- Who We Are
- News & Events
All too often, the outcome of a termination or separation of an employee results in offensive or defensive litigation on behalf of the corporation. Also too often, critical electronic evidence that can be used to help defend or prosecute these matters is lost during the off-boarding process of that employee. One of the first things an employer does when they hire a new employee is issue them a laptop, desktop and smartphone to perform their job. However, from that point forward, we never audit those devices to see what the employee is actually doing. We trust that our internal or external IT departments can "see" everything that employee is doing on that computer device.
The fact is that most IT departments have very limited visibility into employee computer use. In addition, if the employees have the ability to browse free Web-based mail accounts such as Gmail, Hotmail, Yahoo, Roadrunner, etc., it is very likely that if they want to do bad things that they know their employer does not want them to do, they will use these communication services as opposed to the corporate Outlook email system. Add access to social media, instant-message chat programs such as Skype and AOL Instant Messenger, and you have employees that could easily send your critical business intelligence out of your corporate environment to their home or to a competitor.
When looking at the employee pool for any size business, it easily resembles the shape of the well-known bell curve. Twenty percent of your employees on the left end are your "knuckleheads," or underachievers; 20 percent of your employees on the right end are your "rock star/rainmaker" employees. In the middle of the bell curve is the remaining 60 percent of your employee pool. This group is your everyday employees who are presumably doing what you think they should be doing.
The combined 80 percent of your rock stars and everyday employees are the individuals within your industry that you should be most concerned about when it comes to cyberscurity. These are the employees who your competitors want to hire away. Every security professional will tell you that 70 percent of all data breaches or theft of intellectual property occurs from within your organization! It is always the employee who you least expect and have given the most trust, access and privileges that is performing nefarious activities while at work. You can't know what you don't know.
Fortunately, the power of digital forensics can be used in a variety of ways to help manage and mitigate risks and liability before one of the situations occurs. Countless corporations employ digital forensic investigators internally to protect their intellectual property and make sure employees are not putting them at risk. Departing employees who have been stealing information or communicating inappropriately will attempt to clean up and delete their tracks upon separation. Digital forensic experts are able to uncover deleted information, deleted-deleted email, Web-based email, files contained on removable storage devices such as USB and CD/DVDs and other critical evidence to discover the key facts pertaining to the situation. This is often game-changing evidence.
Typically during the off-boarding process, the IT department collects all computer devices issued to the employee. A file copy of some of the employee's data "may" be captured. The computer device is then formatted or wiped clean, a new corporate image is placed on the device and it is reissued to the next new employee. This process completely destroys the ability to forensically recreate what the employee was doing for the weeks or months leading up to their separation. By creating a digital forensic copy during the off-boarding process, companies can properly preserve all the deleted data and escrow their ability to forensically review the users' activity at a later date. A forensic-grade copy is much different than an IT file copy in that it captures all the deleted data on the hard drive for future analysis.
In addition to forensically escrowing copies of certain employees' devices upon separation, corporations can periodically forensically review employee devices as part of an internal audit program. By using the power of forensics to "see" user activity that the IT department typically cannot see - such as deleted data, double deleted email, Web-based email and USB file access activity - they can be sure they know what they need to know about what employees are doing with their data. This type of proactive forensic program can work as a test on corporate security policies and systems to be sure they are performing as designed.
Michael McCartney is president and CEO of Digits LLC. www.digitsllc.com