Insider Threats: Using digital forensics to prevent intellectual property theft

Bachir El Nakib

Don't let departing employees leave with valuable intellectual property. Use digital forensics in daily workflows before they resign and in exit interviews to prevent IP theft rather than potentially be involved in litigation after they're gone.

A friend of mine, who holds a senior role for a well-known software company, asked my opinion about an HR matter. The company was in the process of firing an employee for cause, but it suspected that he might also take, or already had taken, intellectual property (IP) from the business. Given that IP is the lifeblood of a software company, this was obviously a concern. I said that the company could use digital forensic methods to review the employee's computer or device to see if he's walking out the door with company data, and that it was easier to tackle this before he leaves. My friend took this message to the company's leadership team. An interesting — yet possibly short-sighted — message came back: "We trust our employees not to take company data with them when they leave."

President Ronald Reagan, while discussing U.S. relations with the Soviet Union, famously would quote the Russian proverb, "Trust, but verify." When it comes to retaining valuable intellectual property, organizations would do well to use that proverb as a mantra.

Common methods employees utilize to remove IP

In July 2015, the FBI, in collaboration with the National Counterintelligence and Security Center, launched a campaign to educate businesses and industry leaders about protecting trade secrets and intellectual property. The campaign focuses on external threats from foreign threat actors engaged in corporate espionage, but it also highlights the need to develop insider-threat programs.

Studies show that half of departing employees leave with confidential company information — either deliberately or unintentionally. According to the 2016 Verizon Data Breach Investigations Report and the 2015 Clearswift Insider Threat Report, several factors motivate employees who deliberately keep company IP, but financial gain is the most common.

Typical IP includes:

  • Customer information.
  • Business plans.
  • Operational information.
  • Staff information.
  • Trade secrets.
  • Proprietary software.

Most organizations now store this type of IP electronically, and employees access it with company or personal digital devices. Therefore, investigation teams must have access to — and training in — enhanced digital investigative methods and tools. Because most fraud examinations focus on establishing if, and how, someone did what they're suspected of doing, they must learn fraudsters' common methods to remove sensitive information:

  • Personal webmail accounts, such as Gmail or Yahoo.
  • Portable storage media; USB flash drives are the most common.
  • Instant messaging programs (including social media programs such as Facebook and LinkedIn).
  • Cloud storage such as Dropbox or iCloud.
  • Secure websites.
  • Accessing corporate systems via remote sessions.
  • Personal devices (allowed by "bring your own devices" policies).
  • Email exchanges between work accounts and secondary email accounts.
  • Taking pictures of IP with personal phones or cameras.

You can significantly reduce the risk of data exfiltration or leakage by using digital forensic practices during corporate investigations and exit interviews. These practices include techniques and tools designed to capture, analyze and evaluate digital data as evidence, and to establish whether something happened, what happened, when it happened, who caused it or was involved, and the evidence that proves it.

Before we go any further, I recommend that you first consult your legal counsel before you institute any digital forensics procedures to monitor your employees. (See the section, "Five considerations before investigating an employee's digital activity" below.) Of course, any investigation that you conduct on an employee might result in legal action and potential litigation. You might have to testify in court, so communicate your actions with other stakeholders involved and document everything.

Organizations are now seeing the value of embedding these practices into their daily workflows. They're using them proactively to prevent IP theft rather than potentially be involved in litigation after the fact. In-house forensic staff or external companies can assist with HR, security and privacy needs prior to — or even during — exit interviews to quickly analyze data before staff members leave for good.

How to use digital forensic practices

Following are practices that you can incorporate into your everyday work routines.

Data preservation

To ensure that evidence isn't permanently deleted, companies can periodically image the systems and devices of employees who have access to company IP. This safeguards any evidence, which might be required at a later date.

Real-time review

Exit interviews help you learn why employees are leaving and find ways the company can improve. However, you can also use them to help determine if departing employees might have taken company IP with them. HR staff can ask questions to learn more about where employees kept company data and if they took it home — and, if so, on what devices and when. While the interview is being conducted, and if warranted, digital forensic practitioners can discreetly review the employees' company-owned device(s) — or personal devices, with a warrant — to look for any indicators of IP theft. (Check with your legal counsel to determine limits in your jurisdiction.)

In-depth analysis

If an organization discovers that an employee has left with company data, it can use digital forensics to determine when they took it, how they stole it, who they might have shared it with and other important elements. Digital investigators can then cross-reference areas of evidence and build a timeline of the facts.

We recently worked an investigation in which a company suspected a senior employee of some wrongdoings. The company fired him, and he returned his laptop two days later. We looked for evidence of the company's suspicions. To our surprise, we discovered that the suspect had forensically wiped the laptop prior to returning it to the company. If the company had periodically preserved the data on the laptop and then performed a real-time review during the termination process, it might have ensured that any evidence was protected and available for investigative purposes.

What can you do?

As a fraud examiner you should be an integral part of this process. Your input and expertise are vital because you might see different patterns and suggest other methods, which could help examine broader fraud matters in your organization.

A good starting place is to look for behavioral clues that someone who is likely to remove or copy IP from the company might exhibit. One of our clients recently told us that an employee — suspected of leaking IP to a third party — had been exhibiting odd behaviors for some time, but it didn't take any action. The FBI provides some of the more common behaviors to look for in employees:

  • Take proprietary information home via thumb drives or email without authorization.
  • Inappropriately seek or obtain proprietary or classified information on subjects not related to their work duties.
  • Are interested in matters outside the scope of their duties — particularly those of business competitors.
  • Remotely access the computer network while on vacation, sick leave or at other odd times.
  • Disregard the organization's computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches or downloading confidential information.
  • Work odd hours without authorization, or are notably enthused about overtime or weekend work or unusual schedules when they can easily conduct clandestine activities.

If our client had acted upon its suspicions earlier, the company would've saved time and resources in launching a full investigation and pursuing civil litigation.

Spend some time with your organization's IT department to understand the variety of devices and systems it issues to employees. Learn about the technology controls in place, and the information your organization keeps and for how long. Does it have retention policies for computer usage? Does it keep log files? If so, how long?

Help build the who, what, why and when:

  • Who has access to proprietary company information? Who do you suspect is taking data?
  • What information do they have access to? What avenues do they have to take company data? For example, does the company allow the use of USB storage devices?
  • Why would someone take company data with them? 
  • When do you think this happened? (Employees most often begin to take company data a month prior to leaving.)
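The "in-depth analysis" step above calls for cross-referencing evidence sources and building a timeline, and the FBI indicators and the who/what/when questions point at removable media, odd-hours activity and the month before departure. The following added example (my own illustration, not code from the article or its author) does exactly that over two constructed log exports: it merges a USB-connection log and a file-access log for one user, keeps only the pre-departure window, and flags odd-hours events and file copies that closely follow a USB connection. The log format, user names, device serial and file names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log exports (not from the article), normalised to "timestamp|user|event|detail".
USB_LOG = """\
2016-03-28 22:41:00|jdoe|usb_connect|SanDisk Cruzer serial=CONSTRUCTED-001
2016-04-09 06:05:00|jdoe|usb_connect|SanDisk Cruzer serial=CONSTRUCTED-001
"""
FILE_LOG = """\
2016-03-02 09:20:00|jdoe|file_copy|pricing_2016.xlsx -> removable drive E:
2016-03-28 22:43:00|jdoe|file_copy|customer_list.csv -> removable drive E:
2016-04-09 06:07:00|jdoe|file_copy|source_bundle.zip -> removable drive E:
2016-04-08 14:00:00|asmith|file_copy|onboarding.docx -> local profile folder
"""

@dataclass
class Event:
    when: datetime
    user: str
    kind: str
    detail: str
    flags: tuple = ()

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, kind, detail = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, kind, detail))
    return events

def build_timeline(events, user, last_day, window_days=30, work_hours=(8, 18), link_minutes=10):
    """Chronological timeline for one user within the pre-departure window (copying usually
    starts about a month out), flagging odd-hours activity and copies that closely follow a USB connect."""
    end = datetime.fromisoformat(last_day) + timedelta(days=1)  # keep the whole last working day
    start = end - timedelta(days=window_days)
    timeline, last_usb = [], None
    for ev in sorted(events, key=lambda e: e.when):
        if ev.user != user or not (start <= ev.when < end):
            continue
        flags = []
        if not (work_hours[0] <= ev.when.hour < work_hours[1]) or ev.when.weekday() >= 5:
            flags.append("odd_hours")
        if ev.kind == "usb_connect":
            flags.append("removable_media")
            last_usb = ev.when
        elif ev.kind == "file_copy" and last_usb and ev.when - last_usb <= timedelta(minutes=link_minutes):
            flags.append("follows_usb_connect")
        timeline.append(Event(ev.when, ev.user, ev.kind, ev.detail, tuple(flags)))
    return timeline
```

Running `build_timeline(parse_log(USB_LOG) + parse_log(FILE_LOG), "jdoe", "2016-04-11")` drops the March 2 copy (outside the 30-day window) and returns four flagged events: two late-night and early-Saturday USB connections, each followed within two minutes by a copy to the removable drive.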

Five considerations before investigating an employee's digital activity

The tools and methods for conducting internal investigations are usually well-defined, but you should be aware of the grey areas of examining employees' digital activity or use of the organization's network. Take these steps first:

1. Get permission from the organization

The organization might suspect foul play and has asked you to investigate an employee's digital footprints, but you must fully understand what's permissible before you do anything. Just because the staff member allegedly was using a company asset, that doesn't always translate to an open invitation to review everything they've been doing.

Before you begin your investigation, obtain a formal request from the organization and an appropriate sign-off from management, ensure HR is involved and keep all communication relating to the request. Again, keep legal counsel involved from the outset because the matter could end up in court, and you'll need to prove everything you did and why.

2. Check company policies

Familiarize yourself with organizational policies and procedures. Focus on those that detail what an employee is allowed to do — and more importantly, not do. What material deals with activity monitoring or reviews? Have all employees — and specifically the one you're investigating — read the policies, participated in awareness training and signed off on their understanding?

3. Determine compliance requirements

Depending on the business of your organization, you might find you're obligated to obey a rule that might either limit your ability to directly review activity or put your company's compliance status at risk should you proceed.

Several of the more common compliance frameworks are focused on security, so you might want to meet with your information security teams. If your organization has a risk-and-compliance function (or similar), they might be able to highlight any areas of concern.

Check to ensure your review doesn't compromise the organization's good standing. If the employee's role grants them privileged access to highly confidential data such as payment card numbers, personally identifiable information or financial information, there's a risk that your activities might result in compliance issues. For example, you might locate payment card and transactional data and duplicate it to present as evidence. That action, while well intended, might be in contravention of a policy or control that you've agreed to adhere to because you're moving the data outside of a controlled environment.

Check to see if the employee had access to federally classified data. If that's above your clearance level, you might need to call in someone with appropriate credentials to handle that data. You might not intend to review any of that data, but you might ruffle feathers if you just request a copy of it or the access to the system that holds it.

4. Check privacy laws and legislation

Don't jeopardize the validity of your findings. Consider local, regional and national privacy laws and legislation before beginning any employee fraud examination. Legislation is usually relevant to the location in which the work is being performed. For example, if your main office is in Toronto, Canadian privacy law won't necessarily apply if you're reviewing employee user activity in your Germany regional office. The German Bundesdatenschutzgesetz (BDSG) — a federal data protection act — has strict guidelines on what an organization can and can't do with employee data contained on work systems (including the transferring of any data outside of national borders).

5. Focus the scope of the investigation

Clients often ask us to find "anything of relevance," but we don't readily agree to that request without first knowing the facts. For example, if a staff member is leaving an organization and it believes they might have stolen confidential intellectual property, then it can determine the exact digital forensic methods and tools it needs to use to determine what they did and how they did it.

Network and system logs will show general activity; an in-depth forensic review of the systems and devices the employee used could provide a granular view of what they did. Sounds like great news? Beware of the challenges. Your review could take weeks or months if you look at everything the employee did. It could also take you down a path that has nothing at all to do with the original request.

Have a rationale for everything in your fraud examination, and be clear on the evidence you seek. For example, in an intellectual property theft case you ideally want a list of the data the employee is suspected of removing and the time period in which they allegedly stole it. If the data is vast and is just contained in one mode — such as a database, a spreadsheet or an email file — learn the common terms, phrases or language it could contain and the time frame surrounding those terms.

Knowing all of this will speed up the examination, help your legal counsel know that you aren't embarking on a witch hunt (which can be a common argument by the defense in legal proceedings) and let you discover the facts more effectively. If you believe the organization's scope is too broad, collaborate with management to explain why you need to focus on a defined list of objectives.

Trusting and verifying minimizes IP loss

Place proactive programs like this in the center of corporate culture; adapt security, acceptable-use policies and other related policies accordingly. Be transparent and let employees know that the organization is monitoring their systems and might deeply examine their activity when they're on their way out. Simple steps like these can help you switch your investigative posture from post- to pre-incident and therefore limit the needed resources for any civil litigation.

This takes us back to Ronald Reagan's quote at the beginning of this article: "Trust but verify." Placing trust in your employees attracts and retains talented individuals and, of course, encourages a positive and collaborative corporate culture. However, even though organizations can misuse these digital forensics practices as "big brother" monitoring tactics, you must verify that important and often privileged information isn't walking out the door with your resigning employees.

Ryan Duquette, CFE, CFCE, is the founder and partner of Hexigent Consulting Inc. in Oakville, Ontario, Canada. His email address is: ryanduquette@hexigent.com.