The introduction of smartphones and cloud-based platforms has revolutionised the way business is conducted in Australia and throughout the world. Greater accessibility has promoted a faster pace of business. Emails and business proposals can now be drafted and sent while lounging at home, not just at your desk within “office hours”, and the trend is clearly towards device and data portability.
Rise of the Data Thief
Increasingly, we are being called to address situations where employees (and contractors) have misused business data, and huge amounts of it! Misuse of company records is not new; however, modern processing speeds and network bandwidth allow massive quantities of data to be transferred rapidly and in a variety of ways. In the space of a few minutes an employee can transfer millions of business records into the cloud. Compare that to the 20th century trick of secretly slipping a file into a briefcase!
Most IT defences are outward facing, preventing external hackers and attacks on your servers and websites. Turning those defences inward to create robust protections against insiders (blocks and 24/7 monitoring regimes) is beyond the resourcing reach of most organisations. Such controls can also come at a significant operational cost: restricting what information your staff can access may hinder them in doing their job. It is a balancing act.
The reality is a lot of businesses only discover their vulnerabilities after their data and documents have walked out the door with a key member of staff. A few examples of the issues we’ve managed over the last few months demonstrate this problem:
• Days before an employee resigned they uploaded into an iCloud account the entire history of the business’ customer sales data from the Salesforce App on their iPhone. The data was then transferred onto another Cloud account. They then attempted to hide their actions by deleting records. We found a complete history of their actions in the iCloud backup.
• An employee, out of hours and in the month leading up to their resignation, remotely accessed the business’ database and downloaded it en masse to a personal computer. A short while later the employee left to work for a direct competitor.
• The common or garden variety of misappropriation (which we deal with on almost a weekly basis). An employee who has resigned inserts a USB key into their computer and copies off what they claim is their “personal information”, or sends bulk emails containing a range of attachments to their Gmail account and then tries to delete the evidence. It is not uncommon for files to be renamed prior to being transferred (e.g. FY2016 Budget.xlsx becomes BirthdayInvite.xlsx) to disguise the content of what is being moved outside the business.
As you can see the extent of misuse of data is only limited by imagination.
What Can You Do?
Act fast! Prevention is better than a cure. The following basic tips can be considered to reduce the risk of data and document misappropriation.
Tips to reduce risk
(a) Disable & block certain Apps on mobile devices
Most smartphones come out of the box with iCloud, Dropbox or Google Drive. These are cloud-based platforms that allow the user to copy parts of their phone’s data into the cloud, or to back up the entire contents of the phone into the cloud. On business-managed devices, consider using your device management controls to disable cloud backup and sync for apps that hold business data.
(b) Block external device uploads
Consider limiting the ability to copy files from business devices to external drives, such as USB keys or backup drives.
(c) Set up restrictions in email via IT system rules
Most email systems allow an administrator to create a variety of rules that operate without the employee being able to disable them. Just be careful that you comply with workplace surveillance laws and policy. Consider implementing email IT rules within your office email system such as:
i. a rule to prevent certain files from being emailed from your system, e.g. a rule that prevents FY2016 Budget.xlsx from being attached to an email. Note that a rule keyed to a file name is defeated by the simple renaming described above (FY2016 Budget.xlsx becoming BirthdayInvite.xlsx), so pair it with a rule keyed to file type;
ii. a rule that automatically bcc’s a senior manager into an email if it contains more than, say, 3 attachments or has specific file types as attachments.
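The two mail rules above, together with the file-renaming trick described in the examples earlier on this page, as an added worked example in Python (it is not the article's code, nor that of any particular mail product). It evaluates an outbound message against a blocked-file-name rule, a manager-bcc rule for more than three attachments or watched file types, and one further check that goes beyond the rules listed here: comparing each attachment's leading bytes with the type its extension claims, which catches a spreadsheet renamed to look like a photo. The policy values, addresses, and sample attachments are assumed for illustration.

```python
"""Outbound-mail rule evaluator (added example, not the article's own code).

Checks a message against the two rule types suggested on the page, plus a
content-signature check for attachments renamed to hide what they are.
All policy values below are assumed for illustration.
"""
from email.message import EmailMessage

# Assumed policy (hypothetical values for this example).
BLOCKED_NAMES = {"fy2016 budget.xlsx", "fy2016budget.xlsx"}   # rule (i): never leaves the system
WATCHED_EXTENSIONS = {".xlsx", ".xls", ".csv", ".pst", ".bak"}  # rule (ii): copy a manager
MAX_ATTACHMENTS = 3                                          # rule (ii): copy a manager above this
MANAGER_BCC = "senior.manager@example.com"                   # assumed address

# Leading bytes of common container formats and the extensions they may legitimately carry.
# Office Open XML files (.xlsx/.docx/.pptx) are ZIP archives and so begin with "PK\x03\x04"
# whatever they have been renamed to; a legacy .xls/.doc is an OLE compound file.
SIGNATURES = {
    b"PK\x03\x04": {".xlsx", ".docx", ".pptx", ".zip"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {".xls", ".doc", ".ppt", ".msg"},
    b"%PDF-": {".pdf"},
}


def extension(filename):
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def attachments(msg):
    """Return (filename, raw bytes) for every attachment part of a message."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            found.append((name, part.get_payload(decode=True) or b""))
    return found


def signature_mismatch(filename, data):
    """True when the bytes carry a known signature that the claimed extension cannot have."""
    claimed = extension(filename)
    for magic, allowed in SIGNATURES.items():
        if data.startswith(magic):
            return claimed not in allowed
    return False   # unknown content: nothing to compare against


def evaluate(msg):
    """Return the list of (action, reason) pairs the mail system should apply to msg."""
    atts = attachments(msg)
    actions = []
    for name, data in atts:
        if name.lower() in BLOCKED_NAMES:
            actions.append(("reject", f"blocked attachment name: {name}"))
        elif signature_mismatch(name, data):
            actions.append(("hold", f"{name}: content does not match its extension"))
    if len(atts) > MAX_ATTACHMENTS:
        actions.append(("bcc", f"{MANAGER_BCC}: {len(atts)} attachments"))
    elif any(extension(n) in WATCHED_EXTENSIONS for n, _ in atts):
        actions.append(("bcc", f"{MANAGER_BCC}: watched file type attached"))
    return actions


def build_message(files):
    """Construct a sample outbound message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "staff@example.com"
    msg["To"] = "personal.address@example.net"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    for name, data in files:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


# Constructed stand-in for a real spreadsheet: the ZIP signature followed by filler.
XLSX_BYTES = b"PK\x03\x04" + b"\x00" * 28

if __name__ == "__main__":
    cases = {
        "named budget file": build_message([("FY2016 Budget.xlsx", XLSX_BYTES)]),
        "renamed, same extension": build_message([("BirthdayInvite.xlsx", XLSX_BYTES)]),
        "renamed to hide the type": build_message([("holiday.jpg", XLSX_BYTES)]),
        "bulk send of small files": build_message([(f"note{i}.txt", b"hello") for i in range(4)]),
    }
    for label, message in cases.items():
        print(f"{label}: {evaluate(message)}")
```

The renamed-but-still-.xlsx case is the one from the examples earlier on this page: the file-name rule never fires, but the watched-file-type rule still copies the manager in. Renaming the extension itself defeats both of the listed rules, which is why the signature check is worth adding alongside them.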
(d) Dummy entries in database
Consider including several dummy entries in your sales database that can act as a red flag for data theft. These can be aliases (relatives or friends if you are a small business, trustworthy service providers if you are a large business) listed as “clients” with a postal address and email address. If any of these people receive a letter or email from a competitor, it is probable that your database has been compromised, and the letter or email will helpfully tell you who may have your database.
A key requirement is to have a compliant Workplace Surveillance Policy and evidence of it having been announced and promulgated. Without such a policy, any review of an employee’s email account and web usage during their employment is likely to result in any evidence obtained being inadmissible in Court, meaning the whole case could fall over.
However, once the alarm bells have started ringing, it is extremely important to act quickly and size up the issue, so as to reduce the risk of the data and documents being copied and distributed to multiple locations, platforms and persons. It is important to assess the following:
• Can we demonstrate that the employee had an obligation to protect the business data/documents? Keeping up-to-date contracts with express obligations to maintain confidentiality and to protect intellectual property and records is important.
• Do we have clear and convincing evidence that the employee has breached her/his obligations to the business in relation to the management and protection of the data? This is critical. We invariably recommend partnering with a forensic IT organisation to review your systems, scope the data/document transfer history, and pinpoint exactly where the data has gone and who moved it.
• Is the data business critical, and would its loss cause serious loss and damage to the business? The answer will determine how far the business ought to go in pursuing an Anton Piller order (essentially an order of the Supreme Court authorising a search of a residence or other specified premises) or an injunction preventing the employee or ex-employee from having any dealings with, or transferring, the data.
Nothing piques the attention of an ex-employee as to the seriousness of the situation more than a knock on their front door at 8:00am and being served with an Anton Piller search order authorising an immediate search of their house for electronic devices. Any suggestion that “there’s nothing you can do” is far from true. In a world where social and commercial interactions are increasingly digitally based, maintaining proper controls over your staff’s use of digital information can be critical to your competitive edge and brand protection.