Rogue employees using photocopiers and email services to steal data

Forensic investigator Nick Klein says companies should hold on to employee data after they leave

Rogue staff members can use a mix of techniques to walk out the door with sensitive data, warns forensic investigator Nick Klein.

Klein, who runs Klein & Co and teaches forensic courses for SANS in Asia Pacific, spoke to Computerworld Australia during the RSA Asia Pacific & Japan conference in Singapore.

“The most common thing we find is that people aren't set up to deal with the issue of IP theft,” he said. “Even companies that have security programs in place are still not well prepared to deal with the issue of someone taking information from them.”

He added that most companies don’t find out they have lost data until the rogue staff member has left and gone to a rival firm.

Klein warned that rogue employees will do anything to get sensitive information ranging from photocopying documents to copying information into their Google Mail email account.

“It’s tricky because companies are using Gmail or other [cloud] email services as part of their normal business operations. It’s getting harder to investigate [IP theft] because people are sending all of these services out to the cloud,” he said.

“The question we ask people is: If you have Google Drive, what kind of backups do you have? Executives look at their IT guys and say, `We’ve got backups, right?’ And the IT guys will reply that they haven’t implemented that yet.”

Klein added that some people get “very sophisticated” and bring in their personal laptop with a separate disk so they can copy information. Others use encryption methods to try and avoid leaving a digital trail, which will lead back to them.

However, the risk from the rogue insider could be reduced if companies did more to stop the problem before it began, he said.

“One of the most obvious is to secure the data of employees when they leave. Every company has a process that they put a person through when they leave. They hand in their security access card, give back their laptop and do a final time sheet,” said Klein.

“Why not include in that check-list something that says [how do you] secure the person’s data [when he/she leaves]?”

For example, companies should make copies of ex-employees' PC data, email box, smartphone and shared network drive before this data is wiped.

“Hold on to the data because you might find that you never need it, and that’s great, or you might need to go back to it to see what conversations the ex-employee has had with clients,” he said.

For example, the company might find out that the person has gone to a competitor who is suddenly undercutting it on tender bids for projects. If they hold on to the ex-employee’s data, they can go back and find out who he or she was talking to.

“These are things that companies can do that don’t take a lot of effort or cost a lot of money,” added Klein.

Hamish Barwick travelled to RSA Conference APAC & Japan as a guest of RSA

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia