I'm an IT fraud examiner for a large educational institution, and it was no shock to me to find company data scattered all over the place. Data was hiding in closets, under desks, and even within classroom areas.
There are lots of reasons to ensure control of company data, but there's one that keeps me especially busy. Weak or non-existent IT policies have enabled some employees to make personal gains from multiple employers simultaneously. These employees believe they can use their company's equipment and bandwidth to run their own businesses on the side. Talk about multitasking.
I began working on building policies and processes to detect fraud and prevent potential data loss. Some employees had been running their side businesses for quite some time and were even successful – until they got caught. For example, a tip came in from several employees that one of their coworkers had his own professional talent company and was actively recruiting from work for bands and singers to perform at local venues. The employee was using his official job title and work phone number on his electronic business cards, Web site, and e-mails while conducting his side business. In addition, he utilized the company banners and logos on his side business. All of this misrepresentation created a conflict of interest.
Our preliminary investigation consisted of utilizing forensic software and a data loss product to search for present and historical data related to the employee and the documents in question. Those preliminary results showed just how detailed the operation was; his work computer was being used for the creation of financial records, maintaining contact lists of past and present performers, and legal contracts used between all parties. We were also able to obtain e-mails and other documents that furthered our investigation. When questioned and shown snippets of the data collected, the employee admitted what he had done and provided additional details on his venture. The individual was subsequently terminated for cause and conflict of interest.
Prior to having data-loss tools available to investigate with, hunting down information was a time-consuming and cumbersome process. Interviews, luck, and knowing where to go were the keys to finding the valuable nuggets of data. Hunting for data was hard enough, but I had no way of reporting on what material was actually walking out the door, being used by competitors, or put up for resale. This problem became evident when we started to evaluate and implement data-loss tools into the environment.