Digital Forensics – A Great HR Resource!
By: Patrick Siewert,
Owner & Lead Forensic Examiner, Professional Digital Forensic Consulting,
LLC
If you normally follow this blog, you no doubt know Inspiring
HR’s line of business and the employee management services they offer to small
business owners. My line of work and
expertise in digital forensics is somewhat different. Some would say vastly different. This blog is intended to shed light on how
Digital Forensics can benefit the HR systems and processes any business has in
place. My goal is to help bridge the gap
between Human Resources and IT.
Full disclosure:
I am not an IT professional. I'm a
retired Detective. However, I had the fortunate experience of bridging the gap
between the legal community and IT as a Digital Forensic Investigator for a
number of years. I gained some excellent
training and experience in that role.
What is digital
forensics? In a nutshell, we
look at data in the purest form possible to try and determine if an incident
has (or has not) taken place involving a computer, smart phone, tablet,
etc. And, if evidence exists of an
incident, we compile that data and present it in a format the helps “put the
pieces of the puzzle together”. In law
enforcement, we would use this skill set for any number of crimes ranging from
embezzlement to child exploitation. In the business world, a digital
forensic expert may be used to help solidify a case for disciplinary action
involving misuse of company computers or to help prove that a former employee stole intellectual property before
leaving and going to work for a competitor.
Small-to-medium sized businesses often have executives and
managers who wear multiple hats. In
fact, it's not uncommon for a smaller start-up to have one person who deals
with account management, IT and Human Resources. And while companies such as this may not have
the full-time staffing to deal with issues like information security, misuse of
company networks, data breaches or intellectual property theft, rest assured
these issues are ongoing within companies at all levels.
What tends to be most lacking when facing an information
security breach is the policy in place prior to an incident. I urge every company to get the proper
employee management tools, such as new hire agreements and a handbook in place,
to minimize risk as much as possible.
After all, an ounce of prevention is worth a pound of cure.
But what happens when an incident takes place? For example, let's say the Acme Construction
Company has an office employee who is using his down-time to gamble online on
the company computer. (Don't laugh! Things
like this happen all the time). The Manager
at Acme discovers that the employee is engaged in this activity and decides
that it is against his company policy and culture and wants to terminate the employee. But, there may be an underlying challenge to
consider: How does Acme minimize the
risk of the soon to be ex-employee challenging the company for wrongdoing (aka
legal challenge/lawsuit)? Should an HR
decision maker call in the IT gurus to help prove the case? Sounds like an HR issue, right? Well, it's not that simple and may require a
more global approach.
IT and information security professionals often don't have
the requisite training and expertise to conduct these types of investigations
while preserving the evidence. This is
the point at which Acme should call in a digital forensic examiner to help
build the case against the employee.
Through incorporation of best practices, a digital forensics specialist
can acquire the data on the employee's work station and bring that data back to
a lab to conduct a thorough examination.
This will likely include internet history, email history, document
history and even deleted data. Yes,
deleted data! This can help a company illustrate
how long the activity has been ongoing and pinpoint exactly how much company
time has been spent on the activity. Be
warned. A digital forensics specialist
may not always find what you want them to.
Sometimes a thorough investigation may prove there is no issue at all.
This illustration is very basic and, as you can imagine,
could get much more complicated if the issue involves embezzlement, hacking or
theft of intellectual property.
Regardless of the scope of the incident, companies of all sizes need to
bear in mind three basic principles when dealing with suspected misuse of
digital assets:
1)
Make sure your company has a signed
Acceptable Use Policy for all company-owned computers,
cell phones, tablets, etc. for all employees. This "ounce of prevention" goes a
long way toward preventing litigation down the road after disciplinary action
takes place (including termination).Template policies, that can be customized
further specific to your own business, are available through many HR
professionals.
2)
As soon as wrongdoing is suspected, isolate the
digital media (computer, tablet, smart phone, etc.) involved in the incident
and lock it down as much as practicable.
Ideally, if a work station at an employee's desk is suspected, request
that IT seize, secure and replace the work station after hours when the
employee is not present. Seek HR
guidance on what steps are necessary to follow when an employee inquires as to
why the work station has changed or is being investigated.
3)
Don't assume your IT staff knows how to retrieve
digital evidence in an acceptable format for presentation at an administrative
hearing, deposition or court hearing.
Evidence-based practices are always the best option for seizure and
collection of data that may be used in later proceedings.
In summary: Lock down the suspected device(s), call in a
digital forensic professional and don't try to conduct your own examination. The digital forensic expert offers the
benefit of impartiality, which you may not be operating under as a manager or
owner of a company who just discovered your employee is stealing from you.
Seems a little overboard?
Not when you consider that when employees get disciplined or terminated,
emotions begin to factor in and that's when lawsuits and labor complaints are
filed. Will your mind be more at ease if
you take all the appropriate steps available before discipline or termination? As opposed to sitting in a deposition wishing
that you had?
The
name of the game is to minimize risk.
That takes teamwork! HR, IT and a
Digital Forensic Expert can work in concert to help respond more effectively,
should some form of an information security breach occur. 