Digital forensic investigations into employee misconduct

What happens when an employee leaves your business? Are they taking sensitive data with them? What about if they have been fired or retrenched?

According to a recent survey from secure communications software brand Biscom, more than 1 in 4 respondents say they took data when leaving a company. Of those, 85% report they take material they have created themselves and don’t feel this is wrong, while 15% of respondents said they are more likely to take company data if they are forced out of their job. Of course, these are respondents who admit they’ve taken data. The real figures are probably much higher.

Why? When asked by Biscom, 95% of respondents said that this was possible because either their company did not have policies or technology to prevent data stealing, or that if companies did have policies in place, they ignored them.

In decades past, if an employee wanted to leave with data they would most likely need to Xerox hundreds of pages of sensitive data or client contact details.

Today, it takes only moments to copy enormous files into a Dropbox folder or on to Google Drive, not to mention simply emailing files to a personal email account. Taking files is nearly effortless.

With the Protection of Personal Information Act (POPIA) in full effect and customers expecting their sensitive data to be protected at all costs, businesses are increasingly paying attention to how they can keep external threat actors (aka hackers) out of their networks and systems. Unfortunately, employees are an equally big security hole – even if it’s not always deliberate.

Biscom’s survey paints a picture that we are very familiar with at Cyanre: although there are significant security risks that come from stealing data, a majority of survey respondents reported that they didn’t see it that way. Employees believed doing so was not malicious despite taking sensitive information – including customer lists, company strategy documents, and financial data – simply because they didn’t see how using that data was harming the company or customers. In fact, this may be one reason why data theft is so prevalent among employees – there’s no feeling of wrongdoing. The problem is that if that data falls into the wrong hands, there can be reputational, regulatory and competitive repercussions for the business.

Workplace misconduct

Unfortunately, workplace misconduct can take many forms, and is much more than simply taking sensitive data. Examples include the misuse of computers or internet access, media stalking, the misuse of social media channels, anonymous or harassing email communications, and of course, malicious actions by an employee who is leaving the company or who intends to do harm, and the theft of company data, including company secrets, IP or confidential information.

The role of digital forensics in identifying misconduct

At Cyanre, we regularly advise our clients to ensure that they have proper digital separation policies in place that digitally preserve an employee’s digital accounts and footprints, and ensure that all data is erased from any personal devices.

However, it is also important to be able to track employee activities if there is any suspicion of misconduct.

Digital forensic investigations can identify employee misconduct and possible culprits, detect the source of lost funds, as well as help recover losses.

It’s important that businesses do not undertake these investigations themselves. Digital forensics is a specialised industry that requires digital forensic as well as legal expertise – workplace investigations can provide a solid defence to legal challenges raised by dismissed or disgruntled employees if conducted appropriately. If data has been stolen – and potentially released or handed over to competitors – this becomes particularly important.

Let’s review what an investigation of this nature would entail.

  1. Collecting digital evidence

The collection of digital evidence is one of the most important initial steps in an investigation. Having a reputable computer forensic investigator involved in the early stages of an investigation can avoid jeopardising data, and ensure a defensible outcome, which means that the evidence can be used in a legal case and is admissible in court.

Securing this data as soon as possible is crucial – particularly if a system has been compromised. An investigation will track which devices are relevant to the investigation and data will be preserved by creating a read-only forensic image. This will include servers, desktops and laptops, cloud storage, mobile phones, tablets, iPads, and portable thumb drives and hard drives.

It’s critical to understand that this data isn’t only what you see – it includes any data that has been deleted by the user and any cyber activities they have taken. This is the core of digital forensics – uncovering exactly what has happened in a system and any actions taken, which is why it’s so important to track and preserve devices.

Backup copies or ghost images, which IT personnel often generate, are not true forensic images. While these backups are critically important to perform for the purpose of data recovery, they only contain current data that the user can ‘see’ and not the digital forensic data required to piece together the entire puzzle of actions taken and which data has been created and deleted.
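To make the difference between a logical backup and a forensic image concrete, here is an added Python illustration that is not part of the original post and not Cyanre’s tooling. It builds a constructed toy “disk” (a byte array with a tiny directory table; not a real filesystem format), “deletes” a file the way most filesystems do (by clearing the directory entry and leaving the data sectors untouched), and then shows that a logical copy no longer sees the file while a bit-for-bit image still contains it and can be verified against its SHA-256 hash.

```python
from __future__ import annotations

import hashlib
import struct

# Constructed toy "disk": 8 sectors of 512 bytes. Sector 0 holds a directory
# table of fixed-size entries; the remaining sectors hold file data.
# This is an illustration only, not any real filesystem layout.
SECTOR = 512
DISK_SIZE = 8 * SECTOR
DIR_ENTRY = struct.Struct("<B11sHH")  # in-use flag, 11-byte name, start sector, length
DIR_SLOTS = 4


def new_disk() -> bytearray:
    return bytearray(DISK_SIZE)


def write_file(disk: bytearray, slot: int, name: str, data: bytes, start_sector: int) -> None:
    """Store file bytes in a data sector and record it in the directory table."""
    offset = start_sector * SECTOR
    disk[offset:offset + len(data)] = data
    DIR_ENTRY.pack_into(disk, slot * DIR_ENTRY.size, 1, name.ljust(11).encode(), start_sector, len(data))


def delete_file(disk: bytearray, slot: int) -> None:
    """Like most filesystems: deletion clears the directory entry, not the data."""
    disk[slot * DIR_ENTRY.size] = 0


def logical_copy(disk: bytearray) -> dict[str, bytes]:
    """What an ordinary backup captures: only files the directory says exist."""
    files = {}
    for slot in range(DIR_SLOTS):
        flag, name, start, length = DIR_ENTRY.unpack_from(disk, slot * DIR_ENTRY.size)
        if flag == 1:
            files[name.decode().strip()] = bytes(disk[start * SECTOR:start * SECTOR + length])
    return files


def forensic_image(disk: bytearray) -> tuple[bytes, str]:
    """Bit-for-bit copy of the whole disk plus a hash recorded at acquisition time."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, recorded_digest: str) -> bool:
    """Re-hash the image later (e.g. before analysis or in court) to prove it is unchanged."""
    return hashlib.sha256(image).hexdigest() == recorded_digest


def carve(image: bytes, marker: bytes) -> list[int]:
    """Search the raw image, including unallocated space, for a known signature."""
    offsets, i = [], image.find(marker)
    while i != -1:
        offsets.append(i)
        i = image.find(marker, i + 1)
    return offsets


def demo() -> dict:
    disk = new_disk()
    # Constructed sample content; the "client list" is the file that later gets deleted.
    write_file(disk, 0, "clients.csv", b"CLIENTLIST,Acme,Bob@example\n", 2)
    write_file(disk, 1, "notes.txt", b"meeting notes", 3)
    delete_file(disk, 0)

    backup = logical_copy(disk)              # the deleted client list is gone here
    image, digest = forensic_image(disk)     # but its bytes are still in the raw image
    return {
        "backup_files": sorted(backup),
        "carved_offsets": carve(image, b"CLIENTLIST"),
        "hash_verifies": verify_image(image, digest),
        "tampered_verifies": verify_image(image[:-1] + b"\x01", digest),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `verify_image` step is the chain of custody: the hash taken at acquisition is what lets an investigator later demonstrate that the image analysed is the same one that was collected, which is what “defensible” means in practice.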

  2. Reviewing email evidence and collaboration platforms

Emails are still the main form of communication in the workplace, but more and more workforces are relying on team chat channels and collaboration platforms such as Zoom, Teams and Slack. This data is stored across multiple devices including computers, laptops, tablets, mobile phones, workplace servers and the cloud (particularly when we talk about collaboration platforms). Digital forensics identifies and extracts existing emails, deleted content and can track entire chats through collaboration communication channels.

  3. Collection of data

Once all relevant data has been identified and secured, software tools are used to analyse and extract data relevant to the investigation. This recovery of data includes the retrieval of images, documents, emails, chat logs, text messages, WhatsApps, social media and internet usage history and even call logs. This data includes when documents were created, altered or deleted, as well as any devices that have been connected to a computer or laptop.
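As an added example of the “which devices have been connected” part of the analysis (not from the original post, and not Cyanre’s tools): a Python parser over constructed Linux kernel log lines in the standard dmesg/syslog format that reconstructs USB mass-storage plug-in sessions, with vendor/product ids, product name, serial number and connect/disconnect times. The hostname, ids and serial below are made up for the example; on a real system the same message formats come from the kernel log, and a non-storage device (a keyboard) is included to show that the filter keeps only storage devices.

```python
import re

# Constructed sample kernel log lines (syslog/dmesg format). Hostname, ids and
# the serial number are invented for this example.
SAMPLE_LOG = """\
Mar  3 08:58:10 ws-17 kernel: usb 1-3: new low-speed USB device number 4 using xhci_hcd
Mar  3 08:58:10 ws-17 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar  3 08:58:10 ws-17 kernel: usb 1-3: Product: USB Keyboard
Mar  3 09:14:02 ws-17 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Mar  3 09:14:02 ws-17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  3 09:14:02 ws-17 kernel: usb 1-2: Product: Cruzer Blade
Mar  3 09:14:02 ws-17 kernel: usb 1-2: SerialNumber: EXAMPLE0001
Mar  3 09:14:03 ws-17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar  3 09:31:45 ws-17 kernel: usb 1-2: USB disconnect, device number 5
"""

# Outer syslog line: timestamp, host, "kernel:", message.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<msg>.*)$")

# Kernel messages of interest, keyed by the USB port path (e.g. "1-2").
PATTERNS = [
    ("connect", re.compile(r"^usb (?P<port>[\d.-]+): new .* device number (?P<num>\d+)")),
    ("ids", re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>\w+), idProduct=(?P<pid>\w+)")),
    ("product", re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<product>.*)$")),
    ("serial", re.compile(r"^usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")),
    ("storage", re.compile(r"^usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")),
    ("disconnect", re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")),
]


def usb_device_timeline(log_text: str, storage_only: bool = True) -> list:
    """Rebuild per-device plug-in sessions from kernel log lines, in log order."""
    sessions = []        # every session seen, in order of connection
    open_by_port = {}    # port path -> session that is currently plugged in
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        for kind, pat in PATTERNS:
            pm = pat.match(msg)
            if not pm:
                continue
            port = pm.group("port")
            if kind == "connect":
                sess = {"port": port, "connected": ts, "disconnected": None,
                        "vid": None, "pid": None, "product": None,
                        "serial": None, "mass_storage": False}
                open_by_port[port] = sess
                sessions.append(sess)
                break
            sess = open_by_port.get(port)
            if sess is None:
                break  # event for a device whose connect line is missing (e.g. log rotation)
            if kind == "ids":
                sess["vid"], sess["pid"] = pm.group("vid"), pm.group("pid")
            elif kind == "product":
                sess["product"] = pm.group("product")
            elif kind == "serial":
                sess["serial"] = pm.group("serial")
            elif kind == "storage":
                sess["mass_storage"] = True
            elif kind == "disconnect":
                sess["disconnected"] = ts
                del open_by_port[port]
            break
    if storage_only:
        sessions = [s for s in sessions if s["mass_storage"]]
    return sessions


if __name__ == "__main__":
    for s in usb_device_timeline(SAMPLE_LOG):
        print(f"{s['connected']} -> {s['disconnected']}: {s['product']} "
              f"({s['vid']}:{s['pid']}, serial {s['serial']}) on port {s['port']}")
```

Correlating the connect/disconnect window of a storage device with file modification and access times from the same period is what turns a bare “a USB stick was plugged in” into evidence about which documents could have been copied during that window.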

How we can help

If you have critical staff leaving your organisation or you need to exit a critical person, contact us to assist you with conducting it safely and securely.
