Andrew Smith, Director of Computer Forensics Services, Orion Investigations Co., Ltd
I am a digital forensic investigator with nearly 17 years of experience. For the past 7 years I have been based in Bangkok. My role includes not only conducting forensic investigations but also providing forensic training to the local market and raising awareness of cybersecurity in general. I would like to share with you some of my experiences in the field of cybersecurity and provide some simple tips that may prevent your company from becoming another victim of cybercrime.
With its push for a digital economy, Thailand 4.0 has brought the issue of cybersecurity to the forefront. Each year we continue to see a growth in demand for forensic awareness training and for forensic examinations. However, there is still a general lack of understanding about digital forensics, and we continue to see companies making the same mistakes over and over again.
The most common types of investigations we deal with are the theft of company data by a rogue employee, internal fraud by a trusted staff member in a managerial position, and wire transfer fraud. Wire transfer fraud is where someone has somehow gained access to an email chain between the accounts department and a third-party vendor. The fraudster will create an email address that looks almost identical to the vendor's and send an email requesting that when the invoice is paid, “please pay the money into a different bank account”. The fraudster will often provide a mildly credible reason for why the money needs to be paid into a different bank account. Once the money has been transferred, it is often impossible to recover. How the fraudster gained access to the email chain can be very difficult to identify, so it is best to train the staff who handle payments in how to respond to such requests.
If your staff receives a request to make a payment into a different bank account, they should do the following:
• Inform management of the request
• Speak directly with the company making the request to confirm if the request is genuine or not
• Train your staff to use a virtual private network (VPN) whenever they connect to public Wi-Fi. This will keep their network traffic secure.
These simple tips could save your company from suffering a large financial loss.
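The near-identical sender address described above can also be checked mechanically before a bank-detail change is actioned. The following is an added example, not part of the original article; the vendor domains, sample senders and the distance threshold of 2 are constructed assumptions.

```python
import unicodedata

# Constructed vendor list (assumption): domains of vendors you already pay.
KNOWN_VENDOR_DOMAINS = ("acme-supplies.example", "northwind-logistics.example")

# Substitutions that survive a quick glance, e.g. "rn" read as "m".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Reduce a domain to the form a hurried reader perceives."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address):
    """Return (verdict, vendor_domain) for one sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return ("known", domain)
    for vendor in KNOWN_VENDOR_DOMAINS:
        if skeleton(domain) == skeleton(vendor) or edit_distance(domain, vendor) <= 2:
            return ("lookalike", vendor)
    return ("unknown", None)

def flag_lookalikes(senders):
    """Senders whose domain imitates a known vendor, with the vendor imitated."""
    results = ((s, classify_sender(s)) for s in senders)
    return [(s, vendor) for s, (verdict, vendor) in results if verdict == "lookalike"]

# Constructed sample senders from a payments mailbox.
SAMPLE_SENDERS = ["accounts@acme-supplies.example", "accounts@acrne-supplies.example",
                  "billing@n0rthwind-logistics.example", "sales@unrelated-firm.example"]

if __name__ == "__main__":
    for sender, vendor in flag_lookalikes(SAMPLE_SENDERS):
        print(f"HOLD PAYMENT CHANGE: {sender} imitates {vendor}; verify by phone")
```

A flagged sender is a reason to stop and confirm with the vendor directly, not proof of fraud; short vendor domains will need a tighter threshold to avoid false matches.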
To help prevent theft of company data, consider the following points:
• Review which staff actually need the ability to connect USB devices to their company computer and restrict those who don’t
• Don’t allow staff to use their personal mobile phones for company business
• Don’t allow staff to use their personal email accounts for company business
In addition to the above tips, review your internal processes to make sure there is oversight for staff at all levels. Consider providing training to all staff on the latest cybersecurity threats such as phishing emails and ransomware.
When something does go wrong, management will naturally turn to their IT staff to begin an investigation and collect potential evidence. However, consider the following points:
• They have usually not been trained in how to conduct a methodical investigation
• They are often unaware of the need to maintain a complete chain of custody from the collection of data stage through to producing a report
• They are unaware of all the potential sources of evidence
• They lack the specialist tools required to conduct a forensic investigation
• They lack experience in correctly interpreting the findings of the investigation
• They lack experience in preparing evidence and professional reports for court
• They are inexperienced at presenting digital evidence at court as an expert witness
Companies often assume that as long as the person conducting the investigation holds some type of IT qualification, this will be sufficient. Digital forensics is a highly specialized field and, as demonstrated by the points above, requires a forensic investigator with the appropriate qualifications and experience to conduct the forensic investigation.
Another important issue to consider is the experience of your legal team. Do they have experience of dealing with cyber-crime cases and do they have the technical understanding of digital evidence? Due to the potential complexity of cyber-crime cases the legal team will often have to work closely with the forensic investigator to ensure the best possible outcome in any legal proceedings.
Without doubt, the number of legal cases using electronic evidence will continue to grow. Also, as the number of forensic specialists in Thailand increases, we can expect electronic evidence that has not been handled correctly to be challenged more robustly in court. If you are involved in legal proceedings where the other side is presenting digital evidence, you should consider hiring your own forensic expert to examine the validity of their evidence. To give yourself the best chance of success in any legal proceedings, make sure you use suitably trained forensic investigators and lawyers with experience of dealing with electronic evidence.