In recent years, employers have become increasingly vulnerable to resentful employees misusing or stealing electronic data. John Holden looks at how employers may be at risk and how they can protect themselves.

As more and more businesses rely on technology for essential processes, it is no longer enough for them to think only in terms of controlling access to physical documents.

Modern technology allows for the transfer and/or exchange of huge volumes of electronic data in a matter of minutes. Unfortunately, this means that a disgruntled or departing employee can easily destroy, steal or misuse valuable proprietary information. He/she may even choose to pass on commercially sensitive data to a competitor, leaving his/her former employer potentially exposed to a loss of profit and/or costly litigation.

The internal risk

Employees often wrongly believe that the work they do on their employer's computer and the information stored on it belongs to them. But in most situations the information and data stored on the computer belongs to the employer, even if personal in nature.

Some employees would not hesitate to remove business information using portable storage devices, such as memory sticks or even mobile phones, or by burning data to CDs or DVDs. If it is not possible to remove data physically, they might email it to a personal account, such as Hotmail or Yahoo.

Businesses sometimes find that a vindictive departing employee has deleted or destroyed data and, on occasion, gone to extreme lengths to wipe all information from a computer or other electronic device. There have even been cases where equipment has been physically damaged.

Prevention better than cure

Businesses can safeguard their electronic data by introducing and enforcing policies that cover:

  • information security
  • practical acceptable usage
  • custody and physical handling of electronic devices.

It is vital that all staff are aware of the requirements that these policies place on them.

When it goes wrong

The demand for forensic technology services grew largely out of the need to recover and rebuild computer records and data for use as evidence in criminal proceedings. Such capabilities are now becoming a necessity in employment disputes and commercial litigation.

The following two examples involve the misuse of data.

Cracking the case

Two company directors were discussing staff bonuses via email. Attached to the email was a Word document listing the proposed bonuses. The file was encrypted with a password known only by the two directors.

An IT manager saw the email and decrypted the Word document. Having read it, he approached one of the directors to express disappointment at his bonus payment compared to that of others.

Our Forensic Technology team examined the IT manager's computer and found that he had used password cracking software to access this information. The IT manager resigned shortly after the investigation.

Retrieving the rights

A software programmer was tasked to write a specific software program for resale to the human resources departments of medium and large companies. However, having realised the potential value of the program, the programmer destroyed and falsified records on his employer's computers so that it would look like he owned the rights to the software.

Our Forensic Technology team recovered data from the programmer's computer which revealed the fraud and protected the employer's rights to the intellectual property.

Initiating recovery

In both these cases, the immediate isolation and preservation of all electronic devices connected to the investigation was extremely important. No-one should be allowed to work on a computer that might contain valuable evidence as they could render the evidence unusable, even through their efforts to identify and preserve it.

Employees subject to investigation should not be allowed to access electronic information in case they attempt to destroy and/or alter evidence. If there is reason to believe an employee is hiding electronic devices and/or information at home or on other premises, an appropriate search and seizure order should be considered.

Bringing in the experts

Forensic technology experts operate as private investigators in cyberspace. They can retrieve data often deemed irrecoverable by other IT professionals, such as uncovering user profiles, deleted data (even data deleted by reformatting or overwriting a disk, or destroying the equipment) and records of web surfing. Bringing in experts at the initial stages of an investigation ensures the best chance of maintaining data integrity for evidential purposes.

When involved in an investigation, forensic technologists typically start by imaging (the process of making an exact duplicate) the hard disk drives to preserve the original data forensically.

Using a flexible approach and consultation at every stage, forensic technologists can ensure that only the most relevant work is completed during the investigation process, providing clients with the data they require to pursue their case successfully at a proportionate cost.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.