Kroll Ontrack's Ben Fielding examines the challenging paradox of how to manage company security while keeping employee privacy policies intact

The infiltration of computers and other electronic devices in almost every aspect of our working day presents a considerable challenge to ensure employees are properly protected while at the same time ensuring that company policy is adhered to, data and intellectual property (IP) is secure and both financial and reputational damage to the company is avoided.

Management teams have the arduous task of balancing the needs of the company with the rights of the individual and one of the greatest threats to both is the spectre of an investigation into:

- IP theft;

- computer and email misuse;

- bullying, harassment, discrimination or misconduct;

- fraud and theft; and

- contractual disputes.

Electronic storage types

A company's electronically stored information is likely to be stored in a variety of devices, all of which have the capacity to hold large amounts of data. Laptop computers present the most obvious and frequently used method of data storage, but employees are also utilising other means of data storage such as USB memory sticks, secure digital (SD) cards, digital cameras, iPod or MP3 players and digital photo frames, all of which can pose serious difficulties to a company trying to maintain a secure environment.

To really understand the power of these devices and the risks they pose, consider that just 1GB of storage capacity equates to roughly 30,000 pages of data. Moreover, many of these devices are widely, easily and cheaply available. Most employees will have easy access to one or many of these devices and, if used with the wrong intentions, these devices are capable of breaching company policy and pose a potential security nightmare.

Employee investigations

The typical response to an investigation into IP theft, computer misuse or fraud is to ask someone in the IT team to 'have a look' at the employee's computer to confirm what the suspect has done. This is in fact the first mistake in performing an investigation, as an action as simple as starting up a laptop can alter date stamps and other important metadata (most easily understood as the data about data) that could potentially destroy crucial evidence. What is more, 'having a peek' could leave your company open to accusations of tampering, bullying and, worst of all, discrimination.

The correction response

Ensure the correct team 
members are involved in the decision-making process and follow a pre-determined computer incident response plan that meets technical and legal requirements. Such a plan allows an organisation to respond to an incident while continuing to deliver normal day-to-day services. It also provides structure and detail for dealing with not only what actions should be taken when an incident is detected, but also what individual responsibilities should be in place.

A number of training courses are available to ensure an organisation's response is correct. These include:

- forensics for human resources – learn the legal issues, step-by-step incident response guidelines, common scenarios;

- first responder training – learn evidence handling, chains of custody and Association of Chief Police Officers guidelines; and

- management awareness training – bring together heads of departments to learn legal issues, policy versus practice and incident response planning.

Preventative 
measures

From the outset, organisations should ensure that they have policies in place detailing the acceptable use of company computers and other electronic devices and that these policies are updated regularly. They might include a clause for the use of personal devices where appropriate, such as home computers when working from home or the use of iPods or other personal devices (capable of storing sensitive information) in the workplace.

Other methods of restricting the leak of vital data include the use of encryption, making USB ports responsive to only approved devices, or disabling these ports altogether if this does not inhibit the smooth running of the business. Tiered or level access helps limit the right to use so that individuals can only access information or data that they need to in order to do their job. Restricting access to particular websites altogether or only allowing access during certain timeframes also helps to counteract internet misuse.

It is critical for the organisation to assess its preparedness to deal with incidents that require the gathering and preservation of digital evidence. Recent changes in UK data protection law have put increasing pressure on organisations to ensure the security of the sensitive information they hold, and the Information Commissioner's Office has already issued severe monetary penalties to companies that have shown negligence in protecting sensitive data.

Exit strategies

Imaging for preservation ensures that you have a copy of a hard drive stored for future use if needed. It also means that you can put an ex-employee's computer back into company circulation knowing that a complete copy of its history is available in archive. Companies are now routinely performing this process for key positions/departments that are considered to be of particular risk in order to protect themselves against the following scenarios:

- an employee leaving, deleting company information that may be useful or critical to the business;

- an employee leaving and six months later starting a new business in competition and corporate clients start to defect; or

- an employee being dismissed, claiming harassment, bullying and unfair dismissal.

In these scenarios, a copy of the hard drive is available to perform a post-event investigation, if required.

It is the technology – laptops, smart phones and USB devices to name a few – which allows organisations to work more productively and more flexibly, maintaining more mobility and allowing us to maintain a work/life balance. Yet this same technology puts us increasingly at risk for computer-related incidents. Executing the correct response procedures helps organisations to best protect themselves and their IP from the increasingly common insider threat. A small investment that equips key staff with the knowledge and understanding to respond to a relatively rare but complex situation could prove invaluable when defending your organisation's position and protecting your priceless assets.

Ben Fielding is manager of business development and computer forensics at Kroll Ontrack Legal Technologies.