
Employee Data Theft: A very real problem

Laurance Dine, Kroll Ontrack

Large-scale data security breaches are common headlines in the media. The recently reported case of a Government official leaving secret security documents relating to ‘Al Qaeda’ on a commuter train was a highly publicised security lapse, but most of us are unaware of the large amounts of data that are intentionally distributed on a daily basis by those who are working right under our noses.

Twenty-five years ago, it would have been near impossible to walk out of the office door unnoticed with a huge metal filing cabinet full of client files, company strategies and sales data. But with significant advances in the ways in which we store, process and exchange information, the same amount of data can be copied in a matter of seconds onto a CD or USB stick, or e-mailed to a personal e-mail address.

Consider the humble memory stick: today it typically holds 1GB of storage space. This equates to 30,000 pages.

Company Data

What would motivate an employee to take data? Many cases of data theft occur when an employee leaves or plans to set up a rival business, taking with them important customer information and company sales data. More prosaically, many employees regard files that they have worked with as their own and do not consider taking them to be theft. In a survey carried out by Prefix IT, 30% of workers (37% of men) believe sales leads/business contacts are rightfully theirs (The Business Continuity Journal).

Computer Investigation

When an employee is suspected of data theft, it is likely that their computer will be examined. A common error is for HR to ask the internal IT department to carry out the computer investigation: reviewing the actions and timelines and tracing the movements relating to the suspected theft. Although the intention is genuine, most IT departments have neither the necessary tools nor the expertise to perform intricate computer forensic examinations and extract this valuable evidence without compromising its quality. Even just a ‘small poke around’ can be enough to overwrite or destroy it, which in turn can jeopardise the entire case.

To preserve the data in its original form, it is vital that a company employs the correct techniques to extract and piece together key evidence in order to determine a clear chain of events leading to the transfer of data.  Imaging the hard drive is the first step.  The computer must not be switched on. 

Finding the Evidence

The employee’s computer may not present the full picture. It is important for the computer investigation to determine the extent of the suspect’s access and use. What systems does the suspect have access to, and what means are used to access them? Can anyone other than the suspect access these systems using the same methods? If so, can we determine who is responsible for any given action? Does the suspect work on several machines or just one? Do they have a personal drive? Is it possible that there are other people involved?

Much of the incriminating data may have been ‘deleted’ or masked by the culprit but remains embedded in the computer hard drive and can be extracted with specialised techniques and recovery tools. One misconception is that, while it is possible to determine whether data was copied onto a portable device, it is not possible to determine which files were copied. In fact, forensic techniques can determine this.
 
Once recovered, the sheer volume of data can be overwhelming. Consider how many e-mails you send and receive, and how many files you have stored, over the course of one year alone. Comprehensive systems with multifaceted search capabilities can significantly reduce the time spent searching for incriminating e-mails and documents, making the discovery of precious evidence a great deal easier, much more efficient and significantly less costly.
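
As an added illustration (not code from the original article or from Kroll Ontrack's tooling), the sketch below shows one filter such a search could apply to recovered mail: messages sent from the company domain to a personal webmail address with attachments, largest first. The domain names, the `triage` function and the sample messages are assumptions constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed values for illustration; adapt both to the investigation.
CORPORATE_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.co.uk"}

def _sample(sender, to, subject, attachment=None):
    """Build a constructed message standing in for mail exported from an image."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content("see attached")
    if attachment:
        name, size = attachment
        msg.add_attachment(b"\0" * size, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

# Constructed sample data, not real evidence.
SAMPLE_MESSAGES = [
    _sample("alice@example.com", "alice.personal@gmail.com", "customer list", ("clients.xlsx", 4096)),
    _sample("alice@example.com", "bob@example.com", "Q3 figures", ("q3.pdf", 2048)),
    _sample("alice@example.com", "friend@hotmail.com", "lunch?"),
    _sample("alice@example.com", "Alice <a.home@yahoo.co.uk>", "pipeline", ("sales_leads.csv", 10000)),
]

def _addrs(msg, *headers):
    """Return the lower-cased addresses found in the named headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values)]

def triage(raw_messages):
    """Flag corporate-to-personal mail that carries attachments, largest first."""
    hits = []
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        if not any(a.endswith("@" + CORPORATE_DOMAIN) for a in _addrs(msg, "From")):
            continue  # not sent from a company mailbox
        personal = [a for a in _addrs(msg, "To", "Cc", "Bcc")
                    if a.rpartition("@")[2] in PERSONAL_DOMAINS]
        files = [(p.get_filename(), len(p.get_payload(decode=True) or b""))
                 for p in msg.iter_attachments()]
        if personal and files:
            hits.append({"subject": str(msg["Subject"]), "to": personal,
                         "files": files, "bytes": sum(s for _, s in files)})
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)
```

A filter like this only narrows the review set; each hit still needs to be examined in context, and it should be run against a working copy of the recovered mail rather than the original evidence.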

With continual developments in the storage capabilities of digital devices (PDAs, iPods, etc.) making it increasingly easy for employees to transfer large amounts of data at the touch of a button, it is paramount that companies take the necessary steps to protect data and information from being leaked to undesirable external sources. The ubiquitous use of these digital communication and storage devices will only intensify the issue.

Well Constructed Policy

As always, a robust, well-communicated computer use and e-mail policy will help protect a company. However, if it is not widely communicated and enforced, employees will continue to distribute data freely, whether intentionally to the detriment of the company or not. The same survey found that 44% of employees were unaware of any policy explaining what can and cannot be taken home, and as many as 63% of workers believed employees ‘think nothing of taking things from the workplace’.

In the unfortunate event of data theft, it is critical for HR to ensure that the correct methods are employed for the preservation and protection of key forensic evidence. As the digital age continues to develop rapidly, so must the policies and practices surrounding how we manage and, most importantly, protect electronically stored information.

Laurance Dine is a Senior Computer Forensics Investigator at Kroll Ontrack in London.

Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.


Copyright 2007 Kroll Ontrack, Inc & Kroll Ontrack Legal Technologies Ltd.