Tiny storage devices pose biggest data security risk

Companies need to be aware of how easily sensitive data can be stolen by employees wielding high-capacity USB devices, writes KARLIN LILLINGTON

THE BIGGEST risk to your company may be no larger than your thumb. With high-capacity storage devices such as USB thumb drives small enough to fit into the tiniest pocket, companies need to be aware of how easily sensitive company data can go walking, according to a leading Irish forensic investigator.

Recent data theft court cases, including the just-settled Green Isle Foods suit in which four employees were accused of removing sensitive data on a USB drive, underline how difficult it can be to know exactly where data is going, says Andy Harbison, director and IT forensic lead in accountancy firm Grant Thornton's forensic and investigative services unit.

Harbison says the most common method of removing company data - a practice he says is "rife" in Irish businesses - is by a USB "key" or "thumb" drive, or by similar small storage devices, including iPods.

The use of iPods and other MP3 music players - which are essentially portable hard drives - has become so common in data theft cases that the phenomenon is now referred to as "podding".

"We had one of those cases last year," says Harbison. "A bunch of stuff put on a [iPod] Nano."

He believes firms do not usually notice when data theft is taking place and, as it is easy to do, "could be more the norm than not". Data theft tends to be a white-collar, professional crime that takes place in standard situations. "There are particular times when people commit data theft, for example, when they are browned off at work, or when they are about to leave the company," Harbison says.

The stolen data is often used as the basis for a new job or company, or for the next project for the person or group stealing it.

For example, Harbison points to a case in Ireland where a software development consultancy stole the software it was working on for a client as the basis for a pitch for new clients.

Fortunately, the perpetrators e-mailed each other discussing their plans to steal the software, making it easy to convict them, he says.

In another case, a group of managers took sensitive intellectual property from a company for which they were working for a full six months before they planned to leave.

A common item to steal is client lists, in preparation for setting up a competing company.

Sometimes people take personal data on others, out of "prurient interest".

Thumb drives featured in several of these cases and are so common and cheap that they have become ubiquitous in offices, says Harbison. And while they are extremely useful, they are a nightmare for fraud investigators. "These things are an unqualified menace," argues Harbison. "They were only invented in 2000 or so, and at first only held eight megabytes of data. But now you can get them up to 256 gigabytes. You forget how much data can be stored on these things."

A single gigabyte is enough to hold the print equivalent of a 100m shelf of books, he notes.

Most companies lack policies for managing storage devices, according to Harbison, with only the largest companies generally having a comprehensive security approach to what employees can bring in, attach to work PCs, and carry out the door again.

Even digital cameras can be used for transferring files on to memory cards.

Webmail - which is effectively a storage medium on the internet directly connected to company PCs - is also a potential security hazard, and businesses need to weigh up the usefulness of having such accounts with the potential for abuse.

Harbison recently had a case where an employee was transferring sensitive private data from the company to her webmail account, but investigators were able to trace the activity from the cache (memory) of webpages left on her web browser.

If forensic investigators can get hold of the storage devices or computers used to commit fraud, it is not generally too difficult to compile enough evidence to convict the perpetrators, says Harbison.

Traces of information from the originating computer are transferred with files to thumb drives and other storage devices, and information is often left in browser caches.

It is also still extremely difficult to wipe the files from hard drives completely - even for the adept thief.

Forensic investigators can pull residual information from a drive even if it has been wiped half a dozen times.

The problem is catching the thieves in the first place, especially when they know what they are doing with computers.

"About half the cases I do are IT guys, because they have the keys to the kingdom," says Harbison. "They have the knowledge, the liberty, and the privilege to access data. A manager and [IT administrator] working together are the most damaging cases, as they can get access to just about everything. With the IT guy - give him admin privileges and the next thing, he's raiding the chief executive's e-mail."

He says it is best to have IT administrators "completely ignorant about everything else that is going on in a company", and to never allow a personal storage device on to a company network.

Harbison, who previously headed up the IT forensics units at Ernst & Young and Deloitte in Ireland, says he enjoys the challenge of unearthing evidence.

"It's a puzzle and a game," he says, adding that only one drive has totally defeated him, although a recent IT specialist in Cork almost got away too after he carefully destroyed evidence. A mix of circumstantial and primary evidence did him in, however.

About one-third of cases now display some attempt to destroy evidence. "It's because of bloody CSI on TV!" Harbison laments.

"It's become a major headache for us, because people expect a forensic investigation and know more about what we are able to do."