After almost 20 years of doing computer forensic investigations, and specializing in investigating data breaches and IP theft, I have realized a few things. Hackers are here to stay, and those employees you trust the most can hurt you the most.
Let’s start where most organizations are mistakenly focused: hackers.
Hackers are malicious, but most are only looking to steal usernames and passwords; some do try to steal personally identifiable information (PII) to sell, or to run some other type of scam with the stolen information. Rarely do hackers steal data to create a competing product or service.
Yes, hackers cause harm. They steal identities; people fall for their scams. Hacks have been a daily occurrence for some time now. Most firms spend a lot of time and money trying to prevent them and have a budget set aside for investigating them.
But when we look back, what is the real cost to the organization of a hack? Google “cost of a hack” and you will find countless examples of what it costs organizations. But the numbers are all different. The real answer is that nobody knows. Realistically, unless you are part of one of the largest breaches in the world, the cost of a hack does not create a very large dent in the organization’s profit and loss statement. The “official statement” says: sorry, we were hacked, change your passwords and move on.
The Departing Employee
This is my favorite person in the company. They are leaving for that new job. Why did they get that job? You guessed it, because of what they did at your company.
Organizations as a whole are still a trusting bunch. “Oh, my employees would not maliciously take information with them.” We hate to be the bearer of bad news – they will, and it is probably happening a lot more than you realize. In the thousands of cases we have done over the years, I can count on one hand the number of times during an investigation where we didn’t find the employee stealing intellectual property (IP) and taking it with them.
If the departing employee left to start their own competing business or, worse yet, went to your #1 competitor, more than likely they have taken some of your IP (think customer lists, pricing data, product development details, business planning details, to name a few) with them to help them hit the ground running. It is time to start an investigation to see what they took.
When do you pull in legal? It all depends on the organization and whether legal is in-house or not. But most pull in the legal team after it has been identified that IP may have been taken. Another key question when pulling in the legal team is to ask, “do you have an experienced legal team to help you during the investigation?”
The “experienced legal team” is a delicate subject, but it must be brought up. While the organization is going through the investigation, it cannot be stressed enough: make sure your legal counsel – both inside and outside counsel – understand the technology, the terminology and the forensics process.
Beware of what I refer to as the “Legal Tech Lawyer”. These are attorneys from firms that got their experience from attending a few conferences and listening to a few webinars, yet consider themselves experts in technology cases. In addition, beware of outside counsel that does not have any actual experience in conducting cases that involved computer forensics examinations in IP theft matters.
Having an experienced legal team, especially experienced outside counsel that understand the process and what forensics technology can and cannot do, will cost more per hour than an attorney that doesn’t, but in the end it will be worth it. Not understanding the life cycle of an investigation, the differences in terminology, the limitations of the technology, and what to ask for during the investigation will most likely cause the organization to incur additional downstream investigation fees because the investigation is not streamlined. Uneducated attorneys are less likely to ask pertinent questions, will have to do additional research to understand what they need to have done, may ask for things to be done that are not necessary, or may miss critical evidence that is germane to your case. All of this will likely result in increased legal fees.
Legal expenses tend to be a very large chunk of the total cost of an IP theft investigation. Choosing the right attorney(s) is critical not only to the success of your investigation, but also to keeping your costs from spiraling out of control, especially when you are going after a temporary restraining order (TRO) and requesting access to both their home and “new work” computers.
Your New Hire
Let us introduce you to your most expensive hire: the new employee that you just hired away from your #1 competitor. The employee who took IP from their previous employer, brought it with them, and is currently using that IP in their new job with you.
You didn’t ask them to steal IP from their previous employer, but they did. You hired them because of their experience and their past contacts and connections. They told you they can help you beat their former employer; what they didn’t tell you is that they are bringing data with them that will now be housed inside your walls.
This data now resides someplace on your network. It could be a little, it could be a lot. For example, maybe they took a PowerPoint presentation. They changed a few words and logos and now your next project is the exact same project they were working on at their previous company. They shared a copy with their boss. Their boss shared it with their boss who presented it at the national sales conference. You get the picture.
Now imagine this scenario. Their previous employer knows you have hired their employee and suspects that they have taken IP – lots of it. They hire a forensic company to look at the former employee’s work machine and they find IP was taken. They suspect you now have it. They want it back or eradicated and they want monetary damages.
The next thing you know, you are served with a TRO and a litigation hold. You are getting sued by your new hire’s former employer for theft of IP. You know nothing about this; you didn’t ask them to take it, but they did. Courts are starting to open the doors to allow forensic companies to investigate inside the “new company” to verify whether the previous company’s data is or is not inside the new company. The forensics investigation team has been allowed full access to email servers, network servers and storage, laptops and desktops, cell phones, tablets and cloud accounts that may have the stolen IP on them.
If that happens to you, more than likely your organization will be responsible for the cost of that investigation. If IP is found, the costs ramp up even further. The IP will have to be remediated, and most likely the courts could issue a pretty large judgment against you. We have had cases where the judgment in one IP theft alone was upwards of twenty million dollars ($20 million) that the “new company” had to pay the “former company” because the departed employee took IP with them and used it at the new company. While judgments of this amount are not common, they do happen. It is becoming more common to get judgments against the new company of a few million plus all third-party fees (legal, computer forensics, court costs, etc.).
What Can You Do To Be Proactive?
- Have an appropriate IT budget to spend on and implement monitoring solutions that watch how internal employees use the organization’s data. Whether it is device control, DLP solutions, or BYOD technology, having monitoring technology is a must these days.
- Have a current AUP (acceptable use policy) and any other corporate policies governing the use of corporate data. Nothing is more painful than learning that you allow employees to take whatever they want.
- Be consistent in enforcing those policies. Precedent is a big word in the legal community, and I have seen many cases lost on precedent.
- Ask the right questions of your legal team about their experience level in conducting forensics investigations.
- Get an experienced digital forensics team that understands IP theft considerations for departing and incoming employees.
How can you protect yourself?
There are economical ways to forensically determine what data and/or IP was taken from an organization or brought into an organization. An excellent program will:
- Have a well-defined AUP covering both incoming and outgoing IP.
- Consist of defined computer investigation service packages that identify and report on employee data activity.
- Be able to identify data that was taken from your network as well as brought into your network.
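The last point, identifying data that left the network with a departing employee and data that arrived with a new hire, is the part of such a program that can be automated as a first triage pass. The script below is an added example and is not code from this post or from Newberry Group: it runs over a constructed endpoint file-activity log and constructed document metadata, and every field name, destination label and threshold in it is an assumption chosen for illustration.

```python
"""Added example (not the post's or Newberry Group's code): first-pass triage of
constructed endpoint records for the two insider cases the post describes, a
departing employee copying data out and a new hire bringing data in. Log lines,
field names, destination labels and thresholds are all assumptions."""
from collections import Counter
from datetime import date, timedelta

# Constructed sample log; assumed columns: date,user,action,path,destination,size_mb
SAMPLE_LOG = """\
2024-03-01,jdoe,copy,/shares/sales/pipeline.xlsx,local,2
2024-03-02,jdoe,copy,/shares/sales/forecast.pptx,local,5
2024-03-25,jdoe,copy,/shares/sales/customer_list.xlsx,usb:E:,3
2024-03-25,jdoe,copy,/shares/sales/pricing_2024.xlsx,usb:E:,4
2024-03-25,jdoe,upload,/shares/product/roadmap.pptx,personal-cloud,12
2024-03-26,jdoe,copy,/shares/sales/contracts.zip,usb:E:,120
2024-03-26,jdoe,copy,/shares/sales/territory_plan.docx,usb:E:,1
2024-03-26,asmith,copy,/shares/hr/handbook.pdf,local,1
2024-03-27,asmith,copy,/shares/hr/handbook.pdf,usb:F:,1
"""

# Destinations that move data off the corporate network (assumed naming convention)
EXTERNAL_DEST_PREFIXES = ("usb:", "personal-cloud")


def parse_log(text):
    """Parse the CSV-style records into dicts with typed date and size fields."""
    events = []
    for line in text.strip().splitlines():
        day, user, action, path, dest, size_mb = line.split(",")
        events.append({"date": date.fromisoformat(day), "user": user, "action": action,
                       "path": path, "dest": dest, "size_mb": int(size_mb)})
    return events


def is_external(dest):
    return dest.startswith(EXTERNAL_DEST_PREFIXES)


def departing_employee_report(events, user, last_day, window_days=14, min_files=3):
    """Summarise a user's transfers to external destinations in the window before
    their last day and compare them with that user's earlier (baseline) activity.
    The user is flagged when the window holds at least `min_files` external
    transfers and more than the entire baseline period did."""
    window_start = last_day - timedelta(days=window_days)
    mine = [e for e in events if e["user"] == user and is_external(e["dest"])]
    in_window = [e for e in mine if window_start <= e["date"] <= last_day]
    baseline = [e for e in mine if e["date"] < window_start]
    return {
        "user": user,
        "window_transfers": len(in_window),
        "baseline_transfers": len(baseline),
        "window_mb": sum(e["size_mb"] for e in in_window),
        "destinations": sorted({e["dest"] for e in in_window}),
        "by_day": dict(Counter(e["date"].isoformat() for e in in_window)),
        "paths": [e["path"] for e in in_window],
        "flagged": len(in_window) >= min_files and len(in_window) > len(baseline),
    }


# Constructed document metadata for the incoming-employee check. The fields
# (path, author, company, created) are assumed to come from an office-document
# metadata extraction step that this example does not implement.
SAMPLE_NEW_HIRE_DOCS = [
    {"path": "/home/bwong/Documents/Q3_plan.pptx", "author": "bwong",
     "company": "Acme Corp", "created": date(2023, 11, 4)},
    {"path": "/home/bwong/Documents/onboarding.docx", "author": "hr-team",
     "company": "Our Org", "created": date(2024, 4, 2)},
    {"path": "/home/bwong/Documents/pricing_model.xlsx", "author": "bwong",
     "company": "Acme Corp", "created": date(2024, 1, 15)},
]


def incoming_employee_report(docs, our_company, start_date):
    """Flag documents on a new hire's machine whose embedded company field is not
    ours, or which were created before the hire's start date. Each hit is a lead
    for the forensic examiner to review, not proof that IP was brought in."""
    hits = []
    for d in docs:
        reasons = []
        if d["company"] != our_company:
            reasons.append("company:" + d["company"])
        if d["created"] < start_date:
            reasons.append("created_before_start")
        if reasons:
            hits.append({"path": d["path"], "reasons": reasons})
    return hits


def run_sample():
    """Run both checks over the constructed data; returns the three reports."""
    events = parse_log(SAMPLE_LOG)
    return (departing_employee_report(events, "jdoe", date(2024, 3, 29)),
            departing_employee_report(events, "asmith", date(2024, 3, 29)),
            incoming_employee_report(SAMPLE_NEW_HIRE_DOCS, "Our Org", date(2024, 4, 1)))


if __name__ == "__main__":
    for report in run_sample():
        print(report)
```

On the constructed data, jdoe is flagged because five transfers to USB and a personal cloud account (140 MB in total) land in the two weeks before the last day with no such transfers earlier, while asmith's single USB copy stays below the threshold; two of the new hire's documents are listed because their embedded company field names the previous employer and they predate the start date. The window, threshold and destination labels are deliberately simple assumptions; in a real program they come from the organization's own device-control or DLP tooling and AUP, and the output feeds a forensic examination rather than replacing it.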
Hackers are here to stay. Most companies are well prepared to defend against hacks and have budgeted for such an event.
Employees will also continue to take IP. It is not a question of if IP theft will happen; it is a matter of when, and at what cost to the organization. Most companies are not as well prepared to investigate theft of IP. Nor have they budgeted for what the potential investigation might cost them or what the effects of a theft might be – loss of revenue, loss of clients, loss of productivity, business interruption – the list goes on and on.
Does an investigation have to break the bank to learn what IP might have been taken? No, it does not. Investigations can be streamlined, simplified and cost effective if an organization has the proper team and services in place before an event kicks off.
As to the initial question that we started with, “The hacker, the departing employee, the new hire. Which one can cost you more?” Stay tuned to future posts to learn, but I can tell you, it isn’t the hacker.
Newberry Group has services that can support all of your needs in these areas. Our experienced team can conduct investigations that cover both the departing employee as well as the new hire for a fraction of the cost that you could incur should the examples above play out. Our Departing Employee Program is a fixed fee program that consists of defined computer investigation service packages that identify and report on employee data activity. The packages vary as to scope and cost in order to provide you with a level of assurance proportionate to the value of the employee and the access that the employee had to your IP.
Our Incoming Employee Package consists of two services. First, it verifies that policies and procedures are appropriate so new employees understand that under no circumstances should any IP from previous employers be brought with them. Second, at a predetermined time (usually 30-60 days after the employee’s start date), we will check the new hire’s drive for signs of external IP. If data is found, you can take immediate steps to remediate the data before any litigation commences.
For more information on these services as well as other forensic-related services we offer, please visit our website at www.newberrygroup.com or email us at email@example.com.
Next Blog: Newberry Group’s Departing Employee Program.