Protecting Business Value:
Investigating Workplace Misconduct
Businesses naturally place huge trust and confidence in their people, and in the vast majority of cases, that is rewarded with loyalty and integrity. But the impact of a rogue employee can be highly disruptive to business operations and can be disastrous to business value.
We’re not talking about the sort of low-level dishonesty and unprofessionalism that would typically be dealt with through summary dismissal, but rather activities that would constitute serious criminal offences – and risk punitive financial and reputational damage. For example, employees: submitting fraudulent invoices for personal gain; sabotaging business operations (e.g. hack-and-leak and leak-and-smear campaigns); stealing trade secrets and intellectual property; and being involved in bribery and corruption.
The technology that is driving digital transformation is also driving digital transgression: corrupt employees using sophisticated technical methods to achieve their malicious aims, including the use of ransomware, backdoors and keyloggers. With law enforcement under ever-increasing strain, businesses cannot rely on a criminal justice response to deal with such matters in a timely manner, and increasingly have to turn to the civil courts and private prosecutions.
Sadly, most businesses confront the challenge of how to manage serious incidents well after the event, immediately placing them at a disadvantage. What’s more, few businesses are aware of the range of digital forensics and other investigation tactics that can be deployed – including proactive measures – to identify, establish and evidence the nature and extent of employee wrongdoing.
Conducting a reasonable investigation where it is considered necessary and/or proportionate can also be a time-consuming and highly costly endeavour. Often HR personnel charged with investigating matters – though experienced in employment law and policy – have little investigative training and experience. This can result in a slow and inefficient investigation in which critical evidence is overlooked, leaving the employer open to challenges around the robustness of the process. Businesses also look to their internal IT departments to provide assistance during such incidents. However, as with their HR colleagues, IT professionals have limited – if any – investigative training, and their actions may unwittingly compromise the evidential integrity of the investigation.
It would be wrong to suggest you can stop all serious misconduct through taking a more proactive approach – but you can certainly look to minimise its occurrence and mitigate its effects by getting on the front foot.
Consider the support a specialist investigations and forensics team could offer. They could:
- Conduct a detailed threat and risk assessment to determine organisational vulnerabilities
- Recommend controls and measures to be implemented to: achieve effective and proportionate data monitoring and surveillance; rapidly investigate incidents of concern; and enhance overall digital forensic readiness
- Support the design of anonymous and confidential whistle-blower mechanisms, encouraging employees (and other stakeholders) to report genuine concerns regarding illegal, unethical or risky business practices
- Advise on the various policies and procedures that should be in place to utilise necessary and proportionate proactive investigation tactics (including employee integrity testing)
- Enable organisations to develop ‘playbook’ response plans to contain and respond to readily anticipated incidents.
If there is no appetite for investing in that level of preparedness, then organisations do have options when information suggests serious misconduct is on-going or has occurred – which we can usefully characterise as proactive and reactive.
Taking a proactive stance, that specialist team can:
- Preserve and rapidly triage company data to confirm or allay suspicions, mitigating costly legal fees
- Support legal teams to identify and close evidential gaps, and in drafting without notice applications for injunctive relief and ‘deliver up’ orders (e.g. company laptops, media storage, and mobile devices)
- Deploy necessary and proportionate covert investigation tactics to preserve evidence and investigate serious misconduct
And on the reactive front, that same team can:
- Review case material and design a bespoke digital forensic strategy to support investigative objectives
- Investigate company email servers, devices and other digital sources to identify evidential material and establish the facts
- Utilise advanced open source investigation tools and techniques to obtain evidence from social media and other online sources
- Recover deleted data and unlock encrypted files
- Conduct deep, technical investigations, including malware reverse engineering
- Advise on interview strategies and prepare interviewers
- Prepare reports to support the disciplinary and/or court process, including expert witness testimony
Words into action
Let me share three varied examples of what that specialist help looks like in real life.
An investigation into multiple incidents of confidential information being leaked. The information was being twisted in such a way as to have a seriously damaging effect on shareholder and investor confidence (i.e. a leak-and-smear campaign). We deployed one of our forensic investigators overseas to preserve digital evidence and ensure its safe return to the UK. We then conducted a deep technical investigation of a forensic image of a suspected employee’s device and established a timeline of user activity. Using proprietary tools and advanced forensic techniques, we were able to determine that there had been attempts to destroy a folder containing information that had been leaked. We were then able to provide evidence of this to our client’s legal counsel, and a foreign law enforcement agency.
An SME that had suspicions an employee was involved in fraudulent activity. We identified that our client had not implemented any controls to allow them to remotely investigate company data. We supported them in implementing these measures retrospectively, which allowed us to rapidly search business communications. This, together with open source investigation, enabled us to uncover a large-scale fraud – which was having a very serious impact on company finances. We then supported our client’s legal team in making a without notice application to the court to preserve digital evidence and confidential company information. We subsequently supported our client’s HR team in conducting the workplace investigation, resulting in the employee’s speedy dismissal.
We were called to the scene of a data breach by one of our corporate investigation partners. The breach had enabled the theft of circa £10m from a private business. Also in attendance was the cyber Incident Response team from one of the ‘Big 4’ accounting firms. Our forensic investigators took control of the scene and directed fast-track actions to preserve evidence and establish the facts. Using our proprietary Spektor imaging capability, we forensically imaged 22 PCs in less than 7 hours, enabling us to conduct a rapid evidential triage. This allowed us to determine that the breach had occurred as a result of an email-borne banking trojan. We were also able to establish that our client’s IT managed service provider had attempted to run anti-virus software after the event – in order to conceal the fact that they had neglected to install such protection prior to the breach. Our investigative partners were able to recover the stolen monies, and we were able to provide critical intelligence and evidence to the NCA’s National Cyber Crime Unit.
What all three cases had in common was the application of data forensic techniques honed in law enforcement to the corporate world – their sophistication and the skill of the CCL team ensured a positive outcome in each case, with great speed, efficiency and cost certainty. So there is truly expert help available – and it can make all the difference.