How employees can steal your sensitive data and try to mask the theft

You and your team have data that must be protected

No matter your industry, you likely have information somewhere, be it a smartphone or laptop, that is sensitive. Maybe it’s credit card transaction data, perhaps it is client contracts or applications, maybe it’s something as simple as a confidential document shared casually between coworkers.

What happens if one of your employees leaves and takes your entire client list or attempts to cover up mistakes by altering documents? The good news is that all of this can be traced.

To find out how, we talked with Chuck Snipes, a computer forensics examiner at DSi, one of the nation’s leading providers of advanced electronic discovery and digital forensics services. As a former cybercrime detective and consultant in outside investigations and criminal cases, he often serves as a testifying expert witness and has extensive experience in cybercrime investigations, digital evidence and data recovery.

In his own words below, he will explain why not even deleted documents are unrecoverable, how forensic specialists like him find altered data, and how to handle the tricky topic of employees using their own devices at work:

Anything typed can be recovered

Did you know that almost anything you – or your employees – type on a computer or device can be recovered? Sure, you can delete files, but digital forensic experts can retrieve fragments of documents and use them to reassemble the information. Scary, right?

It’s not always a bad thing. For example, sometimes employees take confidential information – such as contact lists, accounting spreadsheets with proprietary formulas or organizational documents – with them to a new job. As a worried business owner, you can rest assured. That information is often retrievable, even if the former employees rename or hide the documents, and it makes for sound evidence in court.

So, what do you need to know to safeguard your company’s data? Let’s take a look.

What ways can data be altered or deleted?

• The most common attempt to get rid of information is to rename a data file or change the file extension (i.e., from .doc to .jpg).
• One can also alter data by compressing the file and password-protecting it, which renders the file almost impossible to access without the password. Key word: almost.
• Those who are more technology-savvy might alter data by embedding text in a string of data or using encryption software.
• Regarding deletion, many think that emptying the recycle bin on their computers permanently discards unwanted data. That’s not actually the case. Even if you run a deletion program, data may be retrieved, especially if your company keeps a log of emails and data at the server level to retain a trail of communications.

How can digital forensic specialists find the altered or deleted data?

• Computer forensic consultants use a combination of sophisticated hardware tools, software programs, training and experience to retrieve and unlock data, including password-protected files.
• Even if users try to overwrite files on a hard drive, some fragments of the file may remain at other locations on the drive. Experts can take apart a forensic image of the drive and identify file fragments to reassemble the information.
• A lot of information is stored in computers, and forensic professionals can usually see what a computer was used for, when it was used, what documents were accessed and when, as well as changes to the metadata (such as the title, subject or authors).
• When a file is deleted, many people think it’s gone forever. It’s not. What’s erased is merely a pointer to the files, which tells the operating system to no longer include that information in file listings that the user sees. The content still exists on the hard drive until it is overwritten. This is also often true for items on mobile devices, like text messages.
• If a wiping program is used, it still can’t account for backup services, so forensic specialists can use software to detect if these wiping programs were installed and/or used. If so, backed up copies of the deleted file can be accessed.
• Even if the device is protected by thumbprint, forensic professionals can often access the corresponding iCloud account through legal process. The account typically has copies of everything.

What steps can you take to prevent employees from taking information with them when they leave your company?

• Create a written agreement that lists the owner(s) of the data and provides guidelines for what data can and cannot be taken by an employee.
• Be selective on who is granted permission to company data – and segregate your data for different levels of access privileges. Keep a detailed log in place that includes who accessed which computer or device, what was done while using the device, when it was done and more.
• Put written security guidelines in place that detail how data is to be stored and transmitted. Don’t forget to include guidelines for portable items that contain data, such as USB devices, laptops and smartphones.
• Create and enforce an information governance (IG) policy, outlining what data to preserve and how to maintain it. Your IG policy should also specify a defensible deletion process for the data you don’t need. Information can’t be stolen or mishandled if you don’t have it, so don’t collect and retain sensitive information that you don’t need.

Can employers collect business information accessed by employees via personal devices, and vice versa?

• Employers have the right to see what is on company devices. Yet, if a company wants to access personal information on company computers, it’s best to consult with an attorney before taking any action. To avoid complications, many businesses implement a policy that states there should be no expectation of privacy for anything accessed via a company-owned device.
• Company information on personal devices can be accessed by the company, too. And many businesses have employed a specific policy for dealing with the Bring Your Own Device (BYOD) phenomenon.

How can companies manage BYOD issues?

• Implement a data ownership policy that fully discloses company procedures and ramifications. For example, implement a policy that all devices must be controllable from within the organization. This grants the employer the right to monitor employees’ activities on the device, and it ensures that, should a device be stolen or an employee terminated, the IT department can remotely lock or wipe the device.
• Allow only devices that will actually be used for company purposes to connect to the corporate network.
• Ensure that all devices granted access to the corporate environment meet established security and policy requirements. For example, companies may require that portable hard drives or flash drives be inspected before leaving the premises to make sure no company data is removed from the building.

Creating and implementing a well-documented strategy for maintaining confidential information and having technological safeguards in place will make it much harder for an employee to steal data. In the event that an employee is able to sneak out data, the right logging and backup systems will enable forensic personnel to prove theft. When used as evidence in court, the proof of a theft may allow for retrieval of the information and sanctions against the person(s) who stole it.

The takeaway

Chuck Snipes outlines above the sensitive nature of data, and highlights just some of the ways experts like him can prove theft. If you suspect a former employee is or has accessed, altered, or taken data, you’ll need to call in the experts. Contact Chuck at DSi to find out how they can strengthen your position and keep your data safe.

Remember that everything typed, saved, altered, transferred, or deleted, isn’t gone forever – forensics experts know how to find it.

#DeletedData