The Growing Need for Digital Forensics and Incident Response (DFIR)
The 2025 State of Enterprise DFIR Report from Magnet Forensics highlights a crucial reality: organisations across industries are facing an increasing volume of cyber incidents, internal investigations, and regulatory compliance challenges. Despite this, many leadership teams underestimate the strategic importance of DFIR in risk management and governance. With cyberattacks evolving rapidly, the ability to quickly respond, contain, and recover from incidents has never been more critical. Yet, 71% of DFIR professionals report challenges in performing remote investigations, especially in today’s hybrid work environment. At the same time, organisations are struggling with internal obstacles such as budget constraints, tool integration issues, and cooperation gaps between DFIR teams and IT. To address these pressing challenges, the authors suggest that organisations take a proactive stance. Investing in an incident response (IR) retainer ensures they have the necessary expertise, tools, and resources to respond effectively when (not if) an incident occurs.
The Key Findings: A Call to Action
1. Incident Response is a Business Imperative, Not Just an IT Issue
Cyber incidents, particularly phishing and malware-infected endpoints (including ransomware), continue to dominate the investigative workload. More importantly, regulatory compliance investigations are rapidly increasing, highlighting the need for digital forensics expertise in ensuring adherence to legal and industry standards. By outsourcing IR, organisations gain access to experienced DFIR professionals who can:
- Rapidly respond to cyber incidents to minimise damage.
- Provide forensic expertise to support cyber insurance claims and regulatory obligations.
- Identify root causes and strengthen security postures based on lessons learned.
2. The Value of Third-Party Expertise
The report underscores the increasing reliance on third-party forensic service providers, with 49% of in-house DFIR teams outsourcing at least some investigations. The top reasons cited include the need for impartial investigations, excessive case volumes, and cost-effectiveness. An IR retainer provides the best of both worlds:
- Immediate access to external expertise without delays in contract negotiations.
- A cost-effective model compared to hiring and maintaining an in-house DFIR team.
- Unbiased investigations that ensure credibility in legal and regulatory matters.
3. Remote Work and Mobile Device Challenges
Remote work has introduced significant forensic collection challenges. The report reveals that 71% of DFIR professionals find remote acquisition difficult, while 65% note an increasing reliance on mobile devices in investigations.
4. Internal Barriers are Preventing Effective Incident Response
Despite the growing threats, many DFIR professionals face unnecessary internal challenges. An IR retainer helps eliminate these barriers by ensuring:
- Predefined budgets for forensic services, preventing delays in incident response.
- Access to integrated forensic platforms that streamline investigations.
- A collaborative approach where DFIR and IT teams work seamlessly to mitigate threats.
The Business Case for an Incident Response Retainer
Organisations that proactively prepare for cyber incidents are better equipped to minimise financial, operational, and reputational damage. An IR retainer offers:
- Faster Response Times: Immediate expert support in the critical early hours of an incident.
- Regulatory Compliance Assurance: Expert guidance on breach notifications and forensic evidence handling.
- Cost Savings: Avoiding the high costs of ad-hoc incident response services.
- Enhanced Cyber Resilience: Continuous readiness through threat intelligence and response simulations.
Conclusion: Don’t Wait for a Crisis – Be Prepared
The 2025 State of Enterprise DFIR Report makes one thing clear: cyber incidents are inevitable. The difference between a well-managed incident and a catastrophic breach often comes down to preparedness. Investing in an IR retainer is not just a security decision; it’s a strategic business move that ensures resilience, compliance, and cost efficiency.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and, if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe”, “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
