Investigating Employee Theft: Curiosity Kills the Evidence

Posted: 18-Nov-2015 03:00:00
Author: Jason Coyne


When a company director, manager or owner is informed that one of their staff may have stolen valuable company data, the first thing that often happens is that he or she bursts into IT and demands that laptops, email accounts, social media etc. are scoured to see what that employee has been up to.

If the correct steps are not observed, the process of securing company data, identifying the security breach and bringing the perpetrator to justice could get off to the worst possible start!

Forward-thinking organisations should already have evidence preserved in advance of a staff member leaving, but whether or not this is the case, the fundamental rule to be applied in these cases is no different from any other crime scene - KEEP OUT!

Employee theft

In the last 12 months, IT Group has seen a surge in instructions relating to ‘Employee Theft’ and it is clear that organisations are fearful about the potential theft of sensitive, intellectual property or similar critical data by employees.

This situation has been exacerbated by the use of mobile devices, and in this era of BYOD the efforts made by a company in caring for its financial and confidential information should be redoubled, yet seldom is this the case. A number of organisations are still only equipping themselves against the security threats posed by outsiders.

We are often instructed in cases where the employer suspects an individual of stealing confidential or sensitive information and documents including customer and prospect lists, trade secrets, financial trading information and employee records. It is often just before, or immediately after an individual has resigned or been made redundant. For some, the temptation to take assets from their current company proves too strong. 

There are numerous methods of transferring data by electronic means at the employee’s disposal and, with the advent of BYOD, it may be that the employee has not needed to use their own PC. Common methods include email (sometimes their own account used on their own device), various instant messenger products, social media sites and file uploads to the various cloud-based storage products.

Other obvious methods include physical media: copying onto a portable USB memory device, or theft of the actual backup media itself. These methods are relatively simple to monitor and yet rarely is this carried out adequately.

Typically, the motive behind data theft is the same - to gain an unfair competitive advantage in the setup of a new or competing business. For those individuals whose contracts have been terminated, it can often be a means of revenge against their employer. For some, however, it is simply a false sense of ownership (this is typical of those who hold senior positions and have access to ‘mission critical’ data or those who may have developed computer source code).

Investigating suspicions of employee theft

Employment tribunals are expensive and you don’t want to get this wrong. Courts are suitably picky and your opponent's expert will test that any evidence you present is forensically sound and will attempt to exploit any possible contamination.

If you suspect an employee of wrong-doing, your first instinct will be to fire up their laptop or computer and start poking around for evidence.

You might ask the trusty IT department to examine the laptop/computer and wade through emails and documents for evidence, and they may make attempts to recover any deleted material using publicly available software packages.

Stop! Step away from the computer.

Employees who steal data often leave behind a trail of digital evidence and you might not realise that by conducting your own investigation, you could be potentially ‘compromising’ the forensic trail.

If you have suspicions that an employee has stolen data, the first thing you need to do is call on the services of a forensic expert to preserve the evidence by obtaining a full forensic image. With a wealth of experience, knowledge and the appropriate forensic tools, IT Group is able to collect, analyse and preserve electronic evidence from a range of devices and we are regularly instructed in matters of IP theft and employee misconduct to assist in the identification and interpretation of digital evidence.

Combating employee theft

To successfully combat employee theft altogether, organisations need to create a rigorous anti-fraud culture and set out clear and direct policies that are consistently managed by HR and others.

All organisations should have standard policies in place for Computer Use and Electronic Communication, Bring Your Own Device (“BYOD”) and other computer related policies.

Organisations should also consider accreditation to one of the many security standards. IT Group is ISO9001 and ISO27001 Accredited meaning our management and quality systems are documented and our data security is managed to an internationally recognised standard.

However, policies alone can’t ensure that the appropriate controls are maintained. Training in basic data handling and security should be made available to all staff and regularly updated and should communicate to staff how to recognise warning signs in respect of employee theft/fraud, what to do if approached by a third party and how to report employee theft/fraud.

Blogs and Intranets should be used for topical reminders of the needs for security and the consequences when things are not done properly.

Preventative measures

For threats from outside, regular vulnerability scanning and occasional penetration testing are techniques to check the security of the perimeter but from the inside, this is of little use. It is often said that while preventing intruders getting in is important, it is even more important to prevent them getting out again. This is important for inside attacks as most data thefts are carried out by email or FTP transfer. USB sticks and portable drives are still used but they are easily traced with forensic tools to show when and where they were plugged in and of course, they are more visible.

Corporate edge protection devices can scan outbound email before it is sent to check for content and can be used to some extent to limit opportunities for data theft. A complete ban on any but the corporate email addresses helps to prevent data loss and, just as a beat policeman has the effect of reducing street crime, so high-visibility network scans and router logging analysis tend to reduce insider cyber threats from the use of Dropbox, Google Drive and Skype file transfers.
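
The outbound checks described above (mail sent to non-corporate addresses, uploads to cloud storage visible in proxy or router logs) can be expressed as log review logic. This is an added example, not IT Group's tooling: the log format, the `example.com` corporate domain, the 50 MiB daily threshold and the function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

CORPORATE_DOMAIN = "example.com"   # assumption: the organisation's mail domain
CLOUD_STORAGE = ("dropbox.com", "drive.google.com")  # services named in the article
DAILY_UPLOAD_LIMIT = 50 * 1024 * 1024  # assumption: review threshold, bytes per user per day

# Constructed sample data. Assumed format: date user channel destination bytes_out
SAMPLE_LOG = """\
2015-11-02 asmith web www.dropbox.com 73400320
2015-11-02 asmith web intranet.example.com 1024
2015-11-02 bjones mail carol@example.com 20480
2015-11-02 bjones mail bjones.home@mail.example.net 8388608
2015-11-03 asmith web drive.google.com 10485760
2015-11-03 truncated entry
"""

def host_matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one (not a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def review_egress(log_text):
    """Return (findings, skipped): items for review and the count of unparsable lines."""
    uploads = defaultdict(int)
    findings, skipped = [], 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1          # report gaps in the log rather than hiding them
            continue
        day, user, channel, dest = parts[:4]
        size = int(parts[4])
        if channel == "mail":
            # Any recipient outside the corporate domain is listed for review.
            if dest.rsplit("@", 1)[-1].lower() != CORPORATE_DOMAIN:
                findings.append((day, user, "external-mail", dest, size))
        elif channel == "web" and host_matches(dest, CLOUD_STORAGE):
            uploads[(day, user)] += size   # total per user per day
    for (day, user), total in sorted(uploads.items()):
        if total >= DAILY_UPLOAD_LIMIT:
            findings.append((day, user, "cloud-upload", "cloud storage", total))
    return findings, skipped

if __name__ == "__main__":
    results, bad_lines = review_egress(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("unparsable lines:", bad_lines)
```

The findings are a review list for a person to assess, and the count of unparsable lines is returned so that gaps in the log are visible to the reviewer.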

For more information about IT Group and our digital forensics service, contact us on 0845 226 0331 or email
