As we know, workplaces have drastically changed their approach to data storage and connectivity to adapt to the emerging digital landscape, a process which has been catalysed by the recent pandemic. We are now experiencing less rigid work hours, more employees working from home, and a general increase in the use of IT systems to accommodate this shift. This means a more cloud-centric approach to storing data, an increasing volume of sensitive data on these systems and greater access to confidential information. The inherent risk associated with this change is that there is now a greater potential for the unauthorised distribution of sensitive data. To demonstrate this point, a recent survey has shown that the average Australian worker changes jobs every 3.3 years, which equates to 2 million job changes per year within the Australian workforce.
Of the people surveyed, 25% of departing employees confirm that they are taking company data with them when they leave. More worryingly, 85% of the people surveyed have taken data that they created and don’t feel that there is anything wrong with this. From this data, it is clear that more proactive steps need to be taken to protect company information.
The Traditional Digital Forensic Approach
The current approach when an investigation commences following an allegation of employee misconduct is to follow the traditional Digital Forensic approach. From a Digital Forensic perspective, a legally defensible workflow must be implemented to firstly identify the incident and the computer systems of interest, then to preserve the relevant data and its integrity, extract data where relevant to make it readable, analyse the data and present the findings. This workflow ensures the evidentiary provenance of the findings and ensures they are identified and communicated with rigor and accuracy.
One common challenge in the traditional Digital Forensic approach is attributing the suspected behaviour to an individual retrospectively. Digital Forensic practitioners might say that something occurred on a computer, but verifying who performed the action is more of a challenge. Additionally, the traditional approach usually requires the escalation of an incident so that the person of concern’s devices can be collected and analysed. This means that the information may be at risk of being unrecoverable, either due to intentional removal of evidence or as a result of the length of time that has passed since the incident occurred. These challenges call for a more proactive solution to Digital Forensic investigations which supplements, not replaces, the traditional workflow.
The Proactive Digital Forensic Approach
Such proactive methods currently exist and supplement the traditional process by being implemented prior to the escalation of an incident. The new, proactive approach allows information to be captured from the person of concern’s computer in real time, based on highly customisable rulesets that are designed to send alerts on specific user activity relevant to the investigation. For example, if an individual is suspected of using a Microsoft Chrome incognito window to send confidential data to their private email address, this information can be collected from the endpoint through the generation of alerts and screenshots in real time. The information collected is specific to the URL visited, the network data and the browser used to execute this activity. It can also collect screenshots of the user’s actions, providing a definitive link between the person of concern and the action.
In scenarios where an incident has occurred, this technology is able to confirm the user activity of concern without the individual being aware, thus increasing the likelihood of retaining critical evidence if the individual attempts to cover their tracks. Technology that focuses on capturing specific activity is also very effective for identifying key issues quickly, without having to review large volumes of complex data and digital traces. The proactive approach can also deliver a result in real time, enabling action to be taken more quickly and a more cost-effective resolution to be achieved.
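An added example, not from the original article or from any product it describes: a small ruleset evaluated over constructed endpoint events, modelled on the private-window webmail scenario above. The rule fields, event schema, host names and the hash-chaining of alerts (one way to keep captured records tamper-evident, in line with the integrity requirement of the traditional workflow) are assumptions for illustration.

```python
import hashlib
import json
from urllib.parse import urlparse

# Hypothetical ruleset: alert on large uploads to personal webmail in a private window.
RULES = [{"id": "private-webmail-upload", "private_mode": True,
          "hosts": {"mail.example.com"}, "min_bytes_out": 100_000}]

# Constructed endpoint events (not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T09:12:03Z", "user": "jdoe", "browser": "chrome",
     "private_mode": False, "url": "https://intranet.example.org/wiki", "bytes_out": 2_100},
    {"ts": "2024-05-01T09:14:47Z", "user": "jdoe", "browser": "chrome",
     "private_mode": True, "url": "https://mail.example.com/compose", "bytes_out": 4_800_000},
    {"ts": "2024-05-01T09:20:10Z", "user": "asmith", "browser": "chrome",
     "private_mode": True, "url": "https://mail.example.com/inbox", "bytes_out": 900},
]
GENESIS = "0" * 64  # "previous hash" of the first alert in a chain

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def matches(rule, event):
    """True when the event satisfies every condition of the rule."""
    host = urlparse(event["url"]).hostname
    return (event["private_mode"] == rule["private_mode"]
            and host in rule["hosts"]
            and event["bytes_out"] >= rule["min_bytes_out"])

def evaluate(events, rules):
    """Return alerts, each hash-chained to the previous one so that later
    alteration or deletion of a captured record is detectable."""
    alerts, prev = [], GENESIS
    for event in events:
        for rule in rules:
            if matches(rule, event):
                record = {"rule": rule["id"], "event": event, "prev": prev}
                alerts.append({**record, "sha256": _digest(record)})
                prev = alerts[-1]["sha256"]
    return alerts

def verify_chain(alerts):
    """Recompute every digest and link; False on any mismatch."""
    prev = GENESIS
    for a in alerts:
        record = {"rule": a["rule"], "event": a["event"], "prev": a["prev"]}
        if a["prev"] != prev or a["sha256"] != _digest(record):
            return False
        prev = a["sha256"]
    return True
```

Only the second constructed event raises an alert: the first is not in a private window, and the third is below the upload threshold.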
The Legal Framework
Often legal action associated with digital fraud or misuse involves proceedings for freezing the defendant’s assets (insofar as they are relevant to the fraud or misuse) and obtaining search orders of the defendant’s premises (including all digital records). There is a high threshold to obtain these orders and the better the strength of the applicant’s evidence the easier it will be to obtain this relief.
As noted above, investigators are often faced with the reconstruction of digital activity to determine who undertook that activity to create admissible evidence of an act. This requires a reconstruction of events and files. Use of technology that captures a defendant “red handed” in real time in a digital breach is a useful tool in many respects including:
- removing the need for the Court to draw inferences as to what actually occurred;
- strengthening the evidence required to discipline employees or take legal action; and
- providing a real time capture of the conduct, step by step, which makes denial difficult for the defendant and thus will aid in the speed of judgments or settlements given the strength of evidence.
A question often asked is the legality of such technology. However, a properly drafted IT or digital policy together with an acknowledgement of the user on each log on can address that concern.
The deterrent factor cannot be overlooked either. Given each user acknowledges that all key strokes are recorded, it will limit the amount of digital fraud and misconduct. Furthermore, counterparties will be comforted that you have such technology to prevent misuse of their data, funds or assets. This itself may also be a valuable point of differentiation in tenders.
Johnson Winter & Slattery