We are often approached by employers who have a feeling that a departing executive has been up to no good, but it is rare that they can say precisely what has gone on. Perhaps a major client decides not to renew a contract without any explanation, a junior team member resigns unexpectedly because he “just fancies a career break” or a competitor makes a change in tack which shows uncanny insight into your forward planning.
In all these situations, something just doesn’t smell quite right. On the face of it, there is nothing connecting the departing individual to any of the above and he (would you believe it) says it is all mere coincidence. So how can employers seek to bridge the gap between supposition and solid evidence in these situations?
The starting point has always been to dig around in the contents of the employee’s email account, work laptop, Blackberry or iPhone. But these days, sophisticated employees are generally alive to the fact that this is the first place an employer will look and so are cautious about the traces they leave on these accounts and devices. You may need to dig deeper and engaging a forensic IT specialist can be a necessary part of the evidence-gathering process.
Forensic IT specialists Control Risks talked to us recently about current trends in digital evidence and the steps that can be taken in their IT lab to piece together a picture of an employee’s wrongdoing. Here is a roundup of their top tips for digital evidence gathering:
- Think outside the box – occasionally, an employee will helpfully leave behind direct evidence of solicitation, etc. in an email, but rarely will you be so lucky. Even where there is no direct evidence of an employee’s breach, forensic evidence about an employee’s browsing timeline, keywords used in searches, pages they have viewed or printed, or Google map data, can help you piece together a chronology of their movements which can lead you in the direction of more solid evidence or at the very least enable strong inferences to be drawn about conduct.
- Look at all sources – even clever and cautious individuals can get careless or may simply be naïve about how closely you are watching them. The work email account might be squeaky clean but what are they saying in their Twitter feed? Who are they linking in to on LinkedIn? Perhaps they have been posting pictures on Instagram or Facebook with a great new restaurant they’ve been to – is that your client in the background? Is it near your competitor’s offices?
- Don’t forget about cloud activity – things started to get tricky when USB sticks meant employees no longer needed to take the risk of being seen walking out of the front door with large boxes of your confidential documents. One of our own staff was rumbled a number of years ago when, emboldened by his success in copying a substantial number of files undetected, he asked security to help load them into his car. Now, Google Drive, Drop Box, OneDrive, Flickr and other cloud platforms mean employees don’t even need to upload documents onto a USB or other plug-in device – it all happens on the cloud and this too is often something that forensic experts can trace.
- Keep everything intact – a cryptic email which appears irrelevant at the outset of an investigation may become a crucial piece of evidence once you build up a chronology and outline of events with which to give it context. Never discard anything which cannot be readily explained. When the employee’s laptop comes back clean as a whistle, check – when was it cleaned? Don’t just allocate it to another employee who may inadvertently destroy any possible evidence on it.
Above all, don’t be intimated by the complexity of the digital landscape. While poking about in it successfully may be beyond most ordinary mortals, it can be much more an open book for IT and forensic specialists. The range of communication platforms open to employees and the sheer volume of electronic data each of us generates in a single day can make the search for a smoking gun feel like a hunt for a needle in a haystack. But the upside to this is that there are now plenty of places to look for evidence of wrongdoing. Sometimes, drawing together fragments of evidence from multiple digital sources can draw the bigger picture into sharper focus, giving you the evidence you need to protect your business against unlawful conduct on an employee’s exit.
For more details about Control Risks’ forensic IT services please contact Gemma.O’Loghlen@ControlRisks.com