IT policies are a topic few people get excited about. Who can use the big colour printer? Can they use it to print flyers when their cat goes missing, or is it strictly for work purposes only? What if it’s the office cat? Surely that’s a grey area.
However, in today’s wintry economic climate everyone should be interested in saving money, and keeping computer use policies up-to-date could potentially save you money when it comes to investigating instances of suspected intellectual property theft, fraud and computer/internet misuse. This is particularly so where it is suspected that evidence may be contained on company laptops, mobile phones, tablets and other such devices.
It is vital to have a robust, well-communicated policy dictating the use of company systems, electronic devices and the transfer of company information, with the necessary caveats governing the acceptable use and transmission of data. This policy should not stand alone, but should be part of every employment contract.
It is equally important that the policy be continually updated, along with non-compete and non-solicit agreements, to reflect changes in company technology, equipment and evolutions in the outside digital world.
Training should be conducted on a suitably regular basis or when the policy is updated and must be documented thoroughly. If an employment dispute regarding the theft of data ever does develop, taking these steps will demonstrate that the company made significant efforts to ensure compliance with the policy.
When an employee is suspected of wrongdoing, it is likely that their computer will be looked at. To preserve the data in its original form, it is vital that a company employs the correct techniques to extract and piece together key evidence in order to determine a clear chain of events leading to the event in question.
Often, evidence of wrongdoing may not manifest itself until months after an employee has left the organisation, perhaps when a sales manager has reason to believe that an ex-employee has taken client data or business plans with him to his new employer. For this reason it is imperative that organisations have a way of investigating an archive of the ex-employee’s system and user behaviour in the days or weeks prior to his departure. However, imagine the frustration of in-house counsel when they realise that the suspect’s laptop has been issued to a new user after IT wiped the hard drive clean.
There are several options to mitigate this risk, and depending on your situation any one of them could be right for you:
Put the entire laptop in a sealed bag, and lock it in a safe: A popular option for the forensically aware. While the internal battery holds, it’s still possible to ascertain the accuracy of the system clock if an accurate timeline of events is required. Few companies can afford to have a room of laptops locked away indefinitely, so a retention period must be chosen. However, what if the employee left on good terms and any deceit is only discovered at a later date? Too short a retention period and you won’t cover investigations not started immediately, and too long and you’re wasting a large proportion of a device’s two- or three-year life span with it gathering dust.
Swap out the laptop’s hard disk: Nearly all of the evidence to be found on a laptop will be found on the hard disk, so why not simply remove that? For around £50 your IT team can purchase a new hard disk, reinstall Windows (as they almost certainly would have anyway) and put the laptop straight back to work with a new user or as a spare. All one needs to do is label the disk with the user’s name, user account and date of leaving and then seal it in a bag that can be locked away somewhere securely. If it later becomes apparent that forensic analysis is justified, independent expert investigators can assist with the forensic examination of the drive.
Call in the experts: Third-party forensic experts can either attend your site for a forensic extraction or arrange collection of the device. If a legal issue is anticipated, this limits your risk with a fixed outlay and minimal impact to your staff, who need to focus on the running of day-to-day business.
You may consider paying particular attention to those employees whose access to the company’s intellectual property presents the most risk for its theft. ‘Imaging for Preservation’ ensures that you have a copy of a hard drive stored for future use if needed. It also means that you can put an ex-employee’s computer back into company circulation knowing that a complete copy of its history is available in archive. This can include scope for the covert imaging of a current employee’s machine as a pre-emptive measure should you think that he or she may be currently engaged in wrongdoing.
Companies are routinely performing this process for key positions/departments which are considered to be of particular risk to protect themselves against the following scenarios:
In these scenarios a copy of the hard drive is available to perform a post-event investigation, if required. A forensic investigator will consider:
Why can’t I just get IT to copy the files off?
The lack of external cost is attractive, but the data would almost certainly be deemed not to be forensically sound. Although the intention is genuine, most IT departments are not equipped with the necessary tools or expertise to perform intricate computer forensic examinations and extract this valuable evidence without compromising its quality. Even just a ‘small poke around’ can be enough to overwrite or destroy it, and its entire validity could be called into question if issues such as chain of custody and security of data are not addressed. Would your IT personnel be comfortable giving evidence in court? There is also cost attached to lost time, and IT-style disk images can incur costs for extra storage requirements.
Whatever your approach, it is important to understand that there is no one-size-fits-all method; it does not make sense to adopt one approach for every level of employee. A receptionist leaving for maternity leave and a sales director asked to leave under a cloud are two opposite ends of the risk spectrum, and any forensic readiness plan and its associated response should of course be proportionate.