To investigate and prevent data leaks, HR needs to be aware of technology and how it’s integrated in the work environment.
If employees are an organisation’s most valuable asset, the second most valuable might be data (it’s even more valuable than oil). That’s mostly because ‘data’ describes so much and is the foundation of knowledge. Client lists, product designs, personnel information – it’s all data. It’s increasingly precious and, terrifyingly, it’s never been easier to lose control of.
Humans are so seamlessly and comprehensively connected to one another through our devices that we rarely think about just how vulnerable that can make us. And the same goes for companies, but they need to start being more aware, because without the correct structures in place it can really hurt them.
Stan Gallo, a Partner at KPMG Forensic and former Queensland Detective, shares an example. Imagine an employee sends themselves a sensitive file so they can work on it at home. It’s too big for the company email so, without thinking twice, they use their private Dropbox account.
“If the appropriate data governance policies aren’t in place, then the organisation has no right to access those accounts without either the user’s permission or a legal order,” says Gallo.
“The permission may not be a problem if the user’s doing it with the right intention. But, if the user’s is taking intellectual property quite deliberately and they refuse permission, then, from an investigative point of view, you have no right to access that information.”
Accidents can happen
In 2014, a Federal government employee accidentally leaked the personal details of almost 10,000 asylum seekers. It did not go unnoticed by journalists.It wasn’t a politically motivated act, it was a simple error caused by a lack of understanding both of the application and the protocols for uploading documents securely.
Gallo explains that in such situations, when information contained in the electronic document is meant to be published publicly, organisations must be aware of the extended capability of applications. “These electronic files can contain embedded private and sensitive data within the document, including information which is supposed to remain confidential. This type of thing can happen when a user saves a file which has content derived from separately linked source data. The application asks whether you want to embed the data and if you click ‘yes’, rather than ‘no’ it is included, but not obviously visible. The issue is compounded when the file is uploaded in a non-secure format – if the file was secured it would not have included the embedded data.”
Those simple mistakes caused a media furore loud enough that the then Prime Minister, Tony Abbott, had to answer for it.
The whole thing could have been avoided with user training coupled with appropriate controls and protocols. To prevent such mistakes, and ensure they can be remedied quickly if they happen, Gallo recommends a few things:
- Adopt a privacy by design approach when thinking about the sensitivity of information and considering IT infrastructure including such approaches as ‘bring your own device’ to work (BYOD) policies.
- Consider the implications of the connectivity of personal devices and online storage facilities which can connect to the work network and applicable user access controls.
- Have rigorous governance, education, onboarding policies, procedures and user access controls for staff.
- Educate staff about the importance of not flippantly dealing with private and sensitive information, and personalise this lesson.
This last point can be powerful, says Gallo. “It helps people understand that the attitude and approach they adopt at work can be reflected at home. Get them to think, ‘If I compromise my PC or my phone, what does that mean for me and my family?’
“When people start to think, ‘This could affect me or my own personal information or bank accounts, or the safety of my children.’ That’s when they take notice and start to internalise it and say, ‘Okay, now I know that forcing me to change my password every six weeks is not just something that IT does because they’re a pain. I understand it, and I can, for example, explain to my children why I make them log on individually.”
Prevention is always better, and more cost-effective, than reacting to breaches.
Of course, training isn’t going to help you if someone wants to take company data for their own purposes. For example, sometimes disgruntled employees try to leave their organisations taking valuable intellectual property (IP) with them for use elsewhere.
“One example that was quite malicious, was at an organisation where HR had seized the laptop and the work phone of an employee. The employee had uploaded the data to Dropbox and it had synchronised across a number of their personal devices. There was a long, drawn-out legal battle to recover the data. And during that time, of course, the person could just copy it from their home PC to another drive, so controlling further distribution becomes a further comlication.”
In this example, the critical data was pursued and was subsequently identified on the server of a competitor, who stated that they were unaware of its presence.
“The competitor had to then consider their own environment, ‘Okay, now, we’ve got a situation here. This puts us at legal risk.’ They committed to deleting the data and did so, but their normal backup processes had already captured it, further complicating the issue.”
That means that technically the competitor could access that data whenever they want, and (the company that had its data stolen had to trust it wouldn’t). The competitor couldn’t just delete all their back up files, as backups are a critical part of information security. Ultimately an agreement was reached whereby should a restoration of data from backups be required, the organisation would not restore the offending data. And, over time, the data would wiped as newer backups overwrite older ones.
So what began as an employee letting data sync to his private devices became, in Gallo’s words, “a long-winded, expensive legal battle that also drew a second company into the mess.”
But what can you do to prevent a committed employee from purposefully taking data they shouldn’t?
It’s not simplistic and you need a structured approach, Gallo says. You can take precautions, such as carefully controlling access to internet-based and external storage devices. You can also embed stronger user access controls and activity monitoring. If that’s too onerous, you can proactively log questionable activity, so if someone accesses sensitive data, IT systems capture it and it can be checked to determine if it’s suspicious behaviour or not.
Another, more advanced method involves HR expertise. Generally, bad actors have some sort of grievance with the company, says Gallo. If it’s a senior employee with access to highly sensitive projects or IP, once they have signalled a desire to leave (or are being dismissed) it’s smart to start capturing forensic images of their devices.
“Often we see that their laptop or their phone is returned, the person walks out the door and the devices are wiped and then repurposed to a new employee. And then, a month later, you suspect that all this IP is gone, and the devices have already been wiped and repurposed so you then need to go back and try and recover deleted data to find out what’s happened. If the deleted data has been overwritten, recovery will not be possible.”
Cutting edge behavioural analytics can provide information about which employees are more likely to leave, and can also detect other unusual activity. When a staff member who usually logs on twice a day, has four hour sessions, and uses a gigabyte of data suddenly starts logging on more often, for longer, accessing valuable data they would not normally need and downloading high volumes – that should raise a red flag. Combine that with other information – for example, they’re on a performance improvement plan, are disengaged at work or actively conducting online searches around extraction of data assets – and you may have the hallmarks of someone with malicious intent.
There’s some other advice Gallo offers for those dealing with a malicious employee, or handling the devices seized from problem employees.
- Remember that some portable devices can be wiped remotely. You might have secured their work iPhone before they left, but if it’s connected to their Apple account (for example) they can still clear its contents before you can look at it.
- Get the right advice – data from a wiped phone may be recoverable from an automated backup on the user’s laptop.
- Consider proactive forensic preservation of devices of significant employees.
- When seizing work devices, do it immediately and do not allow the person to go through it and ‘remove personal files and photo’s etc’. Personal files can be returned to the user after preservation if agreed.
It all goes to show how almost every role is becoming a digital role. Data breaches occur as a combined result of both people and technology. As such, the security of private and sensitive data is best served through the collaboration of HR and IT. If they do so, they can not only help uncover data breaches, they can also come to a better understanding of how to prevent them.