Right now, someone within your company may be accessing confidential corporate information either dishonestly or by accident.
In the news virtually every week, you read about large, well-known companies suffering from the loss of sensitive corporate information at the hands of employees. Given that Human Resource departments often hold the key to valuable corporate and employee information, the risk of data breaches presents unique challenges for HR.
Fortunately, through simple and effective internal threat management procedures, HR can help prevent employee information leaks from happening to their company. These procedures will protect employees' most confidential and valuable information from being exposed to unauthorized parties.
- Be aware of where critical employee information and corporate data are located and who has access to them.
- Develop an acceptable use policy for all employees that outlines appropriate use of corporate assets and employee information. The policy should also outline the company procedures when a violation takes place.
- Consistently enforce policies and procedures.
- Regularly review and revise existing policies to ensure all necessary policy changes and additions have been addressed.
- Ensure your company has an internal incident response plan and the appropriate resources in-house to handle an incident of employee information or corporate data loss or access by unauthorized employees or outsiders.
What Not to Do if a Data Breach Occurs
If the worst should happen and your company does experience a situation where sensitive data is leaked or lost, don't fall prey to common mistakes such as turning on an employee's computer to check around. Turning on the computer or any electronic device involved may destroy potential evidence.
Here are ten common ways a computer forensics investigation is compromised. Company employees:
- Boot up the computer. Turning on a computer that's relevant to a case can overwrite sensitive files that may be important to your company's case and change important time stamps. Compromised computers should not be used at all and should be stored in a secure location until they can be handed over to a computer forensics expert.
- Turn off a relevant computer. If a computer is running at the time it is discovered to be relevant to a data breach or investigation, it should be powered down in a way that will be least damaging to potential evidence. The only person who should turn off a suspected computer is a certified computer forensics expert, or an IT employee under the supervision of such an expert.
- Browse through the files on a computer. Resist the temptation to snoop, even with the best intentions. HR may know exactly where to look, but it's the act of looking that causes problems for retrieving untainted evidence. Browsing through files may cause file times to change, which may make it impossible to tell exactly when an important file was deleted or copied from your company's network.
- Fail to use a computer forensics expert. Your company's IT department is not a computer forensics department. In fact, asking the IT staff to conduct even routine checks into a system's files can destroy potential evidence. A professionally trained computer forensics expert should be retained for the handling of all sensitive data.
- Fail to involve all parties. In-house counsel, IT staff, and every business player involved with the case should be included when conducting electronic discovery. Failure to involve all parties can result in overlooked or lost data.
- Fail to learn the lingo. Even tech-savvy support professionals may become confused by the expanded vocabulary used by computer forensics experts. It pays to become familiar with the new language.
- Fail to make a forensic image of the computer(s) involved. Imaging is the process of creating a complete duplicate of a hard drive. It produces a complete and accurate copy of the original materials, with no risk of flawed or overlooked data.
- Copy data in "cut and paste" or "drag and drop" methods. It is true that you can buy an $80 external USB hard drive and copy your data to it. However, this process does not preserve the unallocated space (where deleted files reside) and will change the file times and other data on the files that have been copied out.
- Wait to preserve the evidence. The longer a computer is in operation without any preservation, the more likely it is that data relevant to your company's situation may be permanently altered or overwritten. Always preserve your electronic data the moment you believe that litigation is possible.
- Fail to maintain a proper Chain of Custody at the time of collection. Not documenting who had access to the electronic evidence after the alleged incident can lead to problems down the road. Opposing parties can poke holes in the collection and preservation process. They can argue that the data could have been altered on the device while the computer was not securely stored and unused.
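The "cut and paste" item above can be shown in a few lines. This is an added example, not part of the original article: it copies a constructed sample file by content only and reports what survived. Python's shutil.copyfile stands in for the drag-and-drop copy (an assumption; which timestamps a given file manager resets varies by operating system), and the file names are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copy(src, dst):
    """Copy src to dst by content only and report which properties survived."""
    original = os.stat(src)
    shutil.copyfile(src, dst)  # content-only copy, metadata is not carried over
    copied = os.stat(dst)
    src_hash = sha256_of(src)
    return {
        "sha256": src_hash,
        "content_identical": src_hash == sha256_of(dst),
        # Treat timestamps within two seconds as "preserved".
        "mtime_preserved": abs(original.st_mtime - copied.st_mtime) < 2,
        "original_mtime": time.ctime(original.st_mtime),
        "copy_mtime": time.ctime(copied.st_mtime),
    }


def demo():
    """Build a constructed sample file dated three years back and copy it."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "payroll_export.csv")  # hypothetical name
        with open(src, "w") as handle:
            handle.write("employee_id,salary\n1001,50000\n")  # constructed data
        three_years_ago = time.time() - 3 * 365 * 86400
        os.utime(src, (three_years_ago, three_years_ago))
        return compare_copy(src, os.path.join(workdir, "copy_of_export.csv"))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hashes match while the modification time does not, so the copy proves what the file contained but no longer shows when it was last changed. Recording the hash at collection time also gives the Chain of Custody log a value that later handlers can re-check.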