Tips to avoid IT and data fraud - Business Works
BW brief

Tips to avoid IT and data fraud

by David Kearns, MD, Expert Investigations

Businesses of any size and across any sector can be victims of employees stealing company data. Whether it is in relation to personal data or confidential business information, we undertake on average 30 cases a year in an attempt to help eradicate this serious and hugely damaging issue, says David Kearns, MD at Expert Investigations.

IT and data fraud can lead businesses to lose huge amounts of profits and even cause them to go out of business. Often, the 'insiders' are current or former employees who may forward data to an external person, take it to their next employer or even start their own business with this invaluable information, which in many cases can take years to gather.

Recently we undertook an investigation known as 'Operation Rubery'. An MD from an organisation in the engineering sector was suspected of stealing company data. We were called to find evidence of any unlawful activity. We spent a week investigating the case and were able to produce sufficient evidence for the client.

The operation involved covert observation and surveillance. As part of it, the MD in question was followed to an airport lounge, where he met with a senior employee from the competitor company to discuss their plans. Our people were able to record parts of the conversation covertly. In addition, both parties being watched were observed having a meeting with venture capitalists in a hotel. Our team followed them to the meeting place and again were able to record the conversation, which was later used as evidence provided to the client.

The MD was aiming to set up a competing company in conjunction with a senior employee from a current competitor. With the evidence we provided to the client, their solicitors were able to obtain an injunction against all parties and effectively stop the enterprise before it gained momentum.

In the UK, unlawfully obtaining or accessing personal data without the consent of the data controller is a criminal offence under section 55 of the Data Protection Act 1998. Sadly, this doesn't stop employees stealing data, even though the consequences are severe: it can lead to dismissal and, in some cases, prison sentences.

In another operation, a company from the commercial sector needed help to observe an employee suspected of stealing data and funds. Initially, the company had granted a budget and permission for the employee to access data for a project to establish a new sector of business under a new company name as a subsidiary.

As the project was underway, the company felt something wasn't right. We discovered that the employee planned to set up her own company and, in advance, stole the client lists and account details for her own use. By investigating her work computer system and obtaining a seizure order for her personal computer, iPad and mobile telephone, we discovered that not only was there stolen data, but the employee had diverted funds to herself from the budget that the company had given her. The evidence collated enabled the company to dismiss her and serve her with a court injunction. She was ordered to pay back all monies and very substantial compensation for the use of the stolen data.

Whether you are a small, medium or large business, you really need to be more vigilant and think about the impact of employees stealing your data for either personal or third-party use. We have seen a significant rise in the number of cases we investigate; however, simple measures can be put in place to reduce the chances of data theft arising. Here are some tips to help you:

  1. Initiate a Digital Forensic policy within the company to swiftly aid an investigation. It also acts as a deterrent as employees will know it exists.

  2. Restrict access to data, including remote access to the system. Not all employees need access to everything.

  3. Unless it is a requirement for work, prevent / disable write access to USB slots on all computers (including CD/DVD drives). Monitor the usage and dictate that only company-issued USB devices are to be used if they are needed at all.

  4. Use software / hardware protocols to restrict access to web-based e-mails and cloud storage facilities (other than those required for company use). Rigorously enforce password security.

  5. Initiate / enable system / security event recording on all systems and initiate random testing / checking of employee systems.

  6. Have a rigorous backup system that prevents an employee from deliberately wiping data.

All these measures should be recorded and mandated through employee handbooks and company policies to ensure that there is recourse to disciplinary action, if necessary.

It is important to stress that, whether you are a company that employs five members of staff or over a thousand, businesses in all sectors can be affected by IT and data fraud, which largely impacts on productivity and costs.

To assist the client with IT and data fraud, it is vital to carry out forensics on computer and digital systems, whether a computer, laptop, iPad, etc., as they hold so much data that could become an integral part of the investigation.

Often, clients will believe something is wrong, but are unaware of how to begin to compile compelling proof. That is where we can offer a higher level of expertise, ensuring evidence is lawfully gathered to provide a strong case.

For more information, please visit:
