by Warren Kruse & Collin Miller - Altep
on September 15, 2016
Cyber Security & Data Privacy
ECA & Investigation
Legal & Industry Education
It might be difficult to count the number of eyes that see your company's most sensitive and critical information on a daily basis. Often, access to that data is a necessary part of your employees' day-to-day work. The thought is unsettling, but there is a real threat that people inside your organization will take this knowledge with them to their next roles at competing organizations. So if you're not sure whether employees may be abusing their access to crucial company data, now is the time to get on top of it.
Fortunately, regular data analysis can help you identify leaks and prevent their consequences from coming to fruition. Here’s how your legal and compliance teams can get ahead of the risk.
According to CERT (and detailed in this book), more than 40 percent of insiders who stole IP took it from their current employer to a new employer that competed with the old one. Additionally, in the 2014 US State of Cybercrime survey, 46 percent of respondents said electronic crimes perpetrated by insiders were more damaging to their organization than crimes committed by outsiders.
It isn’t just disgruntled employees who may hold onto sensitive information. Regardless of whether their motive is payback or simple career advancement, it’s important not to let your emotions run rampant in the event of a current or former employee’s data theft. You need to represent your company strongly, without becoming distracted by your own sense of unease with the circumstances. Don’t be offended; just be defensive.
Similarly, be careful to avoid tunnel vision in identifying risks. Both intentional and inadvertent data breaches can happen anywhere—including where you least expect it. Take employees’ reports of potentially suspicious activity seriously—even if they seem unlikely—and use due process to investigate them thoroughly.
For example, back in 2001, an employee at Lucent Technologies reported that a couple of their coworkers were “acting suspiciously.” The warning was vague, but Lucent took it seriously and began an investigation. Ultimately, they discovered that the employees in question had formed their own company—ComTriad—and were using stolen intellectual property from Lucent to develop their flagship software. They were ultimately indicted for their cybercrime.
Investigating a potential internal threat doesn’t need to stir a panic—in fact, it should be quite routine.
A proper departed employee protocol (DEP) often includes archiving a former employee’s data after collecting it from their devices. This is sometimes part of an e-discovery protocol, as well, as the data may be important in the event of eventual litigation.
Fortunately, much of this analysis can be performed in the same software your legal team uses for e-discovery. If your organization is familiar with this technology already and can plug into existing information governance and e-discovery protocols, you have a leg up.
As a preventive measure, you might consider including an analysis of recent activity in DEPs for those who had access to key information or intellectual property. This audit could examine recently accessed files and the connection of portable drives to the employee's computer; both can be indicators of suspicious activity, and the two together, in the final days of tenure, are far stronger evidence than either alone.
While traditional e-discovery is focused on culling data down to get to the meat of a known matter more quickly, early-stage internal investigations benefit from a broader approach. It's important to adopt the appropriate mindset during an investigation. Often, the information that rips open a conspiracy is found in small details, such as metadata (for example, "last accessed" dates).
Put simply, investigations are about opening the aperture of your perspective and looking at many different types of data; e-discovery is about zooming into the data that matters most from the get-go. In that respect, it’s also important to look at many sources of data holistically.
We recently worked on a case in which we were helping our client investigate an employee for known bad acts. The subject was using multiple accounts and aliases to communicate about his behavior. We knew his name, but we didn’t learn his “BigDaddy” username until we dug deeper—and we would’ve missed it had we not started with a bird’s-eye, analytical view.
Opening your aperture requires getting creative to make sense of the noise. Try letting forensic artifacts guide you to a starting point by, say, zeroing in on a piece of IP whose last accessed dates indicate a strong interest on the part of a recently departed employee, at the very end of his tenure. From there, let analytics open the conceptual lens for you.
For example, another of our team’s recent projects involved working with a client to investigate conspirators in their organization who were suspected of engaging in insider trading. We examined their data for clues related to this activity, but were coming up empty. The client’s team had identified email conversations between the people involved, but a team of reviewers had looked at everything and had never been able to identify anything suspicious. We tried again, using analytics to see what the software might find that human eyes couldn’t.
After concept searching with language that described stock exchange scenarios, we discovered that the employees were speaking in code. One would frequently send the other emails inviting him to his child's upcoming birthday party. When the recipient declined the invitation, he'd ask what gift amount would be appropriate instead. The suggested amount indicated the number of shares to purchase: if the first conspirator replied asking for $35, then 3,500 shares would move the next day. It turned out, however, that the first conspirator didn't have any children; it was all a cover for their conspiracy. For us, it was a prime example of how conceptual analytics can reveal threads that investigators might never see on their own.
When it comes down to it, people simply don't use the phrase "insider trading" when they're actually committing insider trading. Aside from knowing how people in your organization are accessing important data, properly combating insider threats requires a sleuthing mindset and regular data analytics. An internal investigation might mean learning whole new languages of subtext in conspirators' dialogue, or digging into a data haystack to track down the one email Joe sends from his work email to his personal email amidst thousands he's sent to his coworkers. It isn't easy, and it takes time to build these habits. Do it right, and you'll strike an effective balance between preserving your company's best interests, monitoring company data without violating employees' privacy, and having confidence in your team's protection against insider threats.
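The "one email to a personal account among thousands to coworkers" search is a good candidate for a first-pass filter before anyone reads a single message. Below is an added example for this page (not Altep's code or any e-discovery platform's feature) that scores outbound messages from an employee's corporate mailbox by whether the recipient is outside the company, uses a webmail domain, resembles the sender's own name, or carries attachments. The corporate domain, the webmail list, the mailbox contents and the scoring weights are all constructed assumptions.

```python
import re

CORP_DOMAIN = "example-corp.com"          # assumed corporate mail domain
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com",
                   "hotmail.com", "icloud.com"}   # assumed personal-mail domains

# Scoring weights (assumed); a message needs at least MIN_SCORE to be flagged.
WEIGHTS = {"external recipient": 1, "webmail domain": 2,
           "recipient resembles sender": 2, "attachments": 1}
MIN_SCORE = 2


def build_sample_mailbox():
    """Constructed mailbox: 1,200 routine internal messages, one message to
    an outside vendor, and one forwarded to a look-alike webmail address."""
    sender = "joe.bloggs@example-corp.com"
    msgs = [{"id": f"m{i}", "from": sender,
             "to": [f"colleague{i % 40}@example-corp.com"],
             "subject": f"Re: status update {i}", "attachments": []}
            for i in range(1200)]
    msgs.append({"id": "m1200", "from": sender,
                 "to": ["orders@partner-vendor.example"],
                 "subject": "PO 4471", "attachments": []})
    msgs.append({"id": "m1201", "from": sender,
                 "to": ["joebloggs99@gmail.com"],
                 "subject": "Fwd: for later", "attachments": ["customer_pricing_model.xlsx"]})
    return msgs


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _local_stem(addr):
    """Letters only from the local part: 'joe.bloggs' and 'joebloggs99' -> 'joebloggs'."""
    return re.sub(r"[^a-z]", "", addr.rsplit("@", 1)[0].lower())


def resembles_sender(sender, recipient):
    """Heuristic (assumed): one name stem contains the other, stems non-trivial."""
    a, b = _local_stem(sender), _local_stem(recipient)
    return len(a) >= 4 and len(b) >= 4 and (a in b or b in a)


def find_self_addressed_exfil(msgs, corp_domain=CORP_DOMAIN):
    """Return [(message id, recipients, score, reasons)] for outbound messages
    from the corporate domain to outside addresses, highest score first."""
    flagged = []
    for m in msgs:
        if _domain(m["from"]) != corp_domain:
            continue
        external = [r for r in m["to"] if _domain(r) != corp_domain]
        if not external:
            continue                      # coworker-to-coworker: the haystack
        reasons = {"external recipient"}
        for r in external:
            if _domain(r) in WEBMAIL_DOMAINS:
                reasons.add("webmail domain")
            if resembles_sender(m["from"], r):
                reasons.add("recipient resembles sender")
        if m["attachments"]:
            reasons.add("attachments")
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= MIN_SCORE:
            flagged.append((m["id"], external, score, sorted(reasons)))
    return sorted(flagged, key=lambda f: -f[2])


if __name__ == "__main__":
    for mid, rcpts, score, reasons in find_self_addressed_exfil(build_sample_mailbox()):
        print(mid, score, rcpts, ", ".join(reasons))
```

The filter is intentionally permissive about what it keeps and strict about what it discards: the 1,200 internal messages never reach a reviewer, the vendor purchase order scores too low to be flagged, and the one forward to a look-alike webmail address rises to the top with every reason spelled out, so the reviewer can judge the hit rather than trust a number. Name-resemblance is a heuristic and will miss a personal address that shares nothing with the work one; treat it as a way to rank, not as proof.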
Next time you find yourself performing this type of investigation, follow these tips, and think of it this way: if you don’t quite get a joke in a suspect’s email exchanges, examine the setup before you get into the punchline. You just might learn what’s so funny.
Warren G. Kruse II is a vice president at Altep. Warren spent 25 years as a law enforcement officer and then as a consultant on incident response, computer forensics, and e-discovery. He is the author of “Computer Forensics: Incident Response Essentials.”
Collin Miller is the Director of Riskcovery Services at Altep, and an experienced project manager and solutions architect. He has years of management experience and specializes in custom solutions for management of large data sets, both for investigation purposes and e-discovery needs.