Connectivity sting: How social media and the cloud enable team defections
Julian Parker and Vijay Rathour explore how to tackle team defections organised in social media and the cloud
It is the stuff of nightmares. Your top dealmaker has just left and, with the rumour mill in overdrive, there are suggestions that the entire team is poised to beat their path to a new boutique practice, joined by a clutch of longstanding clients.
While the evidence may not yet be available, there may be good reasons to take action. With the legal aspects expertly covered, identifying the digital evidence available is where too many firms continue to go wrong.
Managing workplace defections in the social media age is an increasingly complex challenge. The proliferation of new technologies and services – which has seen the blurring of hitherto private and professional personas – means that social media platforms like LinkedIn, Twitter and Facebook have become part of our daily lives.
Overlay the emergence of cloud-based technologies – where data is kept somewhere in the ether (often by a third party) rather than on the firm’s own physical server – and it is clear that the challenge of securing the integrity of data becomes ever more complex. Against this backdrop, digital forensics has had to make significant advances.
People move between businesses: it’s a fact of life. In the current environment, it could also be argued that the interconnectivity of today’s workforce will naturally lead to an increase in mobility. As Generation Z, at the heart of the social media-connected world, make their way into the workplace, this trend is unlikely to come to an abrupt halt.
However, more communication means more information – good and bad. More information means more potential choices and comparisons with others about the workplace.
The explosion in social media and mobile communications has increased the threat to firm data, with such information often being used by ‘bad’ leavers. In reality, it is now far easier, in most firms, for an individual to steal data.
Cloud-based solutions such as Apple iCloud, Dropbox and Google Drive allow data to be invisibly whisked off work devices and synced with a personal computer at home or even within a competitor’s offices.
As a result, tracing anything as old-fashioned as a USB stick full of confidential documents often takes second place to discovering who was doing what, with whom, where and when.
Laptops and desktops remain key to investigators and often provide a rich source of evidence. In some cases, these may hold years of internet history, log files, cached and deleted information, alongside network activity.
While such information could provide valuable insight and evidence, cutting-edge technology is playing a greater role in retrieving data. Nowadays, long-deleted text messages, emails and files, and even the physical location of a portable device at specific points in time, can be laid bare.
However, mobile devices bring their own complications, as individuals may have both work-owned and private devices. The latter pose a particular challenge: they can only be interrogated with the backing of a court order or by mutual agreement, which is highly uncommon.
A further challenge has emerged in the guise of staff using their own smartphones and tablets in the workplace. Bring your own device (BYOD) policies have increasingly blurred the limits on what employees are allowed to do with work data that is hosted on their personal devices.
As a result, there is evidence to suggest that individuals are increasingly treating their employers’ data as theirs to use and abuse once it is on their personal devices.
Investigating defections
- Aim to catch a defector at an early stage to secure the strongest evidence
- Consider implementing proactive monitoring of internal and external networks
- Ensure individuals’ digital reach and the firm’s data landscape are fully understood
- Deal decisively with bad leavers to limit the fallout and reputational damage
- Monitor for any unusual behaviour, out-of-hours working or emailing of unknown email addresses
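The last point above can be checked against an outbound mail log. The following is an added example, not part of the original article: the log format, the firm.example domain, the working hours and the baseline cut-off are all assumptions, and the sample lines are constructed.

```python
from datetime import datetime

FIRM_DOMAIN = "firm.example"            # assumption: the firm's own mail domain
WORK_START, WORK_END = 8, 19            # assumption: 08:00-18:59, Monday to Friday
BASELINE_END = datetime(2024, 3, 8)     # earlier traffic only builds the baseline

# Constructed sample lines in an assumed "timestamp sender recipient" format,
# in chronological order.
SAMPLE_LOG = """\
2024-03-04T10:12:00 a.smith@firm.example client@acme.example
2024-03-05T11:30:00 a.smith@firm.example client@acme.example
2024-03-06T15:02:00 b.jones@firm.example counsel@lawco.example
2024-03-08T23:47:00 a.smith@firm.example asmith.home@webmail.example
2024-03-09T02:15:00 a.smith@firm.example client@acme.example
2024-03-11T09:05:00 b.jones@firm.example b.jones.personal@webmail.example
2024-03-11T21:40:00 b.jones@firm.example c.lee@firm.example
"""

def out_of_hours(ts):
    """True at weekends or outside the assumed working hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def review(log_text, baseline_end=BASELINE_END):
    """Return (timestamp, sender, recipient, reasons) for messages worth a human look."""
    known = set()      # (sender, recipient) pairs already seen
    flagged = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        stamp, sender, rcpt = line.lower().split()
        ts = datetime.fromisoformat(stamp.upper())
        pair = (sender, rcpt)
        if ts >= baseline_end and not rcpt.endswith("@" + FIRM_DOMAIN):
            reasons = []
            if pair not in known:
                reasons.append("new external recipient")
            if out_of_hours(ts):
                reasons.append("out of hours")
            if reasons:
                flagged.append((ts.isoformat(), sender, rcpt, reasons))
        known.add(pair)
    return flagged

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(*row, sep=" | ")
```

A flag here is a prompt for review, not proof of wrongdoing; the log shows that a message was sent, not what it contained.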
Reacting to threats
Most law firms’ awareness of and readiness for threats, in the case of data theft or staff poaching, are directly linked to actual experience of such an event. Where a firm has not suffered painful defections, it is common to find that data is poorly controlled.
This is especially true in smaller firms, where the IT function is limited or sometimes outsourced. Access to data is often not well controlled, logs are not always maintained and controls are sometimes not even activated. It is not uncommon to find that crucial logging, easily and readily available to the business from within its IT infrastructure, has simply never been activated.
Protection of data is always a compromise between practicality and a total lockdown. For example, the best way to prevent attacks on a network is to be offline – but doing so would be impractical for most businesses. Users need access to data and the ability to save, copy and take it away from the office, for perfectly legitimate reasons.
Therefore, decisions about how data is controlled need to balance the potential risks against the required usage.
There are some simple steps every business can take to minimise the risks to its data. Sensible security measures include the monitoring and control of data access. They can also include ‘locking down’ desktops and laptops by restricting how users can copy data from their PCs. A business may decide to have USB ports and CD/DVD services on their PCs blocked, to prevent copying.
However, simply locking down and monitoring systems through access controls and logging is not always the answer. The effectiveness of such measures should be assessed before they are implemented, so that potential weaknesses can be identified.
For example, a conventional log may prove that a firm laptop or desktop computer accessed a particular website, but not what was viewed. Or, it may show that a user accessed a particular client file, but not what was done with the information.
At the point at which security and defensive measures run out of useful and evidential information, computer forensics may be the only way to follow the data trail.
Investigating threats
Establishing proof of a wrongdoer’s actions can rapidly remove any doubt about their motivations and claims that they were acting innocently.
Often, defecting teams have been communicating with their new employer and each other well ahead of the move. These communications are typically accompanied by valuable electronic documents, trade secrets, contact and price lists and the stolen tools required to easily replicate and harm their ex-firm’s business.
Increasingly, even emails are becoming antiquated, with teams using filesharing tools like Dropbox and Google Drive to store firm documents, and Twitter and Facebook to plan their movements and defection.
This is where digital forensics comes into the picture. If a user can access the internet, copy files to the cloud or a memory stick, send webmail, burn DVDs or print documents, he leaves a forensic trail for investigators to follow.
Even highly computer-literate users have little idea of the digital traces their actions leave behind, especially when using mobile devices like BlackBerrys and iPads to transmit data and specialised encryption tools to attempt to cover their tracks.
Social media tools like Twitter and LinkedIn are becoming so ubiquitous in the office environment that their use can be taken for granted, even though they could be used as an illegitimate conduit for external communications and the transfer of data to competitors. A forensic review will enable the various points of weakness and vulnerability to be investigated, identifying telltale traces of a data or security breach.
If possible, this process should start before the individuals being investigated know they are under scrutiny. Catching a defector at an early stage often produces the best evidential results, as the individual may not yet be aware of what is about to unfold. In addition, investigators can also consider monitoring those who remain in place, which allows for a broader array of investigative tools to be used.
When faced with this situation, it is important to keep in mind that it is often the individuals who remain – but are planning to leave – that are the weakest link. A defensive and investigative strategy could, therefore, provide the time required to persuade them that they are better off remaining with the firm.
In a highly interconnected work environment, a strategy aimed at targeting just a single laptop or desktop used by a departing individual could leave the firm significantly exposed.
Investigations should ensure the individual’s digital reach is understood. By knowing where he can go electronically and how he gets there, a map of his potential sphere of digital activity can be created.
The investigation will also need to establish the firm’s data ‘landscape’, including where key data is held, how it can be accessed, any controls and what they record, in addition to how users communicate, both internally and externally.
By overlaying the subject’s sphere of digital activity with that of the firm, investigators will be in a much stronger position to find even the smallest evidential nugget or anomalies.
For example, in a recent investigation it became apparent that an individual leaving the firm was actively using a mobile phone for communicating details around the forthcoming defection.
However, the firm did not want to alert the member of staff by taking the mobile phone for analysis. Knowing that the phone was a key piece of evidence allowed the investigation to focus on where else data from the phone may be held.
In this specific case, a synchronised backup copy of data from the phone was located on a PC elsewhere, which subsequently produced copies of incriminating SMS messages.
As ever, humans, rather than technology, are typically the weakest link. Spotting changes in behaviour could, therefore, allow firms to take steps to prevent or limit the damage, or even work with defecting teams to win back their loyalty. Taking the right steps when a potential defection has been uncovered is crucial to a successful outcome.
Dealing effectively with bad leavers is key to limiting the potential fallout and longer-term reputational and commercial damage. However, in their quest to unearth evidence, many organisations fail to put in place a digital forensic strategy that can withstand scrutiny, both externally and internally.
The collective memory of the workforce has a significant effect on the thought processes of potential wrongdoers. The knowledge that an attempt to steal data or people from the business is met with a robust response, including often costly and painful litigation, most certainly helps to limit the occurrences of wrongdoing.
Protecting valuable information
- Strike the right balance between practicality and a total lockdown of systems
- Implement and enforce robust social media and IT policies
- Monitor and control access to data
- Review current usage of cloud-based solutions
- Ensure access rights are appropriate and mobile devices encrypted, particularly personally-owned devices
- Implement strong policies if individuals use both work-owned and private devices
Julian Parker is a managing director and Vijay Rathour is a vice president at digital risk management and investigations company Stroz Friedberg.