The employee will then offer a next employer this IP or will use it to start a competing business. Cases of IP theft have risen during the recession, which means organisations need to have in place sound employment contracts and policies which are routinely reviewed and can justify subsequent action to prove wrongdoing.
A company's electronically stored information (ESI) is likely to be stored in a variety of devices, all of which have the capacity to store large amounts of data. Laptop/PC's present the most obvious and frequently used method of data storage but employees are also utilising other means of data storage such as USB memory sticks, tablets, digital cameras, iPod/MP3 players and Smartphones, all which can pose serious difficulties for a company trying to ensure a secure environment.
Most employees will have easy access to one or many of these devices and used with the wrong intentions, are capable of breaching company policy and pose a potential security nightmare. Many cases of data theft occur when an employee leaves or plans to set up a rival business, taking with them important customer information and company sales data.
When an employee is suspected of wrongdoing it is likely that their computer will be looked at. A well-meaning manager or HR team member will typically ask their IT team to 'take a look' to retrieve the evidence of wrongdoing. Although the intention is genuine, most IT departments are not equipped with the necessary tools or expertise to perform intricate computer forensic examinations and extract this valuable evidence without compromising its quality. Even just a 'small poke around' can be enough to overwrite or destroy it, this in turn can then jeopardise the entire case. Imaging the hard drive is the first step. The computer must not be switched on.
This process of 'Imaging for Preservation' ensures that you have a copy of a hard drive stored for future investigation if needed. It also means that you can put an ex-employee's computer back into company circulation knowing that a complete copy of its history is available in archive. This can include scope for the covert imaging of a current employee's machine as a pre-emptive measure should you think that he or she may be currently engaged in wrongdoing.
Companies are now routinely performing this process for key positions/departments which are considered to be of particular risk to protect themselves against the following scenarios:
- An employee leaves, deleting company information that may be useful or 'mission critical' to the business
- An employee leaves and six months later starts a new business in competition and corporate clients start to defect.
- An employee is dismissed, claims harassment, bullying and unfair dismissal.
Employees are becoming much better informed of their rights and if the investigation is performed incorrectly then it is often the company that can be shown to be at fault and an employment tribunal could ensue. Should the results of your investigation be questioned by an employment lawyer, your company may easily find itself accused of evidence tampering, discrimination and wrongful dismissal.
It is vital to have a robust, well-communicated policy dictating the use of company systems, electronic devices and the transfer of company information making the necessary caveats governing the acceptable transmission of data.
It is equally important that the policy be continually updated to reflect changes in company technology, equipment and evolutions in the outside digital world. For example, the recent furore about compromised LinkedIn accounts raised questions about whose information was actually at risk: the individual LinkedIn account holder, or the company they work for. Training should be conducted on a suitably regular basis or when the policy is updated and must be documented thoroughly.
From a technical standpoint, the challenge arises as one attempts to balance the protection of sensitive business information whilst still providing employees with access to information required to fulfil their working responsibilities.
Companies should consider their readiness to deal with computer forensics investigations when faced with a potential case of IP theft. This involves having roles and responsibilities assigned internally; including ensuring someone is able to give authority to proceed with an investigation and who is allowed to communicate to questions from the media.
When faced with a data theft incident, employing the correct practices the first time are crucial in helping organisations to defend their position and protect what belongs to them. A small investment which equips key staff with the knowledge and understanding of how to respond to a relatively rare but complex situation could make all the difference to the outcome of your case.
Graham Jackson, business development consultant, Kroll Ontrack
