What you should be advising your clients if they suspect an employee is stealing company data:
Isolate, with immediate effect, any electronic devices the employee may have used: computers, laptops, tablets and smartphones.
Attempt to retrieve the device(s) from the employee to allow forensic imaging to be carried out – a common excuse is that the IT department require the device(s) to implement ‘software updates’.
DO NOT turn on the device as this may damage or change metadata and render the evidence unusable.
Instruct an independent forensics expert to make a forensic image of the device. This is a ‘true’ copy of the device at that time and any subsequent investigations will be undertaken from the image. The device(s) can then be used again. This procedure only requires 1.5 hours of imaging time per device and can be done after working hours to minimise disruption.
Instruct the expert to retain copies of the forensic imaging until further notice, pending any further investigation.
Ensure that any subsequent investigation is undertaken by a suitably qualified expert.
What you should be looking for if the matter progresses to an investigative stage:
Extract all user generated data including emails/Word documents/PDFs and spreadsheets.
Think about providing your chosen forensic expert with good keywords to limit the amount of data which will need reviewing and make the results more responsive.
Instruct your chosen expert to recover deleted data from unallocated space if you feel the employee may have permanently deleted relevant data. Time/date stamps won’t be recovered and you may only recover fragments; however, it may be sufficient to pursue the matter further.
Consider what other media the employee may have used to remove valuable data or contacts, such as cloud-based storage, data transfer to personal email accounts and the use of USB devices.
Internet search history – what has the employee been searching for? Have they been regularly accessing personal email, for example?
Prevention is better than a cure – how to advise your clients on data theft prevention:
Adopt a more robust approach to company IT security policies. Forbid the use of external USB devices, access to cloud storage, personal email and social media accounts.
Ensure that your client knows what to do should they have suspicions about one of their employees – isolate the device(s) and have forensic images taken.
Ensure that all personal passwords used by the employee are provided to the IT department, including pin codes for mobile phones and tablets.
BYOD (Bring Your Own Device): if your client allows employees to use their own phones for business, be aware that, should they leave, they will have business information such as client details and IP for their own use in the future. Ensure security policies are in place.
Consider LinkedIn contacts. This is a new trend: do you have a policy in place to protect your clients who are connected with an employee under suspicion?
Consider using a forensic expert to formulate a Forensic Readiness Plan (FRP).