Your weak policies allow me to do my side job

Stealing company information for personal gain is a fraudulent activity, but the number of employees who understand that is remarkably small

I'm an IT fraud examiner for a large educational institution, and it was no shock to me to find company data scattered all over the place. Data was hiding in closets, under desks, and even within classroom areas.

There are lots of reasons to ensure control of company data, but there's one that keeps me especially busy. Weak or non-existent IT policies have enabled some employees to make personal gains from multiple employers simultaneously. These employees believe they can use their company's equipment and bandwidth to run their own businesses on the side. Talk about multitasking.

I began working on building policies and processes to detect fraud and prevent potential data loss. Some employees had been running their side businesses for quite some time and were even successful – until they got caught. For example, a tip came in from several employees that one of their coworkers had his own professional talent company and was actively recruiting from work for bands and singers to perform at local venues. The employee was using his official job title and work phone number on his electronic business cards, Web site, and e-mails while conducting his side business. In addition, he utilized the company banners and logos on his side business. All of this misrepresentation created a conflict of interest.

Our preliminary investigation consisted of utilizing forensic software and a data loss product to search for present and historical data related to the employee and the documents in question. Those preliminary results showed just how detailed the operation was; his work computer was being used for the creation of financial records, maintaining contact lists of past and present performers, and legal contracts used between all parties. We were also able to obtain e-mails and other documents that furthered our investigation. When questioned and shown snippets of the data collected, the employee admitted what he had done and provided additional details on his venture. The individual was subsequently terminated for cause and conflict of interest.

Prior to having data-loss tools available to investigate with, hunting down information was a time-consuming and cumbersome process. Interviews, luck, and knowing where to go were the keys to finding the valuable nuggets of data. Hunting for data was hard enough, but I had no way of reporting on what material was actually walking out the door, being used by competitors, or put up for resale. This problem became evident when we started to evaluate and implement data-loss tools into the environment.

Losing data and intellectual property is a real concern for all companies, and preventing that loss keeps me pretty busy. For instance, at my job, individuals who had access to personal information (phone numbers and home addresses) used in the recruitment process were downloading it to their desktops and then converting it into Excel documents. They would then resell the information to other agencies that obtain and resell information for sales leads. This is theft, in case you were wondering -- employees taking information the company paid for and making personal gains off that information are thieves. But it wasn't a total loss because the incident exposed the lack of a control around a business process. This problem was corrected and controls established to prevent a recurrence.

In the end, several people were genuinely surprised they got caught; several didn't understand what they were doing wrong. They had good jobs, enjoyed making the extra money, and felt it was not only worth it but owed to them by their employer. I've learned in my work that human nature is tough to change -- all I can do is deny the employee the opportunity by finding the weak or non-existent controls.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies