It happens to us all. We thought things were going great, and then the unexpected. There’s someone else. I’m not happy anymore. I need something more, or our long-term plans are incompatible. Whatever the reason, critical and important employees leave organizations. When this happens, when we’ve exhausted our attempts at reconciliation, we need to make sure we put our organization first and protect our company’s interests going forward.

That’s what I want to talk about in this month’s Ethical Hacker. In many instances, the departure is amicable and aboveboard. In those cases, taking a few extra precautions costs very little and has no negative effect. In the other cases, where employees act in manners inconsistent with agreed upon policies and contracts, taking extra precautions can mean the difference between a minor inconvenience and a loss of significant intellectual property – and, possibly, a long-term financial impact.

I’ve had many clients call months after a departure asking what can be done. They have circumstantial evidence that their confidential data is being used by a competitor, and a former employee now works for that company. How can they determine if the data was stolen? At this point, the employee’s equipment has likely been redeployed within the organization and the forensic traces are quickly fading away. While we’ve had success in ferreting this out, it’s more difficult (and more expensive) and less effective (and less compelling) than if the analysis had been done at the time of the departure.

So, what can be done? Whether it’s an employee leaving with customer lists and contacts, or critical intellectual property and processes, today this information is stored electronically and can easily be walked out the door on a thumb drive or in an email, or, as is becoming more common, via Google Drive or Dropbox cloud storage.

Whatever tools are leveraged to exfiltrate data, the operation is most often performed with company-provided equipment. And that equipment stores a lot of forensic information about what the employee has been up to. Accessing network folders and files? Check. Connecting to Dropbox or Google Drive? Check. USB drive activity? Check. Accessing non-company webmail accounts? Check.

Making the analysis more compelling is that we can observe changes in behavior over the days and weeks preceding the departure. Were there new USB drives being used for the first time just days before? Was the computer used to browse network shares that weren’t normally accessed? Is new software installed or were attempts made to delete content? All of this information can be used to help management make decisions about legal action after an employee has left.

Even better, this type of analysis, if applied properly and in a timely manner, can prevent the loss in the first place. The mere fact that such a policy is in place, and that the equipment is being scanned upon departure for anomalous activity, can in and of itself have a preventative effect. Employees who know that employers are monitoring and reviewing their activity prior to departure may be more likely to act in an appropriate manner. A reminder during the exit interview, or even when notice is given, of company policy, and that equipment will be processed according to that policy, can go a long way toward preventing an honest employee from making a mistake, or a malicious employee from taking the next step.

Even so, some employees will continue to try to thwart the system and take valuable company property when they leave. When this happens, if you’ve taken the appropriate steps to preserve the evidence and analyze the systems, you will be in a position to move quickly and with authority. With the analysis already performed, you can act before the information is used, issue notice and hopefully prevent a competitor from taking advantage of your hard-earned and valuable property.

Finally, it doesn’t need to be expensive. A key employee leaving the organization is, in itself, an expensive event. But taking the proper precautions to assure that company property is protected doesn’t need to add significant cost. A few hours of forensics work can preserve the computer’s data, perform high-level analysis and provide a quick assessment as to whether a deeper dive is required. In many cases, that won’t be necessary, as the employee has done nothing to warrant it. But in those few instances where the evidence suggests that something nefarious may have occurred, the costs of further analysis are easily justified against the possible loss of critical data.

It’s better to know than not to know. And it’s better to know sooner rather than later. A quick, inexpensive review now can save months of heartache and lost revenue later.

About the author

Charlie Platt - iDiscovery Solutions

Charlie Platt - iDiscovery Solutions

Charlie Platt is an expert services affiliate at iDS and a Certified Ethical Hacker. He advises clients on data analytics, digital forensics and cybersecurity. If you have questions or would like to discuss how iDS can help with your cyberdefense, you can reach him at for a free consultation.

Leave a Comment