Digital Forensics: Insider Threats in the COVID-19 Age of Remote Work

2020 is now in our rearview. Nevertheless, we are still dealing with the repercussions wrought from the coronavirus pandemic. Over the past year, we have collectively witnessed novel challenges that affect our everyday lives, coinciding with impressive human ingenuity and feats of innovation.

The Work from Home Revolution

The pandemic response brought necessary barriers, while technologies involved in communications, collaboration, and remote worker support reduced obstacles. The confluence of COVID-19 precautions and technological advancements paved the way for the work from home revolution, and according to experts, this trend is not going away any time soon.

By the end of 2021, experts estimate 25 - 30% of the workforce will be working from home, up from only 3.6% prior to COVID-19. Managers and executives are less concerned about employee productivity. Statistics have demonstrated that thought workers are on average as productive, if not more so, than when required to work from an office. 

Although concerns about a distributed workforce’s productivity are lower than ever, this changing landscape elevates another concern to new heights, protecting corporate data. Accessing sensitive data while working from home and using personal devices creates ample opportunity to steal company data by intentionally or unintentionally transferring it to personal devices and accounts. According to Trend Micro, 39% of workers use personal devices to access corporate data. 

Regarding unintentional data theft, Dr. Linda Kaye, a cyberpsychology expert, explains, “The fact that so many remote workers use personal devices for accessing corporate data and services suggests that there may be a lack of awareness about the security risks associated with this.”

To put this in perspective, imagine an employee leaves a company for a competitor. They turn in their company-issued devices without any fuss. Months pass until they remember the sensitive company data they retained on their personal laptop computer. We would all like to think they would notify their former employer, but using that data to get ahead in their new position might be more temptation than they can bear. Their former employer is utterly unaware until suspicion arises when their competitor undercuts their blind bids and penetrates their customer base to an alarming degree.

Personal Devices in the Workplace

Expertly composed and enforced formal policies when employers allow employees to use their personal devices for work, or “Bring Your Own Device” (BYOD), is crucial when guarding against future litigation. Still, these policies can be more bark than bite if the evidence is not preserved contemporaneous to the departure of that employee.

As a preemptive measure, it is becoming increasingly common for an organization to work with digital forensic specialists to forensically image, or copy, the employee’s work and personal computer, phone, online accounts, and other electronically stored data. Employers who follow this methodology are prepared for potential future litigation and protected from spoliation claims. They are armed with a perfect snapshot in time of how the data existed when the employee left. 

The passage of time harms data. For example, let’s play out a common scenario. The computer used to steal data by a previous employee has been given to a new hire. Every moment that computer is in operation, it is overwriting unallocated space, often called deleted space, with new data, truly deleting the forensic artifacts and evidence of wrongdoing that lived there. Without this evidence, the chances of successful litigation are compromised.

Digital Forensics’ Role in Keeping Your Data Safe

With a team of digital forensic experts, Envista Forensics has been brought on multiple cases where an employee steals data by transferring files from a work Skype account to their personal Skype account. We’ve seen thousands of emails sent from work email accounts to secret personal email accounts, and on more than one occasion, we have discovered bad actors transferring sensitive company data to their children’s cell phones to obfuscate their activity. All of these methods are at the fingertips of a non-sophisticated technology user. A technocrat’s strategies to steal data can be highly complex and convoluted, limited only by ability, access, and imagination. 

In some cases, we have seen employees create backups of their entire computer in proprietary software formats so that data is virtually hidden from a non-forensic review. They subsequently delete the sensitive information from their machine, so it appears clean. The employee’s computer would not flag any concerns on the surface, and the employee could walk right out the door. The ability to create a backup like this is possible using any device, including a cell phone. 

However, that story can quickly change once the company starts seeing their customers being solicited and poached. The question is, what prevents employees from merely making a backup of their data, including emails, contacts, and confidential files, before turning the device over to the IT department? Unfortunately, the answer in almost every instance is nothing.   

It is exciting to see how well the world has collectively adapted to the precipitous rise in remote work due to the COVID-19 pandemic. Still, we must address these challenges head-on, and in an organization, this begins with protecting your data from every data theft vector, including the most prominent one, insider threats.