Employee poaching: Taking control of data breaching

With fears of job uncertainty passing with the recession, employees are starting to gain confidence and are reassessing their career options. In addition to this, employers are on the lookout for top talent to aid their growth and market share, which is their main focus now that concerns over cash flow and survival are behind them.

Although the recovering economy is a positive sign, this also means that employees will be moving on to other companies. Businesses must be aware that when a member of staff leaves, there is always a risk that it will be more than just their physical presence leaving the company. It could be that important confidential data follows in their wake.

Inside knowledge

Without understanding the true implications of their actions, skilled employees who have been poached by rival firms can often take more than just their expertise to their new role. Looking to get a head start, employees on the move may also seek to make use of previous client relationships, inside knowledge, and confidential data, as well as try to convince previous colleagues to join them.

Technology makes this process much easier. In the ever-connected world we now live in, there are more routes to transport data and conspire with others. Bring-your-own-device (BYOD) policies and cloud-based computing are just some of the ways in which previous employees can both accidentally and purposefully share sensitive information.

Difficulties transpire in this area as there is no way in which a firm can control an employee’s social media or their private network of friends. What is clear, however, is that employees should not be sharing confidential content belonging to the firm. Even transferring data to cloud systems like Dropbox can muddy the waters if it is regularly used for genuine reasons relating to work.

There are a variety of steps an organisation can take in order to control this data breaching. This ranges from the implementation of certain technological measures to the introduction of various legal actions. These can be categorised into two distinct groups: steps to be taken as preventative measures before an employee is poached and those to be taken afterwards as responsive actions.

When it comes to proactive preventative measures, the first step firms can take is to closely monitor firewalls, proxy, and other network logs to identify unusual patterns of activity. These can often be a telltale sign of off-system communication.

This IT-based monitoring should also be extended to communications within the organisation. Although employees will rarely use their corporate email address for communications of this nature, it is certainly not unheard of. Any signs of unwanted communication with other organisations can easily be picked up, but firms should also be aware of their employees emailing certain documents to themselves.

Email is not the only communication medium that should be tracked. Instant messages, chat, and SMS messages could all equally contain sensitive information or data, and firms should try to keep a close eye on these platforms if they are able to.

Auditing actions

To gather this kind of information from their employees, organisations may also want to perform audits on individual machines. Not only does this allow firms to see what devices have been connected to the machine, but it also brings into play users’ internet activity. This can be very revealing, highlighting patterns of harmful behaviour, such as viewing the webpages of competitors or searching on job sites. Being able to identify which employees are most at risk of moving on can mean efforts to prevent data breaches can be focused, and HR can direct efforts towards keeping them on board.

Good information management is key, although it is often overlooked, as it can restrict and disrupt employees. The starting point is ensuring that confidential data is kept confidential and that only authorised people have access to it. Linked to this is the ability to audit actions, ensuring that all actions on a critical system (for example, customer relationship management) are logged and date/time stamped, so they can be tied to an individual.

Doing so allows an organisation to very quickly point the finger if information does go astray. Key functionalities such as ‘full export’ should also be strictly restricted, reducing the chances of a leak and the damage done if one does occur.

A key preventative measure that goes hand in hand with this is good IT security. This involves simple steps such as ensuring that there are no back doors into the network that employees can abuse, but can also stretch to a blanket ban on personal USB devices and web-based email and cloud services.

This range of monitoring, auditing, and security activities is crucial, and must be approached with caution and care. Organisations must respect the privacy rights of their employees and make efforts to ensure that they do not feel besieged. Making sure employees know their activities are being watched is often a good thing as it encourages professional practice, though too much and a toxic atmosphere can ensue.

Reactive action

When it comes to reactive actions following a data breach, a company should focus on the ‘ABC’ of successful investigation, namely:

• Act immediately and preserve any potential evidence;

• Bring in the experts; and

• Conduct a thorough analysis.

Step A means that any smartphones, tablets, or computers used by the individuals concerned should be taken out of circulation, not used at all, and have a forensic image of them taken as soon as possible.

This should also extend to network data associated with the user and the logs of key systems so that they can also be investigated. Failing to do so could compromise any subsequent investigation and restrict a firm’s ability to work out what information went missing, when, and at whose hands.

Step B suggests that professional forensic experts should be brought in to ensure that procedures are thorough and that the correct protocol is followed – which can make or break an investigation. Companies should also consider getting appropriate advice from specialist lawyers, who deal with such breaches on a daily basis and can provide expert advice on whether investigators or other professionals should be brought in.

Finally, Step C involves a thorough analysis of a wide variety of data. Internet artefacts, which can reveal the use of web-based emails, cloud services, and other forms of communication, should be the first port of call. Next, USBs and other external storage devices which have been connected to the system should have their contents – past and present – analysed where possible.

In addition, a picture of the files that have been downloaded on to such devices needs to be developed. Available log files should also be reviewed to analyse what the individuals did and when they did it. Finally, a more general search across the data should be conducted to identify any unusual activity that requires further examination.

By combining a comprehensive set of preventative measures with a quick and thorough response protocol, firms can go a long way to ensuring that they do not fall foul of damaging data breaches when people choose to move on.

If employees are poached by rivals, any attempts to share sensitive data can be spotted and prevented at an early stage with the right application of auditing, monitoring, and security processes. Should a breach be detected, swift and careful action must be taken, and, with the right application of the ABC of successful investigation, the damage done can be greatly reduced. SJ

Phil Beckett is a partner at Proven Legal Technologies