How to prevent departing employees from hacking your company from the inside
by Jason Park
November 27, 2018

In today’s data-driven world, cyberattacks occur almost daily, leaving many construction business owners to worry that an external hacker may target their business’s data. But what most owners don’t realize is that their biggest threat is actually internal—their own departing employees.

According to Osterman Research, one in five employees uploads sensitive and confidential data to an outside cloud, specifically for the purpose of sharing it with others. Further, a survey by Biscom found that 87 percent of employees who leave a job take with them the data they created at that job, and 28 percent take data others created. Among the majority who reported having taken company data with them, 88 percent took corporate presentations and/or strategy documents; 31 percent took customer lists; and 25 percent took intellectual property.

On the Front End

So, what can construction companies do to ensure their data is safe after employees leave? First, business owners must understand what they are trying to protect before they can stop anyone from exposing it. As such, you must determine exactly what data you have and where it is stored. In as much detail as possible, map out where your organization’s data is located, who has access to specific files, when each file was created and/or modified, and where each file is stored. Then, you can begin to proactively secure it by:

  • Establishing employee access levels to sensitive and confidential data based on role, function, need to know, etc.
  • Including confidentiality provisions about ownership of sensitive, confidential and trade-secret data in employment contracts
  • Requiring each employee to sign a document stating that they have read and agree to each policy
  • Encrypting sensitive and confidential data in transit, at rest and in use—regardless of its location—through an encryption platform that’s integrated with your existing systems and workflows
  • Requiring two-factor authentication for sensitive content
  • Properly managing mobile devices and laptops, allowing yourself the ability to remotely wipe every mobile device that may contain company data
  • Frequently reminding employees of data policies and procedures, and training them on those policies, to reinforce that the data belongs to the company and that management intends, and has the right, to monitor
  • Introducing and using policies to monitor and audit employees using any resource with access to corporate data
  • Updating and training managers frequently so they are aware of the various data risks involved when employees leave

These steps can significantly help to mitigate the risk of employee data theft; however, you can’t prevent it altogether. So, you must take extra precautions once an employee is let go or gives his/her notice.

Before They Leave

On an employee’s last day, obtain custody of their company-supplied computer(s) and mobile device(s), as well as external hard drive(s), thumb drive(s) and backup disc(s). If the employee had the ability to use a personal device for work-related tasks, analyze the device and remove all company-related files, emails, texts, etc. according to the policies set forth. Also, collect company credit card(s), security access card(s), key(s) to the building, and parking tag(s) or decal(s).

During the exit interview, ask the employee questions about their future plans for employment to help determine the potential risk of intellectual property (IP) theft. Remind the employee of the confidentiality agreement he/she signed upon being hired and have him/her sign a document stating that he/she has returned all company data and has not retained a copy of anything. When the employee leaves, don’t forget to disable his/her access to computer systems and networks, phone and voicemail systems, cloud providers, customer relationship management (CRM) platforms, etc.
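One way to check that access was actually disabled everywhere is to reconcile HR’s list of departures against account exports from each system. The script below is an added example, not part of the original article; the system identifiers, usernames, dates and export layout are constructed assumptions.

```python
from datetime import date

# Systems named in the paragraph above; the identifiers are assumptions.
SYSTEMS = ("directory", "vpn", "voicemail", "cloud_storage", "crm")

# Constructed sample data: HR last-day list and per-system account exports.
DEPARTED = {"jdoe": date(2018, 11, 16), "asmith": date(2018, 11, 21)}
ACCOUNTS = [  # (system, username, enabled, last_login)
    ("directory", "jdoe", False, date(2018, 11, 16)),
    ("vpn", "jdoe", False, date(2018, 11, 15)),
    ("voicemail", "jdoe", False, None),
    ("cloud_storage", "JDoe@example.com", True, date(2018, 11, 19)),
    ("crm", "jdoe", False, date(2018, 11, 16)),
    ("directory", "CORP\\asmith", False, date(2018, 11, 21)),
    ("vpn", "asmith", False, date(2018, 11, 20)),
    ("voicemail", "asmith", False, None),
    ("cloud_storage", "asmith", False, date(2018, 11, 21)),
    ("directory", "bking", True, date(2018, 11, 26)),  # current employee
]

def normalize(username):
    """Reduce e-mail and DOMAIN\\user forms to a bare lowercase login."""
    name = username.strip().lower().split("\\")[-1]
    return name.split("@")[0]

def audit_offboarding(departed, accounts, systems=SYSTEMS):
    """Return sorted (user, system, issue) findings for departed employees."""
    findings, seen = [], set()
    for system, username, enabled, last_login in accounts:
        user = normalize(username)
        if user not in departed:
            continue
        seen.add((user, system))
        if enabled:
            findings.append((user, system, "still enabled"))
        if last_login and last_login > departed[user]:
            findings.append((user, system, "login after last day"))
    # A system with no record for the user is unverified, not clean.
    for user in departed:
        for system in systems:
            if (user, system) not in seen:
                findings.append((user, system, "no record, verify manually"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_offboarding(DEPARTED, ACCOUNTS):
        print(*finding, sep=" | ")
```

Usernames are normalized because the same person often appears under different forms in different systems, which is how an active cloud or CRM login survives a directory-only offboarding.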

Before Issuing Used Devices

Before issuing the employee’s computer, tablet and/or phone to another employee, make a forensically sound copy of the computer’s hard drive. Companies that fail to complete this step significantly hinder their ability to prosecute IP theft. Be sure to have licensed or certified personnel or vendors handle the process, called “imaging,” which goes beyond what an IT backup can do. It not only copies active files, but also deleted files and fragmented files, and it preserves unallocated space on the drive.

This data collection is conducted with the aid of a write blocker, a hardware device that gives read-only access to the drive and allows your certified vendor to acquire information on a hard drive without the possibility of accidentally damaging the contents. The procedure should be repeated for all departing employees’ hard drives, flash drives, USB drives and mobile devices. It should also encompass all platforms and files accessed by the employee: not just emails, databases and conventional documents like Microsoft Word files, but also games, messaging apps, browser histories, social media networks, cloud platforms and more.

Once you have a forensic image of a device, which should include hash verification and detailed logging of files (including password-protected and encrypted files), you can make additional forensic images in case your forensic team needs to perform further investigation and analysis of the files. If anything happens to the copy as the forensic team works on it, they can always go back to the original image and make another copy. In addition, if you suspect a departed employee stole company data, your team can use the working copy to look for unusual activity, such as:

  • File transfers involving a high volume of copied files or specific, confidential files moved to another device or cloud account
  • Proprietary files residing locally (like a downloaded customer list from your CRM)
  • CAD files on a computer that doesn’t have the CAD program
  • Unusual after-hours, weekend or holiday activity
  • Significant increase in outbound emails
  • Recently added or deleted software, such as a disk-wiping tool
  • Recently upgraded or downgraded software and/or applications
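Three of these indicators can be screened for mechanically before an examiner reviews the working copy in detail. The script below is an added example, not part of the original article; the event layout, paths, business hours, bulk threshold and software inventory are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed file-activity timeline exported from a working copy:
# (timestamp, action, path, destination). The layout is an assumption.
EVENTS = [
    ("2018-11-17 22:05", "copy", "C:/Bids/customer_list.csv", "E:/"),
    ("2018-11-17 22:06", "copy", "C:/Bids/pricing_2019.xlsx", "E:/"),
    ("2018-11-17 22:07", "copy", "C:/Plans/site_a.dwg", "E:/"),
    ("2018-11-19 10:15", "open", "C:/Plans/site_a.dwg", ""),
    ("2018-11-20 14:30", "copy", "C:/HR/handbook.pdf", "D:/Backup/"),
]
INSTALLED = {"Microsoft Office", "Chrome"}  # constructed software inventory
CAD_EXT = (".dwg", ".dxf", ".rvt")          # assumed CAD file extensions
CAD_PROGRAMS = {"AutoCAD", "Revit"}         # assumed CAD program names

def triage(events, installed, bulk_threshold=3):
    """Flag after-hours activity, bulk copies and orphaned CAD files."""
    after_hours, copies, cad = [], Counter(), set()
    for stamp, action, path, dest in events:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        # Assumed business hours: Mon-Fri 07:00-19:00. Holidays would
        # need a company calendar and are not handled here.
        if ts.weekday() >= 5 or not (7 <= ts.hour < 19):
            after_hours.append((stamp, path))
        if action == "copy":
            copies[(dest, ts.date().isoformat())] += 1
        if path.lower().endswith(CAD_EXT):
            cad.add(path)
    bulk = {key: n for key, n in copies.items() if n >= bulk_threshold}
    has_cad = bool(CAD_PROGRAMS & installed)
    return {
        "after_hours": after_hours,
        "bulk_copy": bulk,  # (destination, day) -> number of files copied
        "cad_without_program": [] if has_cad else sorted(cad),
    }

if __name__ == "__main__":
    for indicator, hits in triage(EVENTS, INSTALLED).items():
        print(indicator, hits)
```

A hit is a reason for the forensic team to look closer, not proof of theft; thresholds and hours should match how the employee normally worked.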

In the Event of Suspicion

If needed, a forensic team may be able to recover deleted files, expose hidden files and even recover temporary files, such as data that was copied to another storage device. Depending on your company’s setup, it may also be smart to check the server backup tapes and remove them from rotation so they are not overwritten.

If an investigation shows suspicious activity, these actions will provide the information you need to decide how to proceed. Many times, if someone is confronted with evidence of copying files, he/she simply returns the files and puts an end to the discussion. Other times, it escalates and requires litigation. If your forensic team is associated with an e-discovery company, your vendor will be able to facilitate the entire process of collecting, analyzing, filtering, reviewing and producing the data.

When dealing with electronic data, time is of the essence. According to the 2018 Thales Data Security Report, nearly 9 in 10 companies plan to increase cybersecurity spending this year. If you want to protect your company’s data, you should follow suit. Just remember that not all threats are external. Insiders know where you keep your files, what’s important and how to access them. Consider working with a team of forensic and technology experts to ensure your data stays safe.