The COVID-19 pandemic caused massive disruption to the working practices of corporate Australia, commencing with a sudden and substantial increase in remote working in March 2020 as lockdowns were implemented. With this shift, enterprise IT was being asked to rapidly enable and support millions of users in leaving the highly controlled “rockpool” of corporate systems for the open water of cloud-based collaboration tools and personal devices. Within a few short weeks, the safeguards that many organisations had carefully built to maintain their critical IP in singular, securely stored instances were changed. Sensitive data was suddenly spilling out into the depths—multi-instance, synchronised and available on the personal mobile phones and laptops of staff working at home.
Had organisations had the time to configure the new devices and tools appropriately, these tools and personal devices could have been installed as part of the rockpool, but with IT teams working at such short notice and under such immense pressure, a balance had to be struck between the usual supervision and controls that help prevent and detect IP crises and the need to accommodate the “new normal.”
As we fast forward to today, it appears that the corporate working environment may be permanently changed. In March 2021, the Australian Bureau of Statistics (ABS) reported 41% of Australians were working from home at least once a week—nearly double the numbers prior to March 2020.
Those organisations who have not yet knowingly experienced data loss through online collaboration tools may be under the false impression they’ve miraculously avoided a crisis. However, as the pandemic in Australia loosens its grip on personal mobility and the economy recovers, there could be new and emerging insider threats—including current staff who are considering the value of the critical IP they have access to for personal gain, or future business ventures.
The Australian privacy regulator—the Office of the Australian Information Commissioner—has reported that the number of data breach notifications increased in 2020, and the number of breaches resulting from ‘human error’ rose by 18% in the second half of the year. This is a stark reminder that insider threats—both malicious and inadvertent—have increased in frequency and severity during this period of increasing remote work and must be addressed to protect IP.
In addition to insider threats, organisations are also facing increased regulatory risk in relation to data exposure and IP loss. In our observations of organisations experiencing an IP crisis, management often find themselves facing pointed questions from regulators, especially when the data breach involves personal information. The crisis may further highlight flaws in data management, or the over-retention of personal data, which can lead to regulatory action such as investigations, enforceable undertakings, civil penalties or unwanted media attention and public criticism.
Recovering exposed IP and preventing future loss often requires an in-depth investigation, and investigations into the loss of data from corporate collaboration solutions are becoming increasingly commonplace among enterprises in Australia. Common issues our team has encountered in recent months include:
- SharePoint Downloads. At many organisations, remote employees have found downloading or synchronising SharePoint data to their local devices too convenient and tempting to resist. Unfortunately, this practice can result in leakage of critical IP. The good news is that in most cases, the SharePoint system (when properly configured) is logging every action. During SharePoint investigations, our team has been able to quickly establish a remote connection to the client’s Microsoft 365 environment and harvest detailed user logs, which list activity such as Access, Download, Sync, Send and Share. While these logs can be large and difficult to manipulate, forensic tools can provide a visual depiction of user activity over time to inform investigators and support clear, fast case resolutions.
- Email Forwarding. Email forwarding rules are often used to exfiltrate data. While external threat actors have sophisticated means of using email forwarding to breach a network, insiders’ approaches are usually more straightforward. Often, insiders looking to take IP will forward emails, wholly unaware of the logging functionality of their corporate email systems. They may simply establish rules to forward emails to their personal account, but make no attempt to cover their tracks, making it easier for investigators to follow their trail.
- Apple iCloud Backups and Sync Data. Bring your own device (BYOD) remains a popular choice for mobile device users in the workplace in 2021. A potential pitfall of this approach is that many users are encouraged to use their personal device account (such as an Apple ID), which synchronises data to the cloud and then to all devices associated with that account. When BYOD solutions are configured correctly, organisations can effectively manage and control their IP. However, in recent investigations we’ve seen numerous instances where appropriate configuration is outside the expertise and budget of many organisations. As a result, past employees are often left unsupervised to simply download corporate data onto their new post-employment device. Poor BYOD management has enabled sensitive communications, contact details and client or prospect information to simply walk out the door.
- USB Devices. It’s a classic data egress technique that remains popular today—plug in a USB memory stick, drag the files over, then pull it out and walk away. However, with the post-COVID-19 rise of BYOD, the source device has changed. Staff are no longer connecting USB devices to just their corporate device; they’re increasingly connecting them to personal devices enabled and authenticated as corporate collaboration tools. As such, personal devices are an increasingly integral part of IP theft investigations.
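The SharePoint and email-forwarding items above both come down to reading the same Microsoft 365 activity logs. The following is an added example, not code from the article or its authors: it parses constructed audit records, builds the per-user, per-day download timeline an investigator would chart, and flags inbox rules that forward mail outside the tenant. The field and operation names (CreationTime, UserId, Operation, Parameters, FileDownloaded, FileSyncDownloadedFull, New-InboxRule, ForwardTo and so on) follow the unified audit log schema as I understand it and are assumptions here; the domains and addresses are made up.

```python
import json
from collections import Counter

# Constructed sample audit records (JSON lines) shaped like Microsoft 365
# unified audit log exports; field and operation names are assumptions.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2021-03-01T09:12:00", "UserId": "alice@corp.example",
     "Operation": "FileAccessed", "ObjectId": "https://corp.sharepoint.example/sites/RD/plan.docx"},
    {"CreationTime": "2021-03-02T21:03:00", "UserId": "alice@corp.example",
     "Operation": "FileSyncDownloadedFull", "ObjectId": "https://corp.sharepoint.example/sites/RD/roadmap.xlsx"},
    {"CreationTime": "2021-03-02T21:03:05", "UserId": "alice@corp.example",
     "Operation": "FileDownloaded", "ObjectId": "https://corp.sharepoint.example/sites/RD/clients.csv"},
    {"CreationTime": "2021-03-02T21:04:00", "UserId": "alice@corp.example",
     "Operation": "FileDownloaded", "ObjectId": "https://corp.sharepoint.example/sites/RD/pricing.pdf"},
    {"CreationTime": "2021-03-02T21:10:00", "UserId": "alice@corp.example",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "ForwardTo", "Value": "alice.home@mail.example"}]},
    {"CreationTime": "2021-03-02T10:00:00", "UserId": "bob@corp.example",
     "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "RedirectTo", "Value": "helpdesk@corp.example"}]},
])

DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}   # bulk-copy operations
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}                 # inbox rule changes
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def parse_log(text):
    """One JSON object per line -> list of dicts; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def downloads_per_user_day(records):
    """Count download/sync operations per (user, day): the timeline an
    investigator charts to spot a sudden bulk-download event. Access is excluded."""
    return Counter((r["UserId"], r["CreationTime"][:10])
                   for r in records if r["Operation"] in DOWNLOAD_OPS)

def download_spikes(records, threshold):
    """(user, day, count) for days at or above the threshold, largest first."""
    counts = downloads_per_user_day(records)
    return sorted([(u, d, n) for (u, d), n in counts.items() if n >= threshold], key=lambda t: -t[2])

def external_forwarding_rules(records, internal_domain):
    """Inbox-rule events whose forward/redirect target lies outside the tenant's domain."""
    suffix = "@" + internal_domain.lower()
    return [(r["UserId"], r["CreationTime"], p["Value"])
            for r in records if r["Operation"] in RULE_OPS
            for p in r.get("Parameters", [])
            if p["Name"] in FORWARD_PARAMS and not p["Value"].lower().endswith(suffix)]
```

On the sample, alice's three downloads in one evening followed by a rule forwarding to a non-corporate address are surfaced together, while bob's redirect to an internal helpdesk mailbox is not flagged.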
In recovering from an IP crisis, the key is to adopt a flexible, multi-disciplinary approach. These crises are frequently multi-faceted, requiring multiple disciplines, including cybersecurity, digital forensics, privacy and strategic communications, to mount an effective response. Plan ahead so that you’re not trying to find the right people in the midst of a crisis. In the end, fortune favours the prepared. Review current governance and implement a proactive, preventative approach to close known gaps, identify and address other risks and improve processes. In the wake of COVID-19 and the changes it has instigated, enterprises may not be able to bring all their IP back to the safety of the rockpool—but it’s not too late to deploy the life rafts and patrols, and prepare for the next big wave that hits.