Consider this scenario: You’re the CEO of an up-and-coming firm that helps manufacturers boost operational efficiency and performance. Thanks to your unique technology and processes, your business has thrived in recent years, landing significant accounts. However, last month, your leading sales manager, three top salespeople, and two key engineers left for a competitor.
And, perhaps not coincidentally, a major business opportunity you’ve been pursuing for a year fell into your competitor’s lap—an achievement attributed to your former team. You strongly suspect these departing employees took sensitive company documents, including client lists, pricing guides, contracts, and engineering plans. But how can you confirm this suspicion? In this article, we’ll explore potential issues around employee separation and discuss how a digital forensics specialist can assist.
Understanding Employee Separation:
Employee separation is inevitable for all that work within any organization. While most departures occur amicably, there are situations where employees take sensitive company information with them. This action poses a significant risk to the organization, potentially exposing confidential client lists, contract pricing, engineering documents, and other intellectual property. It could also lead to the leakage of sensitive corporate strategies and forthcoming business initiatives. It’s therefore crucial for companies to proactively address these issues.
Ideally, companies implement robust information governance policies and use a document management system that substantially limits the release of sensitive information. Yet, most small-to-medium-sized businesses lack the resources to employ these safeguards. In such cases, it’s critical to determine what company information may have been taken by a departing employee.
Leveraging Digital Forensics to Uncover Misconduct:
Digital forensics specialists, like those at Data Narro, are uniquely qualified to preserve, collect, and examine information. Utilizing specialized forensics tools, they can often reveal activities indicating miscount or theft of company data.
Below are some activities that we can detect, document, and validate. Our work follows established principles, ensuring our findings are accurate, defensible, documented, and admissible in court should it become necessary.
Document Access History: Digital forensics analysts can use the logs most operating systems keep to determine when files have been created, modified, opened, and moved. (What would you think if your employee generated and exported a client list from your CRM to his local workstation on his last day of work?)
Network Access History Analysis: By examining the departing employee’s network access history, unusual patterns or unauthorized activities can be detected. This includes monitoring file transfers, remote logins, and access to restricted network areas. Did your employee access Sharepoint and download the entire sales strategy folder? (What would you think if your employee downloaded an entire directory of sensitive contracts before he left?)
External Storage Usage: The operating system logs every time an external storage device is connected to a computer. We can identify specific drives connected to the computer and when. (What if you saw a massive transfer of documents to an external thumb drive in the days leading up to his resignation?)
Cloud Storage Activities: We can examine any interactions with cloud storage services to get a general sense of how the service was used by specific accounts. (What if you noticed the installation of DropBox and a subsequent flurry of activity on the day the employee quit?)
Internet Browsing History Examination: Reviewing the departing employee’s internet browsing history can illuminate any attempts to access unauthorized websites or platforms. (You would be surprised about how openly some employees use company time and resources to find a new job.)
Reviewing Text Messages and Email Communications: Analyzing text messages, instant messaging conversations, and email communications can identify discussions about misappropriating company documents. (Again, you might be surprised at how brazen employees can be when discussing their plans to bring information and other employees to a competitor, and the financial compensation they expect to receive.)
The User Activity Report:
Sometimes it’s a pattern of behavior, rather than a single obvious act, that suggests an employee has stolen company information or shared it with potential future employers. Data Narro can provide attorneys and companies with a “User Activity Report,” a comprehensive account of a user’s activities over a specific timeframe, including everything mentioned above and more.
Collaborating with Attorneys:
During the digital forensics investigation process, the involvement of an employment law attorney is critical. They ensure the investigation meets all legal requirements and privacy regulations, and can advise on the appropriate course of action based on the evidence collected. If strong evidence of misappropriated information is found, both parties can collaborate on a remediation plan.
Conclusion:
Employee separation can pose significant risks to companies, particularly when sensitive documents are taken without authorization. To manage this issue, digital forensics specialists provide crucial expertise in investigating and uncovering the actions of departing employees. Involving an attorney ensures compliance with legal requirements. The valuable information provided by forensics analysis can provide a company with evidence of misdeeds, providing them the leverage required to retrieve senstive documents and minimize risks to the organization.