Please ensure Javascript is enabled for purposes of website accessibility

Report an Incident: 844.TRICORPS (844-874-2677)

Combating the Internal Threat: Using IT Auditing and Online Surveillance to Fight Data Theft

Organizations spend a fortune purchasing the latest cybersecurity firewalls and intrusion detection systems to protect against external threat actors. Yet, they often neglect one of the greatest threats to their own data: employees.

A survey by Biscom highlighted the danger of employee data exfiltration. The survey found:

  • More than 1 in 4 respondents say they took data when leaving a company.
  • 15% of respondents were more likely to take company data if they felt forced out of their job (fired, laid off) rather than leaving on their own.
  • 85% took material they had a hand in creating, and didn’t feel it was wrong.
  •  25% took data they did not create.
  • 95% of respondents felt it was possible to take data either because their company did not have policies or technology safeguards against data stealing, or if they did, they simply ignored them.
  • Most respondents believed they were not doing anything wrong.

Data (file) sharing through technologies like Dropbox, Google Drive, and even USB thumb drive and email, which make it simple to get data out of the company, impact an employee’s decision to take data. If there is no monitoring or control over these avenues of transmission, it becomes a temptation. Similarly, where employees know data policies are strictly enforced and monitored, theft becomes less common in normal circumstances.

So, how do you prevent insecure or covert data transfer?

Most computers run on operating systems that offer good visibility into where your data is going through audit logs. This allows for some visibility into what employees have been doing with the organization’s data. Yet, sadly, many of these features are not turned on by default.

Every organization needs to come up with its own policies about monitoring employees and systems. Many organizations rely on a “culture of trust.” Yet, as studies show, if there is an opportunity to misuse data for personal gain, often it will be seized. Success can be found with the right balance between employee autonomy and data protection. Every organization needs to define two levels of system auditing: Basic Auditing and Surveillance and Enhanced Auditing and Surveillance.



Basic auditing involves enabling the tracking of data entering and leaving your systems and how users manipulate this data. For enterprises that issue company-owned computers, it’s usually possible to set up auditing policies centrally, thereby affecting users as they log in based on defined “groups.”

For smaller companies where central management isn’t applied, it is possible to set these policies up on each individual laptop or computer, as long as the primary user doesn’t have administrative privileges.

Some of the main ways employees remove company data include:

  • USB flash drives or other removable storage
  • Email (usually to personal accounts)
  • File sharing services (Dropbox, OneDrive, iCloud, etc.)
  • Printing out key data (usually financial reports)
  • Getting complete copies of software source code from online repositories (e.g. GitHub, BitBucket)
  • Accessing personal and third-party email accounts through web browsers (e.g. Gmail, GoDaddy, etc.).

Most employees have a need to deal with some level of sensitive company data. So, the mere presence of such files on their machines is not necessarily cause for concern. What is important is whether an employee’s pattern of data access is commensurate with his/her job duties. Use of appropriate audit logging provides an indelible record of this person’s activity. This can be periodically reviewed to detect unusual activity or misdeeds.

Some basic information should be collected on all employees. At the very least, one should audit the most likely methods for getting information out of the organization, including the following:

  • USB and removable storage activity, including the names of files read and written
  • Files accessed from shared network repositories (such as shared drives) which may contain sensitive data
  • Email logs containing the sender, recipients, and the names of attachments within the email
  • Browser activity, including the URLs of sites visited
  • Recently printed documents.

In most cases, these will simply gather in the auto repository. However, upon review, these logs can identify employees that have:

  • Put unusually large amounts of storage on removable drives
  • Access to data that has nothing to do with their jobs
  • Downloaded large amounts of data from corporate shared drives
  • Sent large numbers of attachments to outside email addresses.

These behaviors may flag an employee for closer attention. Organizations should have a higher level of monitoring for staff that are:

  • Accessing, storing, and transferring large amounts of company data
  • Routinely accessing sensitive documents and databases outside their area of work
  • Accessing sensitive documents outside of work hours or remotely
  • Telegraphing a strong dissatisfaction with the organization or colleagues
  • Likely facing removal from their assignments.



When someone exhibits the above characteristics, it may be wise to apply a higher level of auditing to:

  • Better determine what data is being accessed, stored, and/or transmitted by the individual to better assess the organization’s exposure
  • Generate additional forensic evidence, in case any legal proceedings are needed.

Additional auditing that can generate a more detailed forensics log are:

  • All files accessed by the individual
  • All applications used by the individual
  • Activity by time of day
  • What files have been attached to outgoing emails and opened via incoming emails
  • All email messages sent and received (detailed mode)
  • SaaS apps (GitHub, Company Dropbox, CRM systems) to track access to customers, sales records, and software source code.

These logs can provide insight into a person’s activities and may offer proof as to whether an individual is stealing company data, how this data was taken from the company, and where this data was transferred to.

In most systems, few audit features are turned on by default. Usually, an administrator needs to explicitly enable many types of audit logs, since he also need to find space to store them. Most software manufacturers minimize the amount of audit information collected by default to avoid claims of privacy invasion by individuals; yet when their software is used in a corporate environment, on a company computer, there is generally no expectations of privacy.

Company policy should dictate when increased surveillance is needed. It should also be clear if an employee is allowed to take any data for his own reference when exiting the organization. By having these policies explicitly outlined, individuals will be aware that monitoring for data theft is standard and that it is not a matter of personal interpretation whether certain types of data can be removed from the organization’s network.



When an employee or contractor separates from the company, his/her company issued computer and devices should be immediately collected and sequestered until a forensic examination can be performed.

A forensic examination of the computer will be able to access all detailed logs and analyze what, if any, files have been accessed or deleted in the days prior to separation. This can serve as proof of any wrongdoing, should the company need to seek damages or injunctions.

Separation agreements should include very explicit verbiage that the individual is to retain no record of company data and to certify that no unauthorized transmission of company data has occurred.

Subsequently, the computer should go through forensic analysis. At minimum, the device(s) should be sealed in a tamperproof bag with multiple witnesses indicating the date and time it was collected and sealed. The computer should then be given to a forensics team to make a copy of the device’s storage media.

Once a copy has been created, the forensic researcher can search the audit logs, disk data (including deleted files), and other data sources (such as email repositories) to search for any unauthorized removal or sharing of confidential organizational data and generate a report of any findings. The organization can then compare the findings to the stated policies and determine if any punitive or legal measures are required.

Typical actions based on the review of the forensic report range from:

  •  Nothing
  • A strongly worded letter to the individual that they have agreed that no company data is missing and that this data must be immediately destroyed if any remains in his/her possession
  • Injunctions against any third parties having received the sensitive data from the individual
  • Legal action against the individual and/or those he/she has colluded with to steal the data.

If legal action is decided upon, proper auditing and forensic imaging of the device is critical, because it will be useful or necessary in court. Having a third party perform the forensics is also beneficial because it eliminates any claims the organization’s employees had motive and opportunity to destroy or “plant” data on the storage devices and were attempting to “set up” the offending party.

At TriCorps, we are able to help you analyze your system configurations to ensure proper audit trails are in place to support any future forensics work. We are also available to perform analysis and forensics services for clients as needed. Our experienced team of cybersecurity experts and technologists are here to keep your information safe, so you can mature and thrive.