Thursday, March 28, 2024


How to Avoid Internal Data Threats – And Investigate Them When You Can’t

The rise of technology has created endless new ways to get things done – we can chat face-to-face with friends or colleagues across the globe, ask digital assistants like Alexa what’s next on our calendar or the weather in some remote corner of the world and tell our car to automatically park itself or even take over driving entirely. But with all those conveniences comes more data – a lot more data – and thus, more data security risks.

The Theft Resource Identity Center found that more than 47 million records were exposed in the United States in the first nine months of 2018, and businesses make up 46 percent of those affected. It’s true that many external hackers target businesses through phishing emails, insecure Wi-Fi networks and malware attacks, but such external hacks are not the largest threat to your company’s data. To paraphrase that classic horror film line: the data theft is (more likely) coming from inside your office! And from those you least expect: your employees.

Nearly 75 percent of breaches are caused by insider threats, according to SecurityIntelligence. While some of those data thefts are driven by malicious intent, many employees simply don’t understand the harm in taking and repurposing company data, or they may feel that certain data is fair game or theirs to take, especially when leaving a company.

To ensure your company data stays safe, it’s important to create and regularly communicate clear policies explaining who owns the company’s data, how employees are expected to handle, store, use and protect that data and what happens to data upon an employee’s exit. Written policies, communication of clear expectations and routine reminders will go an incredibly long way in helping deter such inside data thefts.

Knowing first what data there is to protect

You can’t get started protecting your data if you do not have a full understanding of all the various types of data created and utilized within your organization, where files are saved and who has access to what. And because it’s relatively easy for employees to use an ever-increasing number of smartphone apps, websites and other resources – oftentimes without the company knowing – you should use employee questionnaires, and follow-up interviews where appropriate, to ensure that all primary sources of company data are identified – whether officially sanctioned or not.

Just because an employee uses an unofficial or non-sanctioned data resource doesn’t mean the data isn’t valuable, or that your company can’t still be held responsible for protecting it. Burying your head in the sand and ignoring such activities will only lead to more costs and increased risk. It’s also a good idea to repeat that process from time to time to ensure that your data mapping remains current.

The time investment to create and maintain that process will more than pay for itself in the long run. It not only will help you better plan for and recover from any data breach, data loss or other catastrophic data event, but it is certainly worth the money you’ll save should you suffer a data breach in the future. Ponemon Institute found that in 2018 the average data breach cost $3.86 million due to legal and regulatory activities, technical investigations, loss of business and more.

Only once you have a handle on your data can you begin establishing truly effective company directives to keep your data safe and secure.

Creating a powerful deterrent with clear policies and simple practices

The easiest way to prevent employee data theft is to work proactively, beginning with your new employee onboarding process. Especially for data-centric companies, data security should become part of your corporate culture, and there’s no better place to start enforcing that than on a new employee’s very first day. Employees should understand up front how much your organization values and protects its data and how seriously the organization takes data protection and security responsibilities. That alone will go a long way in helping to deter employee data theft.

New employees should sign a specific agreement addressing data security, whether as part of their employment contract or as a standalone document. It should state exactly who owns what data and the expectations around the use, protection and security of that data. And you should be sure those policies encompass data created not just at the company on company devices, but anywhere on any device, even on personal devices, as long as it has any connection to the company or its business. And of course, that agreement must include a confidentiality clause that, among other things, has the employee acknowledge that company information may not be taken or shared at any time during their employment or upon their departure from the organization.

If you have the capabilities in place, let your new employees know that your IT team can access, monitor and wipe company data from any device – including their personal devices. If you don’t have those capabilities in place, you should. Indeed, most modern enterprise solutions, like Microsoft’s incredibly popular Office365 offering, have those functions built in.

Once the employee has signed all the required documents, you can then grant them access to company data, but even then, only to the systems and data needed to perform their role. Adopting such a need-to-know approach to data access within your organization limits the amount of sensitive data compromised if an employee were to steal anything. Role-based data access can be tricky to manage at times, but at the very least, you should implement such controls over your most sensitive data.

And remember, data security doesn’t stop with the new hire process. Throughout employment, the company should provide regular training on its data security protocols and remind managers and employees of approved methods of data handling. Random policy testing or drills can also be useful in helping keep data security at the forefront.

Of course, the numerous technological solutions to protect your data from outsiders will help protect your data from bad-acting employees as well. Data protection and security solutions such as encryption and two-factor authentication can be just as effective in stopping employee data theft as they are in preventing outside bad actors from gaining access to that sensitive information.

Clearly, the best way to deal with employee data theft is to prevent it from occurring in the first place. The right data security policies, practices and protocols, combined with emphasis on those issues during onboarding, routine education and the exit process, will greatly reduce the likelihood that an employee will steal data.

Detecting & investigating potential data theft

Even with the best of prevention and protection, employee data theft can still happen, so detection efforts are also key. To help detect such events as early as possible, teach your managers and other employees how to recognize signs of potential data theft. And make sure employees are comfortable coming to their supervisor with such concerns, or create an alternative way for them to do so (some companies allow for anonymous alerts).

When an employee leaves – even if you don’t suspect the employee stole data – you should follow specific steps on the employee’s last day at the company:

  • Hold a formal exit interview, and remind the employee of the data security and confidentiality agreements signed at the outset of and/or during employment, providing copies of those agreements.
  • Collect any company-owned devices, such as computers, tablets, phones, external hard drives, thumb drives and backup discs, making sure that you have any passwords that may be needed to access those items.
  • Have the employee sign an agreement stating all company-owned devices have been returned and that the employee does not have any copies of company-owned data on personal devices.
  • If possible, analyze the employee’s personal devices that had access to company data or systems to verify that the remote-wiping process completed successfully, and/or destroy that data manually.
  • Disable the employee’s access to all computer systems, networks, cloud providers, phones, applications, etc.
  • Retrieve the employee’s security access cards, keys and parking decals.

It’s important to carefully and thoroughly review your company’s data security policies, practices and expectations during the exit process – just like you did during the new employee onboarding process – and to maintain routine organization-wide training and refreshers. Not only will these policies become a part of the company’s culture, but when it does come time for an employee’s exit, the expectations will have been made clear, and again, that alone will make it less likely to become an issue. Simply put, people are less likely to steal when they know someone is watching.

Upon the employee’s exit, it’s good practice to retain an exiting employee’s data and devices for at least 90 days, giving time not only to make proactive determinations as to the disposition of that employee’s devices and data, but also to allow any potential data theft to come to light. The time will also help ensure that no knowledge transfer is lost due to a device being prematurely repurposed.

Of course, if any suspicion of data theft arises during the exit process or after, then the device and data hold should be extended until the matter is resolved, or at least until those resources can be properly preserved and the data defensibly collected. No one should alter, investigate or even turn on any device or look at any data until that preservation is completed.

Some companies will even take preservation steps on a broader basis. While not practical for every exiting employee in most organizations, with especially sensitive positions like senior executives, inventors, programmers, sales people and others who have access to especially sensitive, trade secret or other highly confidential information, some companies will also create a forensically sound duplicate of an exited employee’s company-issued devices before wiping and reissuing them, and then store the preserved data for up to several years. While more costly and time consuming, such imaging will preserve items that normal data retention efforts may not, such as deleted files, log files and other critical system information that could provide evidence of improper activities.

Each company must decide for itself what roles within the company deserve such heightened efforts and what specific approach works best for them. Last year, for example, Tesla suffered a major hit when a former technician stole several gigabytes of data and leaked it to the press, costing the company business and profits as well as damage to its reputation.

To ensure all that evidence remains admissible in court, should the matter rise to that level, it’s important that imaging be done by a trained and certified individual (many firms have IT or IT security staff trained for such standard imaging). A case can be foiled entirely when an otherwise well-meaning technical person (not trained in evidentiary handling or computer forensics) just takes “a quick look around” to see what happened or what data was stolen.

Once everything is preserved, an examination of the subject data and devices can turn up various types of evidence that could indicate potential data theft or other wrongdoing, such as:

  • Large or unusual data transfers, especially of confidential files.
  • High levels of activity outside normal business hours or concentrated in the period before the employee left the company.
  • Recently accessed or connected external storage devices such as USB keys or external hard drives, sometimes including evidence of what was copied to or from those devices.
  • Recently added or deleted software, especially ones with data maintenance or wiping capabilities.
  • Newly upgraded or downgraded software.
  • Proprietary company files residing on a device that should not have access to them.
  • Files from a software program that does not reside on the device, such as CAD files.
  • A significant increase in outbound emails.
  • Personal email account usage and log-in remnants.
  • Cloud drives, FTP services or other indications of external data transfers and storage.
  • USB port recently connected to personal devices.
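
Several of the indicators listed above can be checked mechanically once activity records have been exported from the preserved copy. The following is an added example, not part of the original article: the event format, field names, sample records and all thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, not data from the article:
# (timestamp, user, kind, detail, bytes moved)
EVENTS = [
    ("2024-02-05 10:12", "jdoe", "email_out", "client update", 20_000),
    ("2024-02-19 14:40", "jdoe", "file_copy", "meeting-notes.docx", 45_000),
    ("2024-03-18 22:31", "jdoe", "usb_connect", "removable disk", 0),
    ("2024-03-18 22:37", "jdoe", "file_copy", "designs.zip", 900_000_000),
    ("2024-03-19 23:05", "jdoe", "cloud_upload", "personal drive", 650_000_000),
    ("2024-03-20 09:30", "jdoe", "email_out", "to personal account", 8_000_000),
    ("2024-03-20 09:41", "jdoe", "email_out", "to personal account", 9_000_000),
    ("2024-03-20 11:00", "asmith", "file_copy", "report.xlsx", 30_000),
]

def triage(events, user, last_day, window_days=14,
           large_bytes=500_000_000, work_hours=(7, 19)):
    """Return {indicator: findings} for one user; all thresholds are assumptions."""
    end = datetime.strptime(last_day, "%Y-%m-%d") + timedelta(days=1)
    start = end - timedelta(days=window_days)
    hits = {"large_transfer": [], "off_hours": [], "external_storage": [],
            "external_transfer": [], "pre_exit_share": 0.0}
    mine = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, detail, size)
            for ts, who, kind, detail, size in events if who == user]
    # Only activity in the window leading up to the last day is examined.
    recent = [e for e in mine if start <= e[0] < end]
    for when, kind, detail, size in recent:
        if size >= large_bytes:
            hits["large_transfer"].append(detail)
        # Weekend, or outside the assumed 07:00-19:00 working day.
        if when.weekday() >= 5 or not work_hours[0] <= when.hour < work_hours[1]:
            hits["off_hours"].append(detail)
        if kind == "usb_connect":
            hits["external_storage"].append(detail)
        if kind in ("cloud_upload", "ftp_upload"):
            hits["external_transfer"].append(detail)
    # Share of all the user's recorded activity that falls in the pre-exit window.
    hits["pre_exit_share"] = round(len(recent) / len(mine), 2) if mine else 0.0
    return hits

if __name__ == "__main__":
    for name, value in triage(EVENTS, "jdoe", "2024-03-20").items():
        print(f"{name}: {value}")
```

A hit on any indicator is a lead for the examiner to follow up in the preserved data, not a finding in itself.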

The discovery of any one or more of those activities should trigger an immediate effort to recover the potentially compromised information and further investigation, either of which may lead to other legal claims and remedies. The longer you wait, the greater the chance that essential data will be lost and the organization that much more damaged.

Regardless of the employee’s intentions – whether purposefully stealing data or simply believing he or she was the rightful owner – you should be prepared to confront the employee with sufficient evidence of data theft. Usually that leads to the quick return or deletion of the stolen data, but if the employee refuses, litigation may be required.

Establishing data protection policies may not be at the top of your to-do list, but it has a huge effect on the outcome if you suspect that an employee is stealing data. Create company protocols and enlist a forensic team now to save yourself time and money on possible – and likely – internal investigations in the future.

Brian Schrader
Brian Schrader, Esq., is president & CEO of BIA, a leader in reliable, innovative and cost-effective eDiscovery services. With early career experience in information management, computer technology and the law, Brian co-founded BIA in 2002 and has since developed the firm’s reputation as an industry pioneer and a trusted partner for corporations and law firms around the world. He can be reached at [email protected]
