Friday, January 2, 2015
Digital Forensics – A Great HR Resource! (Guest Blog for Inspiring HR)
Original Post Date: July 23, 2014
By: Patrick Siewert, Owner & Lead Forensic Examiner, Professional Digital Forensic Consulting, LLC
If you normally follow this blog, you no doubt know Inspiring HR’s line of business and the employee management services they offer to small business owners. My line of work and expertise in digital forensics is somewhat different. Some would say vastly different. This blog is intended to shed light on how Digital Forensics can benefit the HR systems and processes any business has in place. My goal is to help bridge the gap between Human Resources and IT.
Full disclosure: I am not an IT professional. I'm a retired Detective. However, I had the fortunate experience of bridging the gap between the legal community and IT as a Digital Forensic Investigator for a number of years. I gained some excellent training and experience in that role.
What is digital forensics? In a nutshell, we look at data in the purest form possible to try and determine if an incident has (or has not) taken place involving a computer, smart phone, tablet, etc. And, if evidence exists of an incident, we compile that data and present it in a format the helps “put the pieces of the puzzle together”. In law enforcement, we would use this skill set for any number of crimes ranging from embezzlement to child exploitation. In the business world, a digital forensic expert may be used to help solidify a case for disciplinary action involving misuse of company computers or to help prove that a former employee stole intellectual property before leaving and going to work for a competitor.
Small-to-medium sized businesses often have executives and managers who wear multiple hats. In fact, it's not uncommon for a smaller start-up to have one person who deals with account management, IT and Human Resources. And while companies such as this may not have the full-time staffing to deal with issues like information security, misuse of company networks, data breaches or intellectual property theft, rest assured these issues are ongoing within companies at all levels.
What tends to be most lacking when facing an information security breach is the policy in place prior to an incident. I urge every company to get the proper employee management tools, such as new hire agreements and a handbook in place, to minimize risk as much as possible. After all, an ounce of prevention is worth a pound of cure.
But what happens when an incident takes place? For example, let's say the Acme Construction Company has an office employee who is using his down-time to gamble online on the company computer. (Don't laugh! Things like this happen all the time). The Manager at Acme discovers that the employee is engaged in this activity and decides that it is against his company policy and culture and wants to terminate the employee. But, there may be an underlying challenge to consider: How does Acme minimize the risk of the soon to be ex-employee challenging the company for wrongdoing (aka legal challenge/lawsuit)? Should an HR decision maker call in the IT gurus to help prove the case? Sounds like an HR issue, right? Well, it's not that simple and may require a more global approach.
IT and information security professionals often don't have the requisite training and expertise to conduct these types of investigations while preserving the evidence. This is the point at which Acme should call in a digital forensic examiner to help build the case against the employee. Through incorporation of best practices, a digital forensics specialist can acquire the data on the employee's work station and bring that data back to a lab to conduct a thorough examination. This will likely include internet history, email history, document history and even deleted data. Yes, deleted data! This can help a company illustrate how long the activity has been ongoing and pinpoint exactly how much company time has been spent on the activity. Be warned. A digital forensics specialist may not always find what you want them to. Sometimes a thorough investigation may prove there is no issue at all.
This illustration is very basic and, as you can imagine, could get much more complicated if the issue involves embezzlement, hacking or theft of intellectual property. Regardless of the scope of the incident, companies of all sizes need to bear in mind three basic principles when dealing with suspected misuse of digital assets:
1) Make sure your company has a signed Acceptable Use Policy for all company-owned computers, cell phones, tablets, etc. for all employees. This "ounce of prevention" goes a long way toward preventing litigation down the road after disciplinary action takes place (including termination).Template policies, that can be customized further specific to your own business, are available through many HR professionals.
2) As soon as wrongdoing is suspected, isolate the digital media (computer, tablet, smart phone, etc.) involved in the incident and lock it down as much as practicable. Ideally, if a work station at an employee's desk is suspected, request that IT seize, secure and replace the work station after hours when the employee is not present. Seek HR guidance on what steps are necessary to follow when an employee inquires as to why the work station has changed or is being investigated.
3) Don't assume your IT staff knows how to retrieve digital evidence in an acceptable format for presentation at an administrative hearing, deposition or court hearing. Evidence-based practices are always the best option for seizure and collection of data that may be used in later proceedings.
In summary: Lock down the suspected device(s), call in a digital forensic professional and don't try to conduct your own examination. The digital forensic expert offers the benefit of impartiality, which you may not be operating under as a manager or owner of a company who just discovered your employee is stealing from you.
Seems a little overboard? Not when you consider that when employees get disciplined or terminated, emotions begin to factor in and that's when lawsuits and labor complaints are filed. Will your mind be more at ease if you take all the appropriate steps available before discipline or termination? As opposed to sitting in a deposition wishing that you had?The name of the game is to minimize risk. That takes teamwork! HR, IT and a Digital Forensic Expert can work in concert to help respond more effectively, should some form of an information security breach occur.