. With a platform on the cloud, organisations can upload data wherever they are, using their given credentials. They can also access PII and business sensitive information across geographies which can be critical in managing and anticipating cyber incidents.

As the boundaries between the digital world and physical blur, organisations need to understand the threats they face, how to defend against them and how to respond quickly and effectively if something happens. We offer a wide range of cyber services that address companies’ concerns.

These encompass maturity and risk assessments, threat modelling, vulnerability assessments, penetration testing, compliance audits, threat hunting, red or purple teaming, cyber security exercises, incident response and training.

Amanda: Creating and improving your organisation’s security posture is a team effort. No one tool or one person can be responsible for ensuring your data remains safe; it takes every employee, every system, every application to be in sync and aligned with your mission. The task can be daunting but it’s not one you’ll go at alone. Many outside parties, like Relativity’s Calder7 security team and our partners at KPMG, are here to help.

Eddie Toh is a Partner and Head of Forensic Technology Asia Pacific at KPMG in Singapore, while Amanda Fennell is Chief Security Officer and Chief Information Officer at Relativity.