In the flurry of news reports of yet another high-profile brand being forced to admit its systems have been compromised, it is easy to forget that career criminals or spies may not always be the source of such attacks. To some organisations, the risks posed by disgruntled employees, bad leavers or contractors, even careless senior executives, could be greater than those emanating from external perpetrators. Worryingly, research by Carnegie Mellon University has found that malicious insider activity goes undetected for, on average, 32 months. Once spotted, the impact on reputation, customer base and share price may be considerable.
Companies must address high-risk security behaviours within the workplace, at all levels. One area that requires particular attention is the management of staff exits. Because the process is often regarded as an operational HR issue, the risk of losing digital information in the wake of 'bad' leavers is frequently nothing more than an afterthought. However, the Stroz Friedberg "On the Pulse: Information Security Risk in American Business" survey found that 51% of senior management and 37% of mid-level management admit to taking job-related emails, files, or materials with them when they have left past employers. Only 20% of lower-ranking employees admit to having done so. There is nothing to suggest the picture is much different in the UK.
The ease with which information may be shared or, in some cases, exfiltrated by disgruntled leavers has changed in recent years. Services such as iCloud, Google Drive and Dropbox allow staff to easily move vast quantities of data off work devices. At the same time, instant messaging apps, including iMessage and Snapchat, offer the means to communicate semi-covertly even while using corporate computers. The reality of this highly connected workplace means employers must take steps to understand whether a departing member of staff represents a risk of data theft and, if so, be prepared to investigate that possibility before key evidence is lost.
Establishing proof of the actions of a bad leaver or rogue employee can rapidly remove any doubt about their motivations and claims of innocence or of a simple misunderstanding. We regularly find that an individual leaver or entire teams have been communicating with their new employer and each other, well ahead of the move. Such communications are typically accompanied by the theft of documents, trade secrets, contact and price lists, alongside the tools required to easily replicate and harm their employer's business. Increasingly, even emails are becoming antiquated, with teams using online file sharing services to share documents, alongside social media to plan their movements and defection.
This is where digital forensics comes into play. When a user accesses the internet, copies files to the cloud or a memory stick, sends webmails, burns DVDs or prints documents, he or she leaves a forensic trail for the experienced investigator to follow. Even highly computer-literate users often have little idea of the digital traces their actions leave behind. This is especially true with smartphones, tablets and even specialised encryption and deletion tools, which are often used by those attempting to cover their tracks.
If possible, the investigation to identify telltale traces of data exfiltration or a planned defection should start before a suspect is aware he or she is under scrutiny. Take, for example, the case of one individual who used a company mobile phone for communicating about a forthcoming defection. The employer did not want to alert the member of staff by taking the phone for analysis, for fear that the suspect would then destroy other relevant information. Instead, the investigators analysed the phone's data by retrieving the copy that had been synchronised onto the employee's computer, which could be examined without alerting the individual. The incriminating SMS messages found as a result of this analysis then led to other sources of information, which were preserved before the employee knew he was under suspicion.
Mitigating the risk of becoming a victim of malicious insiders requires an appropriate balance to be struck between deterrence, technology, security, culture and management accountability. However, most organisations have limited experience in addressing such threats, which could lead to drawn-out and costly litigation. To manage such risks, organisations must develop a digital forensic investigation strategy that works hand-in-hand with the wider cyber security strategy.
Julian Parker is a managing director in the London office of Stroz Friedberg, an investigations, intelligence and risk management company.