HR professionals may need to work with digital forensic investigators to conduct internal investigations on employee digital activity. Before you begin your investigation, it is essential to ask yourself what you are trying to find out, the devices you must work with, and what time frames you suspect the theft took place to help investigators complete their work efficiently.
Additionally, digital forensic investigators recommend that you ensure you have the appropriate authority, check your organizational policies, determine compliance requirements, and review all relevant privacy laws and legislation before you begin your internal investigation. These considerations will help protect your findings during legal proceedings and ensure the success of your investigation.
Many workplace investigations involve digital devices and may require HR professionals to work with digital forensic investigators to find evidence of harassment claims, fraud, or the misuse of company assets.
These types of investigations can be complex, and there are a few key considerations to keep in mind when working with a digital forensics team to review an employee’s digital activities. Our advisors have summarized the steps you can take to ensure the investigation meets the requirements of your organization and to help the process go smoothly.
Digital forensic investigators ask clients four important questions before beginning an investigation to help complete the process efficiently. It is essential to keep these questions in mind to get the best results from an internal investigation:
Digital forensic investigators want to be as efficient as possible — and knowledge about the bigger picture can help them provide guidance and suggestions. Share as much information as possible about the situation to help investigators meet your objectives.
Keeping the story in mind will also help you to determine what systems, devices, and data you need to access for your investigation and identify any potential roadblocks in your path. For example, you must have authorized access to every system you want to examine — and if you don’t have the necessary authorization, a court order may be required to gain access.
Determine the information you need to know to help digital forensic investigators narrow the focus of the investigation. You might be trying to find out if an employee accessed valuable files, why a breach attempt succeeded, or identify the employee who shared intellectual property (IP) assets with a competitor — and determining what you need will contribute to the success of a digital forensic investigation.
Include your legal counsel in this step as they can provide guidance and may need to use the findings of the investigation in court proceedings.
Asking yourself this question will help digital forensic investigators identify the starting point for the examination — typically a system, a device such as a laptop or cellphone, cloud storage locations, or even internet-connected devices.
Identifying potential sources of information, the amount of data in scope, and who is involved will enable digital forensic investigators to simplify the approach and take the most direct route to obtain results. Are the systems and data sources owned by the organization or does the organization operate in a bring-your-own-device (BYOD) environment where systems and data sources are owned by the employee? This will be a significant factor to consider.
A timeline will help digital forensic investigators focus the examination to provide timely results for your organization. First, consider when the event or incident occurred and whether the investigation can be narrowed down to a point in time such as an hour, day, week, or month.
The next step is to determine when you need to receive the results of the investigation. For example, you may have a set court date, or your company may need to have measures in place before a compliance deadline. Informing your digital forensics team about your timelines can help prioritize investigative activities and ensure you receive the results you need on time.
Organizational policies, compliance requirements, and privacy laws will all influence your investigation into an employee’s digital activities and can have severe consequences if they are not followed appropriately.
HR professionals should keep these four considerations in mind before beginning an investigation:
Ensure you have a formal written request signed by management before you begin your investigation. This request should outline the scope of the investigation and grant you the appropriate authority to proceed.
Again, consider involving your legal department from the outset, as the investigation may lead to legal proceedings where you will have to prove each step you took during the investigation and defend the integrity of your findings.
Review your organizational policies for any information related to activity monitoring or reviews. Next, take the steps to confirm employees — specifically those within the scope of your investigation — are aware of these policies, have completed training, and signed off on compliance.
Your company’s security department may have a list of employees who have completed awareness training. Additionally, you may already have a list of employees who have completed training and signed off on compliance within your HR records.
Asking yourself this question will help digital forensic investigators identify the starting point for the examination — typically a system, a device such as a laptop or cellphone, cloud storage locations, or even internet-connected devices.
Identifying potential sources of information, the amount of data in scope, and who is involved will enable digital forensic investigators to simplify the approach and take the most direct route to obtain results. Are the systems and data sources owned by the organization or does the organization operate in a bring-your-own-device (BYOD) environment where systems and data sources are owned by the employee? This will be a significant factor to consider.
A timeline will help digital forensic investigators focus the examination to provide timely results for your organization. First, consider when the event or incident occurred and whether the investigation can be narrowed down to a point in time such as an hour, day, week, or month.
The next step is to determine when you need to receive the results of the investigation. For example, you may have a set court date, or your company may need to have measures in place before a compliance deadline. Informing your digital forensics team about your timelines can help prioritize investigative activities and ensure you receive the results you need on time.
It is essential to ask the right questions to help you identify which partner is the best fit for your organization.
These five high-level questions can help you filter through prospective partners to gauge their level of experience and determine if they are the right fit for your specific needs:
Leveraging the experience your partner has gained from working with similar organizations will ensure you find a solution that aligns with your business goals. The right partner will recommend technology solutions that solve your business problem and meet your needs both now and in the future — enabling your organization to grow and thrive.
Our team of dedicated professionals can help you determine which options are best for you and how adopting these kinds of solutions could transform the way your organization works. For more information, and for extra support along the way, contact our team.