Do you suspect an employee of data theft? Here are some steps to follow if you think a member of staff is stealing data.
What you should do if you suspect an employee of data theft or fraudulent activity:
Isolate, with immediate effect, any electronic devices the employee may have used: computers, laptops, tablets and smartphones.
Attempt to retrieve the device(s) from the employee to allow forensic imaging to be carried out – a common excuse is that the IT department requires the device(s) to implement software updates.
DO NOT turn on the device as this may damage or change metadata and render the evidence unusable.
Instruct an independent forensic expert to make a forensic image of the device. This is a ‘true’ copy of the device at that time and any subsequent investigations will be undertaken from the image. The device(s) can then be used again. This procedure only requires 1.5 hours of imaging time per device and can be done after working hours to minimise disruption.
Instruct the expert to retain copies of the forensic images until further notice, pending any further investigation.
Ensure that any subsequent investigation is undertaken by a suitably qualified expert.
What you should be looking for if the matter progresses to an investigative stage:
Extract all user-generated data including emails/Word documents/PDFs and spreadsheets.
Think about providing your chosen forensic expert with good keywords to limit the amount of data which will need reviewing and make the results more responsive.
Instruct your chosen expert to recover deleted data from unallocated space if you feel the employee may have permanently deleted relevant data. Time/date stamps won’t be recovered and you may only recover fragments; however, this may be sufficient to pursue the matter further.
If you suspect an employee of data theft, consider what other mediums they may have used to remove valuable data or contacts, such as cloud-based storage, data transfer to personal email accounts and the use of USB devices.
Internet search history – what has the employee been searching for? Have they been regularly accessing personal email, for example?
Prevention is better than a cure – how to advise your clients on data theft prevention:
Adopt a more robust approach to company IT security policies. Forbid the use of external USB devices and access to cloud storage, personal email and social media accounts.
Ensure that your client knows what to do should they have suspicions about one of their employees – isolate the device(s) and have forensic images taken.
Ensure that all personal passwords used by the employee are provided to the IT department, including PIN codes for mobile phones and tablets.
BYOD (Bring Your Own Device): if your client allows employees to use their own phones for business, be aware that, should they leave, they will retain business information such as client details and intellectual property (IP) for their own use in the future. Ensure security policies are in place.
Consider LinkedIn contacts. This is a new trend: do you have a policy in place to protect your clients who are connected with an employee under suspicion?