Newsletter Announcement

Welcome to the third edition of Investigation Insight. This expansion of the Cyber Crime & Computer Forensics News focuses on broader issues relating to investigations, including forensics, analysis and fraud. You won't want to miss "From the Investigator's Notebook," which highlights the importance of preventing employee data theft through the use of USB drives. We hope you enjoy the newsletter.

In This Issue:

	From the Investigator's Notebook: USB Drives – The Portal to Employee Theft
	News & Events

From the Investigator's Notebook: USB Drives – The Portal to Employee Theft

Each year, employees are responsible for billions of dollars in intellectual property theft. These thefts do not typically involve complex physical breaks-ins or electronic hack jobs. Rather, they are usually fairly simple and unsophisticated. The most common method for employee theft involves the use of a USB drive to remove proprietary information, such as customer lists and formulas. The USB drive can be inconspicuously removed from the premises and later used to start a competing business or make a profit through sale of the data to a competing company.

Companies can mitigate this risk by modifying existing policies and procedures concerning the use of USB drives or implementing new ones. While senior management is ultimately responsible for this decision, they may not have the technical background and experience to determine which options best suit their business needs. Accordingly, it may be beneficial for managers to consult with a computer forensic expert or a knowledgeable internal IT employee in order to make informed decisions. In many circumstances, companies prefer to consult with neutral, external computer forensic experts, given their experience in establishing policies in similar environments.

One option to prevent employee theft using USB drives, and perhaps the most secure method, is to install software that places locking mechanisms on company computers. Locking mechanisms restrict computer users from connecting USB devices to computers for download purposes. The inherent downside to locking mechanisms is that employees may need to remove data from their computers for a legitimate business reason, such as travel. Therefore, in crafting a policy that implements locking mechanisms, companies should consider allowing select users to retain downloading capabilities.

In the event that all or certain employees are allowed to download data onto a USB drive, it is absolutely critical that companies insist that the data be downloaded onto a USB drive that is either password protected or encrypted. This safeguards against data loss in the event that a USB drive containing valuable information somehow ends up in an outsider's hands. This measure does not, however, protect against malfeasance by the employee.

An emerging trend towards protecting business data that simultaneously allows business needs to be met is to give a "vanilla" laptop to employees who have a valid need to transport particular company data. A "vanilla" laptop is a baseline installation of the operating system with only the bare necessities. It is not part of the network and does not contain any custom applications. This type of machine contains just enough applications to create a Microsoft^® PowerPoint^® presentation or allow a user to work on a Microsoft^® Word file. It allows the business purpose to be met while minimizing the risk of company data misuse. To ensure adequate protection, however, a policy authorizing the use of "vanilla" laptops must also specify who has ability to authorize the use of such a machine. Additionally, the policy needs to state who is responsible for placing the data onto the laptops. Typically, IT personnel would be ideal for this responsibility.

A less restrictive option is to allow employees to download data onto USB drives but also install monitoring software that lets companies see what information was taken. Monitoring software works by enabling a server that houses company data to track user information whenever files are accessed on the server. The software then creates a log that details when, how and by which user the data was accessed. This audit trail may become invaluable in identifying and prosecuting thieves. While monitoring software does not necessarily prevent data theft, it may have some deterrent effect and will definitely aid in investigations.

A complete USB policy will not only include information concerning the use of USB drives but will also contain a procedure for responding to a data breach. In the event that data is stolen, it is essential that companies respond immediately by implementing pre-existing procedures to preserve evidence of the incident. A knowledgeable computer forensic expert can also assist companies in investigating data loss incidents in the event that data is stolen.

In conclusion, companies can mitigate the serious risk of employee theft by implementing or modifying their policies and procedures regarding data management as they pertain to USB devices. A proactive company will create policies to prevent data loss in addition to reactive policies.

Special thanks to Carlos Cordova, Kroll Ontrack Consultant, for his contribution in writing this article. Mr. Cordova specializes in computer forensic analysis and consulting and can be reached at ccordova@krollontrack.com for questions or comments.

Back To Top

News & Events

Enhanced E-Discovery Certification Course Propels Litigation Teams to New Heights
Given the current economic condition, corporate clients are being forced to cut back legal and IT budgets, while the threat of sanctions due to improper ESI handling continues to rise. Become e-discovery certified to prevent your firm or corporation from becoming the next headline. Kroll Ontrack's 2009 E-Discovery Certification Course is ideal for legal and technical professionals of all levels, especially in-house counsel, law firm attorneys, litigation support professionals, paralegals, IT staff, and members of the judiciary. Upon completion of this program, you will be able to make informed decisions regarding ESI, be prepared to negotiate at the meet and confer and understand the most current e-discovery law. For more information and to register for an upcoming course, visit www.krollontrack.com/certification-courses/.

Meet our representatives at the following events:

Visit www.krollontrack.com/upcoming-events/ for more information on these events and others.

Back To Top

We Request Your Input

This newsletter was written by Regina Jytyla and Joni Shogren, Kroll Ontrack staff attorneys, with assistance from Kelly Kubacki and Meridith Socha, Kroll Ontrack law clerks. We value your input and feedback! Please send your questions or comments to Ms. Shogren at jshogren@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.