"When we come into an incident, most people want to immediately fix it, they want it to go away as fast as possible," said Kurt Pipal, assistant legal attaché at the Office of the Legal Attaché for the FBI in the UK, speaking during panel on law enforcement and cybercrime at Infosecurity Europe 16 in London.
If possible, businesses should allow investigators to look into the breach before the evidence is destroyed.
"Understand where they hackers are in your network, let law enforcement understand that threat, and be able to give you tips on how these actors move through your network, then get them off it," said Pipal.
For Andre McGregor, a former FBI cyberspecial agent and now director of security at endpoint protection firm Tanium, suggesting to a breached company that they don't do anything is "one of the hardest conversations" to have in cyberlaw enforcement -- as the organisation just wants the hackers out of their system.
So as long as you're not actively losing data, you have some time to actively look at where the adversary is going," McGregor told ZDNet.
McGregor recalled an incident where a large company was the victim of a cyberattack: it acted quickly and only inflamed the situation.