In order to prosecute Cyber Crime successfully you need proof. This can be difficult to provide, unless your organisation's information systems have adequate controls and audit capabilities.

For advice on collecting evidence see Recording Evidence of Incidents (Information Security), and Collecting Evidence of an Information Security Breach.

• Lack of a clear trail of evidence when investigating cyber crime may prevent you taking legal action against suspects, and allow the perpetrator(s) to initiate further attacks.

• Contact the law enforcement agencies if you believe a crime has been committed.
• Gather evidence to prove malicious intent, especially if the suspects are organisation staff.

• The security of your information systems may be compromised by the investigations of law enforcement agencies.
  
  e.g. In some countries, legislation grants law enforcement agents access to cryptographic keys, or to the unencrypted contents of data previously encrypted.
  
  The Regulation of Investigatory Powers Act, enacted in 2000, provides such powers to UK law enforcement agencies.
  
  The Council of Europe - Draft Convention on Cyber Crime, released in late 2000, proposes even greater investigatory powers.

• Seek legal advice as a priority.
• Consider how to best support the investigative process with minimum breach to your Information Security.
• Where cryptographic keys have been revealed and the relevant data submitted, arrange for the keys to be changed at the first available opportunity.