Data is becoming a highly valuable commodity. The publication of more than 250,000 leaked classified cables from US embassies around the world has caused a worldwide diplomatic crisis. Whilst this scenario is relatively rare, it is indicative of the growth in data theft cases around the world. Recent figures from the UK High Court show that the number of cases involving employees taking confidential data from the workplace has risen by 313 per cent in the last year alone.
The recession has meant employees are increasingly looking for ways to earn more money, or to take clients away and deal with them directly themselves. Given also the ever-increasing power of devices to store enormous amounts of data in smaller and more concealed designs, it is not surprising that we have seen a spike in cases before the courts.
For about £20, you can buy a USB stick which is about the same size as a cigarette lighter, and which probably has the memory to store an entire client database with pricing information, order dates, policy renewal timings, email addresses, and phone numbers, all nicely ordered and in searchable format. It takes only minutes to download this information onto the stick, which can then be hidden in a pocket and removed from the client’s premises without anyone knowing.
However, to do so would, of course, be illegal. What constitutes confidential information is a complex topic. Whilst information which can be readily found on the internet is obviously not confidential, lists of details of clients and suppliers, pricing structures, secret processes and so on are generally protected by law. Yet often it is far too late to worry about the legal niceties once the information has fallen into the wrong hands – the damage has all been done. Preventing this happening in the first place is clearly a priority for all businesses.
SMEs should consider conducting an assessment of who has access to what information. Usually, it is the more senior people who have access to the most damaging information, but that is not to say that much more junior or secretarial staff cannot also have access to information which could be very damaging indeed for an employer.
Other useful strategies open to SMEs involve disabling CD-ROM drives and only allowing authorised USB devices to be used in computers. It is possible to set computers to alert you if foreign devices are being used, so that people are unable to bring their own USB devices in and use them undetected.
Furthermore, checking an employee’s laptop or PC and mobile phones can be a useful way of detecting adverse activity once they have left. For example, have there been a number of telephone calls with clients which look suspicious? Perhaps there are clients your particular employee has not dealt with for some time and they are being systematically called to alert them to an impending move. Or can these calls be justifiably explained?
Businesses can also retrieve crucial data from an employee’s PC, such as when information has been downloaded. Establishing patterns can be very useful when building a case of breach of confidentiality or good faith, and they can often be difficult to explain away.
If in any doubt, it is usually worthwhile instructing a forensic expert to undertake an examination of any electronic devices. Information which may have been deleted can often be forensically recovered, and can prove crucial in establishing liability in any subsequent legal action. There is nothing more powerful than retrieving incriminating emails or documents containing candid discussions which the employee assumed had been erased forever when pressing the delete button. If in any doubt, it is usually best not to touch any equipment, for fear of interfering in the data recovery process, which might dilute the strength of any results.
This article was first published on www.smeweb.com