CYFOR Blog

It’s common for departing employees to leave their employment to either join a competitor or set up on their own, stealing data in the process. Do you suspect departing employees of stealing data from your own business?

The protection of client data and intellectual property is a significant concern for businesses. However, it is common for departing employees to leave their employment to either join a competitor or set up on their own, stealing data in the process. Companies of all descriptions share the risk of potential data breaches due to the actions of former or departing employees. This isn’t helped by the fact that data held within most businesses is now electronic, making it easy to copy and steal huge amounts of information.

A study conducted by the Ponemon Institute identified that 59% of employees who either resign or are asked to leave, subsequently take confidential business information with them. The study also found that 65% of respondents admitted to taking proprietary and confidential data that could affect their former company’s business competitiveness and result in a data breach.

What kinds of confidential data do employees take, and why?

There are various reasons behind the type of confidential data taken by employees, which can often be related to the reason for their departure. Are they disgruntled, in the process of being dismissed or leaving for a competitor? They also may not be leaving at all and could be stealing data for financial gain whilst remaining in their current employment! In 2015, an existing employee of AXA insurance was jailed for stealing customer data that was then sold to a competing claims management company.

Types of data can include:

• Trade secrets and intellectual property;
• Company passwords;
• Private employee records;
• Customer CRM databases;
• Strategic business plans;
• Financial records;
• Email lists.

How do employees steal confidential data?

There are multiple mediums and approaches an employee can utilise to steal data from a company, such as:

External Storage Devices

Copying files to a USB storage device is one of the most common methods of data extrusion. External storage devices can hold huge amounts of data, are readily available and can be easily concealed. In 2015, fitness technology company Jawbone sued Fitbit in California State Court. They accused its rival of “systematically plundering” confidential information by poaching several Jawbone employees. These individuals downloaded Jawbone’s sensitive trade secrets and intellectual property such as business strategies and product information. According to court documents, thumb drives were used to download records, and programs were used to cover their tracks or erase system logs.

Smartphones

An obvious method of data theft is the use of a smartphone. Whether an iPhone or Android device, many smart devices have considerable storage capacities, with some modern phones even holding up to and beyond 256GB; more than enough storage to facilitate the exfiltration of confidential company data. Another powerful method of taking company information is to simply take photographs of the screens from other devices! This can evade traces of access on the mobile phone itself, proving difficult to uncover wrongdoing.

Email

Email transfer is another convenient and highly-accessible method for departing employees to syphon data.  An individual can send large amounts of sensitive data to a personal email account, circumventing their business networks. In 2017, the ICO (Information Commissioners Office) prosecuted an employee for stealing data by sending emails containing commercially sensitive information from a work account to a personal account. The employee sent details of 957 clients to his personal email address as he was leaving to start a new role at a rival company.

Cloud Storage Services

Cloud storage services such as Dropbox, OneDrive and WeTransfer can be utilised to great effect given they are remotely accessible by design. This allows for the data to be uploaded from, for example, a work computer and then accessed on third-party devices where the data could then be downloaded onto.

What can you do to protect your data?

Businesses can deploy basic data security methods to make it more difficult for disgruntled employees to steal confidential data. Steps that can be taken include:

• Employing a comprehensive set of policies and procedures such as an Acceptable Use Policy. This governs the use of all company assets and includes safeguards and policies that assist in the prevention of data theft.
• Remove ‘admin’ privileges from unnecessary employees on company networks. This restricts user access and privileges to those proportionate to their role and seniority.
• Restrict USB port access so external storage devices cannot be used to copy data unless authorised. This restriction should also be applied to CD/DVD drives.
• Consider deploying software that can block websites which may be malicious, are not required for business operations or may allow for easy, un-monitored transmission of data.
• Incorporate a Forensic Readiness Plan to ensure business continuity and effective incident management in the event of an employee data theft scenario.

Forensic Assistance

Technology and data security policies will help prevent casual data theft. However, a determined employee will still attempt to steal data, especially in circumstances pertaining to setting up their own business or leading to their own financial gain. If this occurs, digital forensics can play a vital role in identifying evidence of data theft prior to, and during legal proceedings. Computer forensics experts can find and evidence instances of an employee’s improper conduct utilising specialised software, hardware and techniques, including;

• Determining whether a removable USB storage device, CD/DVD or phone was used to download data;
• Identification of the make and model of an external device, when it was first connected and the last time it was used;
• Identification and recovery of deleted data;
• Uncovering an electronic audit trail of documents that were printed by the employee;
• Analysis of internet history to identify websites frequented by the employee that may constitute evidence;
• Forensically imaging (creating an exact, court-admissible copy of) the employee’s mobile phone and computer to identify, retrieve and analyse potential digital evidence for use in court proceedings;
• Pinpoint the GPS location and movements of a departing employee at specific dates and times by utilising cell site analysis.

Should you suspect departing employees of stealing data from your organisation then CYFOR can assist. Contact our Corporate Forensics Investigation team who will be able to advise on the best course of action to provide digital evidence in relation to your matter.