
The Inside Job
Ben Fielding, Kroll Ontrack
When it comes to data protection and security, most companies have traditionally focused on the implementation of boundary security technology, such as firewalls, to protect their data from external threats. The real concern, however, is that the modern threat lies far closer to home. In fact, it could be sitting at a desk next to you or in the office across the room.
More cases of data theft are arising from insider infiltration, helped by a myriad of portable storage devices with ever-increasing capacities that, whilst in use, arouse minimal suspicion.
It is widely understood that in the current climate, where employees may not be sure of their job security, white collar crime will rise. A recent study by Prefix IT showed that those leaving their job appear to be the biggest threat, with a staggering 65% of employees admitting they would consider stealing data when leaving their job. These and similar findings are forcing many organisations to consider the capability of their exit policies to deal with this threat.
Exit Strategies
With a sharp increase in the rate of redundancies and rising levels of unemployment, the exiting employee might feel that taking data such as sales leads, contacts, pricing or other business plans may put them in the best possible position when seeking future employment. Couple that with the relative ease with which modern technology allows data to be transferred and copied, and an organisation without a sound plan in place to respond to a data threat could be leaving itself dangerously exposed.
Organisations have for a long time implemented policies which both indicate an ‘acceptable use’ of company data and provide direction on how portable storage devices may be used. These policies are often stated to be ‘supported’ to some extent by technical means but in many cases rely largely on the good nature of employees to behave appropriately. Whilst trusting in staff is commendable, it is not by any means a defensible method of protecting a company’s intellectual assets and in fact, could be considered professionally negligent. With this in mind, there are several steps that a firm can take to address the need to protect sensitive business data and ensure that they can swiftly respond to a data threat.
Readiness Review
The first of these is a Readiness Review, which assesses an organisation’s preparedness to deal with incidents that require the gathering and preservation of digital evidence. The ability to deal with digital evidence effectively and efficiently has many advantages, from lessening the impact of an investigation on the organisation to providing it with protection and evidence that withstands legal scrutiny.
An assessment of any existing protocols, procedures and policies is made to ascertain a company’s ‘readiness’ to react to a data threat. The reviewer will meet with key staff to gain an understanding of how the organisation would typically react given a situation where there is a suspicion of wrongdoing. Any previous investigation that the organisation may have carried out will also be considered. This is likely to assist the reviewer in identifying best practice or, alternatively, missed opportunities. The reviewer can then highlight key areas for remedial action and any necessary training requirements. A comprehensive readiness review will increase the likelihood of the organisation being successful in gathering the required data (and hence gaining the right electronic evidence, or obtaining the right protection) when the call for action comes from the IT, legal or HR department.
First Responder
Ensuring that key staff are adequately trained to ‘secure the scene’ is vital in the early stages of an investigation where a forensic copy or ‘image’ of the suspect’s computer environment is required for further forensic analysis. The first rule of computer forensics is isolating and securing the evidence. This must be done in a manner which does not tamper with any fragile digital evidence such as metadata. Metadata is most easily understood as ‘data about data’: characteristics or attributes pertaining to a particular file (name, size, file type, last opened, location). It is often vital in ascertaining whether or not a particular file has been copied, opened or modified by a particular user at a given date and time. Even an action as simple as turning on a suspect’s computer can destroy that vital evidence.
Training staff in a role recognised as ‘first responder’ puts an organisation in the best possible position to obtain crucial evidence by providing guidance on how to ensure evidential integrity. Successfully securing the evidence requires that appropriate understanding and working practices are in place to cover such a complex event where there is often only one opportunity to correctly extract key evidence.
Management Awareness
Senior management are also becoming progressively more aware of their responsibilities when faced with an electronic investigation. Management are constantly reviewing and updating critical business plans, such as disaster recovery and business continuity plans, and it is increasingly accepted that with the vast majority of our business activity conducted in the electronic domain, computer forensic readiness should be no different. Training management to be aware of their legal requirements and practice guidelines assures that they apply the best approach to managing an electronic investigation that will withstand legal scrutiny.
Businesses must also assess their current data policies and controls to ensure that they remain applicable as the nature of our working environment changes. With more organisations allowing for flexible working schedules, employees are able to juggle their home and work commitments simultaneously by ‘working from home’. This, however, is coupled with a need for employees to move data across locations and between PCs. Organisations must manage the difficult paradox of allowing employees offsite access to data whilst also ensuring that this same data is not at risk of being copied or transferred for a use for which it was not intended.
Firms might also consider examining their exit policies as a strategy to combat data theft. Imaging of a hard drive provides a forensically sound copy that records the activity that has taken place on an employee’s system. This strategy may be employed across the entire organisation or applied to key positions or departments considered to be a higher risk, for example, the sales department.
Best Practice
Approaches such as these are proving successful across a variety of business sectors as many companies realise that, in the current economic climate, their survival may very well depend on their ability to protect their intellectual property. Recent news reports featuring high profile public data leakages have further fortified the argument for investing in sound data protection techniques to both tighten controls and minimise reputational damage. At a time when every penny counts, the best investment a business can make is the one which keeps it in business.
Ben Fielding is a Computer Forensics Client Manager at Kroll Ontrack, working out of the London office.
Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.
Copyright 2007 Kroll Ontrack, Inc & Kroll Ontrack Legal Technologies Ltd.