I recently had a chat with a friend who is fairly senior in a large, well known software company. Someone in the company was being fired for cause, and my friend and other co-workers suspected that he may take, or already had taken intellectual property (‘IP’) from the business. Given their line of business, this was a concern. I mentioned that digital forensic companies can easily take a look at an employee’s computer or mobile phone and try to see if they are in fact walking out the door with company data and said that it was easier to deal with this type of thing before the person leaves, rather than waiting until they are gone. This message was taken to the leadership of the business, and in return an interesting, yet possibly short sighted, message came back, “We trust our employees not to take company data with them when they leave.”
In July 2015, the FBI launched a campaign to educate businesses and industry leaders about protecting trade secrets and intellectual property. While this campaign focuses heavily on external threats from foreign threat actors engaged in corporate espionage, it also mentions the need for companies to develop insider threat programs. Studies have shown that up to half of employees who have left their jobs keep confidential company information, either deliberately or unintentionally. When considering the deliberate aspect, it’s noted that there are several motivating factors; financial reasons being the most common, with typical IP usually falling into the following categories:
- Customer Information
- Business Plans
- Operational Information
- Staff Information
- Trade Secrets
- Proprietary Software
IP of this nature used to be paper based, however a majority is now digital. It’s now stored electronically and accessed with with the many digital devices we use on a daily basis. This has resulted in the need for enhanced methods and tools to be available to the teams charged with conducting investigations. Since most investigations focus on both establishing if, and how, someone did what they are suspected of doing, knowledge of the common methods used to remove sensitive information will be vital to today’s investigative professional. Some of the more common methods include:
- Use of a personal webmail account, such as Gmail or yahoo;
- Use of portable media, USB’s being the most common;
- Instant Messaging programs (including social media programs such as Facebook and LinkedIn);
- Cloud storage such as Dropbox or ICloud;
- Using a secure website;
- Accessing a work computer via a remote session;
- Personal devices (commonly seen as part of B.Y.O.D initiatives) without the necessary corporate safeguards
- Email exchange between a work account and a secondary email account; and
- Taking pictures of IP with a personal camera or phone.
One of the approaches used to mitigate the exfiltration of such data involves digital forensic practices during corporate investigations and exit interviews. These practices employ techniques and tools designed to capture, analyze and evaluate digital data as evidence. The purpose typically being to identify if something happened, what happened, when did it happen, who caused it to happen or was involved and what evidence exists to prove it?
Companies are now seeing the value of embedding these digital forensic practices into their operational workflows. They are using them proactively to prevent IP theft before it happens, rather than potentially being involved in litigation after the fact. In-house forensic staff, or external companies can assist with HR, security, and privacy needs prior to, or even during exit interviews to quickly analyze data before the staff member leaves for good.
What Can You Do?
As an Internal Investigator, you should be looking to become an integral part of this process. Your input and expertise is vital, and you may start to see different methods and patterns which would assist with broader fraud matters in your company.
The best starting point is the IT department within your company. Spend some time with them to get a better understanding of the devices and systems that are issued to employees, what data they can typically access, what they can do with it, and how that can be achieved. Learn what technology controls are in place, what information your company keeps and for how long. Are there retention policies for computer usage? Are there Log files kept and for how long? Help build the “Who”, “What”, “Why” and “When”;
- “Who” has access to proprietary company information? Who do you suspect is taking data?
- “What” information do they have access to? What avenues do they have access to in order to take company data (i.e. does you company allow the use of USB devices)?
- “Why” would someone take company data with them?
- “When” do you think this happened?
o Most often employees start to take company data a month prior to leaving
Where possible, be proactive rather than reactive. Make programs like this a part of corporate culture and adapt security, acceptable use, or other related policies accordingly. Be transparent and let employees know that their systems are being monitored, and activity on those systems may be looked into at a deeper level when they are leaving the company. Simple steps like these can help you switch your investigative posture from post to pre-incident, and therefore save your employers the money and resources needed for any civil litigation.
This takes us back to the quote at the beginning of this article by Ronald Reagan, “Trust, but Verify”. Placing trust in your employees is an important factor in not only attracting, but also retaining talented individuals, and for encouraging a positive and collaborative corporate culture. The initiatives suggested above should not be used as a “big brother” style monitoring tactic, but more just to verify that important and often privileged information is not walking out the door as your employees leave to work somewhere else. To further explore some of the considerations that should be made when investigating employee activity, please see our other blog post “Investigating an employee’s digital activity”.