HOW TO DETECT DATA THEFT BY EMPLOYEES

04.03.2024

Data theft by employees is a serious threat to companies of all sizes and in all industries. We present our IT forensics service, which helps companies identify suspicious activity, collect evidence, and establish the facts of the case. Learn how to protect yourself from insider threats and what steps are needed to prove data theft by an employee.

Employee data theft is a serious accusation and should not be taken lightly. An initial suspicion often arises from unexpected customer inquiries: customers wonder where certain information came from or what certain requests are about. As a company, you should react calmly and take the appropriate steps. With the IT forensics service from Trufflepig Forensics, you can find out whether data has actually been stolen, which device was used, and to what extent.

Reasons for data theft

The theft of company data by employees can have a variety of motives:

  • Lack of appreciation and dissatisfaction: A common reason for data theft is a lack of recognition and appreciation on the part of the employer. Employees may feel that their achievements are not being properly recognized, leading to frustration and dissatisfaction.
  • Competitor offers: When employees receive offers from competing companies, they may be tempted to take sensitive company data with them in order to gain an advantage with their new employer. This can include information about customers, business strategies or other valuable data.
  • Client takeover: Employees who want to change jobs and take clients with them may be tempted to steal client data and information materials to facilitate the transition. This data can then be used by the new employer to strengthen the client relationship.
  • Alarms and monitoring systems: Companies often use security information and event management systems (SIEM) to detect suspicious activity. Alarms are triggered when an unusually large amount of data is downloaded or deleted, which can indicate possible data theft.
  • Ransomware attacks: In some cases, data theft can also occur in connection with ransomware attacks. An employee could delete data in order to blackmail the company or steal it in order to sell it later or use it with another employer.
  • Employee turnover: When employees leave the company, they may take with them data that they collected during their employment. This may include confidential business information or customer contact data.
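The alarm described in the "Alarms and monitoring systems" point above, an unusually large volume downloaded or deleted, can be reduced to a simple per-user volume rule. The following is an added example in Python, not code from the page or from Trufflepig Forensics: it sums the bytes each user reads or deletes per day and raises an alert when a day exceeds either an absolute limit or a multiple of that user's own median daily volume. The log format, user names, paths and both thresholds are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed file-server audit lines (format invented for this example):
# <ISO timestamp> <user> <action> <path> <bytes>
AUDIT_LOG = """\
2024-02-26T09:01:12 alice READ /share/sales/q4_forecast.xlsx 20480
2024-02-26T10:15:00 alice READ /share/sales/pricelist.pdf 102400
2024-02-26T11:30:00 bob READ /share/hr/handbook.pdf 51200
2024-02-26T12:00:00 carol READ /share/eng/readme.md 10240
2024-02-27T09:10:00 alice READ /share/sales/leads.csv 30720
2024-02-27T12:00:00 carol READ /share/eng/readme.md 10240
2024-02-27T14:00:00 bob READ /share/hr/handbook.pdf 51200
2024-02-28T08:45:00 alice READ /share/sales/q4_forecast.xlsx 20480
2024-02-28T16:00:00 bob DELETE /share/hr/old_policy.docx 8192
2024-02-29T07:55:00 alice READ /share/sales/customers_full_export.csv 734003200
2024-02-29T07:58:00 alice READ /share/sales/contracts_archive.zip 1258291200
2024-02-29T09:00:00 bob READ /share/hr/handbook.pdf 51200
2024-02-29T12:00:00 carol READ /share/eng/design_docs.zip 409600
"""

# Both thresholds are assumptions chosen for this example, not recommended values.
ABS_THRESHOLD = 500 * 1024 * 1024   # flag any user moving more than 500 MiB in one day
RATIO_THRESHOLD = 20.0               # ...or more than 20x their own median daily volume


def parse(log: str):
    """Yield (timestamp, user, action, path, size) for each audit line."""
    for line in log.splitlines():
        ts, user, action, path, size = line.split()
        yield datetime.fromisoformat(ts), user, action, path, int(size)


def daily_volume(log: str):
    """Bytes per (user, date), counting the two actions the text names: reads and deletes."""
    totals = defaultdict(int)
    for ts, user, action, _path, size in parse(log):
        if action in ("READ", "DELETE"):
            totals[(user, ts.date())] += size
    return totals


def find_alerts(log: str = AUDIT_LOG):
    """Return one alert per (user, day) that exceeds the absolute or the ratio threshold.

    The ratio baseline is the median of that user's *earlier* days only, so a
    single large day cannot inflate the baseline it is being compared against.
    """
    per_user = defaultdict(dict)
    for (user, day), size in daily_volume(log).items():
        per_user[user][day] = size

    alerts = []
    for user, days in per_user.items():
        for day in sorted(days):
            today = days[day]
            history = [v for d, v in days.items() if d < day]
            baseline = median(history) if history else None
            reason = None
            if today > ABS_THRESHOLD:
                reason = "absolute"
            elif baseline and today > RATIO_THRESHOLD * baseline:
                reason = "ratio"
            if reason:
                alerts.append({"user": user, "date": day.isoformat(), "bytes": today,
                               "baseline": baseline, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts():
        print(f"{alert['date']} {alert['user']}: {alert['bytes']} bytes "
              f"(baseline {alert['baseline']}, rule: {alert['reason']})")
```

On the sample data the rule fires twice: once on an absolute basis (a user exporting well over 500 MiB in one morning) and once on a ratio basis (a user whose volume is small in absolute terms but forty times their usual). Real deployments would read the log from the file server or SIEM and tune both thresholds per role, since a backup operator and a sales representative have very different normal volumes.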

How IT forensic experts proceed

A forensic investigation usually begins with an initial suspicion, which serves as the legitimate reason for the investigation. During the investigation, evidence is collected that provides insight into what actually happened. For example, it can be determined that a USB stick was connected to a computer at a certain point in time, which files on it were accessed, and which user was logged in at that time. Combining several data sources in this way makes it possible to build a consistent account whose strong correlations point to the activities of a particular user.

Trufflepig Forensics follows a careful process during forensic investigations that ensures compliance with the so-called “chain of custody” (chain of evidence). This process is crucial for proving and defending a complete, unbroken chain of custody of the evidence in court. The following steps provide an insight into the Trufflepig Forensics approach:

  1. Receiving the device to be examined: When a device to be examined arrives at Trufflepig Forensics, it is usually handed over by a courier or an insured shipping service. The device is accepted with a signature and confirmed by an authorized person who can later act as a witness in court.
  2. Forensic preservation of evidence: The device is then forensically secured. This includes removing the hard drive and connecting it to a so-called write blocker, a device that ensures that no write access to the drive is possible. This makes it possible to read the data without modifying it. Write blockers are also used by law enforcement and ensure the integrity of the data.
  3. Creating a forensic image: The experts at Trufflepig Forensics create a forensic image of the hard drive. During the copying process, a cryptographically secure checksum (hash) is created to ensure that the data remains unchanged during the copying process. This process is carefully documented, including the creation of photos and reports.
  4. Decrypting encrypted disks: In the event that the disk is encrypted, Trufflepig Forensics often works in conjunction with the company responsible for the encryption. This may involve using recovery keys or administrator passwords to decrypt the disk. Once the hard disk is unlocked, forensic analysis can be carried out.
  5. Forensic analysis: The actual forensic analysis is carried out in specially developed programs that work independently of the operating system. These programs are designed to search for specific information that is of interest in a structured way. The results are stored in databases and serve as a basis for further investigation.
    It is of the utmost importance that the forensic investigation is carried out carefully and objectively, without jumping to conclusions or prejudging. Trufflepig Forensics places the highest importance on the integrity and accuracy of the evidence collected, as well as on compliance with ethical and legal standards. This ensures that the results of the investigation are both fair and legally valid in court.
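Steps 2 and 3 above, reading the drive through a write blocker and hashing the image while it is copied, come down to a small amount of code. The following is an added example in Python, not Trufflepig Forensics' own tooling: it copies a source block by block, computes a SHA-256 digest of the bytes as they are read, writes a custody record, and shows that re-hashing the image detects even a single flipped byte. The "disk" is a constructed temporary file of random bytes, and the case label and examiner name are placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size keeps memory flat even on very large sources


def image_with_hash(source_path: str, image_path: str, algorithm: str = "sha256") -> str:
    """Copy the source to the image file block by block, hashing bytes as they are read.

    The digest describes the evidence stream at acquisition time; on a real
    acquisition the source would be the drive behind a write blocker.
    """
    h = hashlib.new(algorithm)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return h.hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash an existing file in chunks (used to re-verify an image later)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path: str, expected_digest: str, algorithm: str = "sha256") -> bool:
    """True if the image on disk still hashes to the digest recorded at acquisition."""
    return hmac.compare_digest(hash_file(image_path, algorithm), expected_digest)


def write_custody_record(record_path: str, source_label: str, image_path: str,
                         digest: str, algorithm: str, examiner: str) -> dict:
    """Append one JSON line recording who imaged what, when, and with which digest."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_label,
        "image": os.path.basename(image_path),
        algorithm: digest,
        "examiner": examiner,
    }
    with open(record_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Image a constructed 'disk', verify it, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence_disk.bin")      # stands in for the drive
        image = os.path.join(tmp, "evidence_disk.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))          # constructed sample content

        digest = image_with_hash(source, image)
        write_custody_record(os.path.join(tmp, "custody.jsonl"),
                             "laptop HDD, case PLACEHOLDER", image, digest,
                             "sha256", "examiner PLACEHOLDER")
        intact = verify_image(image, digest)

        # Flip one bit in the image: the recorded digest must no longer match.
        with open(image, "r+b") as f:
            f.seek(777)
            original = f.read(1)
            f.seek(777)
            f.write(bytes([original[0] ^ 0x01]))
        after_tamper = verify_image(image, digest)

        return {"digest": digest, "intact": intact, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(demo())
```

The digest is recorded together with who performed the acquisition and when; every later copy of the image is re-hashed against that value, which is what lets the chain of custody be defended in court.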
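The USB-stick scenario described before the steps, and the analysis in step 5, rest on correlating independent artefact sources by time. As an added example, not code from the page or from Trufflepig Forensics, the Python below pairs connect/disconnect and logon/logoff events into intervals and, for each USB connection window, reports which user session overlapped it and which files were opened from the mounted drive. All three event lists are constructed sample data; in a real case they would come from parsed system artefacts.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events (not real case data). Each list stands for one
# independent artefact source on the examined host.
USB_EVENTS = [  # (timestamp, action, device serial, mounted drive letter)
    ("2024-03-01 09:12:00", "connect", "SN-1234", "E:"),
    ("2024-03-01 09:40:00", "disconnect", "SN-1234", "E:"),
    ("2024-03-01 14:02:00", "connect", "SN-9999", "F:"),
    ("2024-03-01 14:05:00", "disconnect", "SN-9999", "F:"),
]
LOGON_EVENTS = [  # (timestamp, action, user name)
    ("2024-03-01 08:55:00", "logon", "alice"),
    ("2024-03-01 12:30:00", "logoff", "alice"),
    ("2024-03-01 13:50:00", "logon", "bob"),
    ("2024-03-01 17:00:00", "logoff", "bob"),
]
FILE_EVENTS = [  # (timestamp, path that was opened)
    ("2024-03-01 09:15:30", "E:\\customers\\contracts_2023.xlsx"),
    ("2024-03-01 09:16:10", "E:\\customers\\pricelist.pdf"),
    ("2024-03-01 11:00:00", "C:\\Users\\alice\\notes.txt"),
    ("2024-03-01 14:03:00", "F:\\photo.jpg"),
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def pair_intervals(events, start_action: str, end_action: str):
    """Turn start/end events into (start, end, key, extra) intervals keyed by the 3rd field.

    A start without a matching end stays open-ended (end = datetime.max) so that
    a device that was never cleanly unplugged is not dropped from the timeline.
    """
    open_starts: Dict[str, Tuple[datetime, tuple]] = {}
    intervals = []
    for row in sorted(events, key=lambda r: r[0]):
        ts, action, key, extra = parse_ts(row[0]), row[1], row[2], tuple(row[3:])
        if action == start_action:
            open_starts[key] = (ts, extra)
        elif action == end_action and key in open_starts:
            start, extra = open_starts.pop(key)
            intervals.append((start, ts, key, extra))
    for key, (start, extra) in open_starts.items():
        intervals.append((start, datetime.max, key, extra))
    return intervals


def correlate(usb_events=USB_EVENTS, logon_events=LOGON_EVENTS,
              file_events=FILE_EVENTS) -> List[dict]:
    """For each USB connection window: overlapping user sessions and files opened from that drive."""
    sessions = pair_intervals(logon_events, "logon", "logoff")
    findings = []
    for start, end, serial, extra in pair_intervals(usb_events, "connect", "disconnect"):
        drive = extra[0]
        users = sorted({user for s, e, user, _ in sessions if s <= end and e >= start})
        files = [path for ts, path in file_events
                 if start <= parse_ts(ts) <= end and path.upper().startswith(drive.upper())]
        findings.append({"device": serial, "drive": drive, "from": start, "to": end,
                         "logged_in_users": users, "files_accessed": files})
    return findings


if __name__ == "__main__":
    for f in correlate():
        print(f"{f['device']} as {f['drive']} {f['from']:%H:%M}-{f['to']:%H:%M}: "
              f"users={f['logged_in_users']} files={f['files_accessed']}")
```

The output ties each device to exactly the session and the file accesses that fall inside its connection window, which is the kind of multi-source correlation the text describes. Note that a window with two overlapping sessions is reported with both users rather than guessing, so the examiner, not the script, draws the conclusion.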

Preventing data theft

To make data theft more difficult and to avoid such a situation in the first place, Trufflepig Forensics recommends a number of measures and best practices:

  • Use of proxies and traffic filters: Companies can use proxy servers and traffic filters to ensure that no data flows to unauthorized cloud applications. This helps to control and monitor the flow of data.
  • Centralized data storage: Sensitive data should be stored centrally rather than on employees' end devices. This makes the data easier to manage and monitor and reduces the risk of data leaks.
  • Terminal servers and remote access: Employees can access centralized data via terminal servers without downloading it to their local devices. This minimizes the risk of data loss and makes it easier to control data access.
  • Thin clients and security systems: For particularly high security requirements, thin clients can be used that run only a small operating system, with the actual session running on a server. Access takes place over encrypted connections and often requires smart cards for authentication. Screens can also be protected against photographing of their content.
  • Logging and recording: To prove that data has been stolen, it is crucial to implement comprehensive logging and recording. Cloud service providers with strong logging can help detect and document suspicious activity.
  • Long-term data storage: It is advisable to retain logs and records long-term, ideally for at least a year or more. This makes it possible to trace activities and identify suspicious incidents even if they are only detected after some time.

Furthermore, forensic investigations help to uncover security gaps in the company and prevent future data theft. It is important that companies take proactive measures to strengthen their employees' trust, reduce dissatisfaction, and protect sensitive data appropriately in order to prevent data theft by employees.

Do you suspect that you have been the victim of data theft? Contact us today!