Opinion

Gartner: Investigations must be done carefully and correctly

Human activity is becoming increasingly virtualised. With routine communications and daily activities starting on workstations and taking place across enterprise networks and the internet, it is only to be expected that this is accompanied by a commensurate rise in the levels of undesirable digital activity in the workplace, writes Jay Heiser, research vice-president, Gartner.

Two trends are also creating an environment in which there is a greater level of data leakage and theft, as well as other forms of illegal, hostile or unacceptable activity. Firstly, alluring, yet dangerous, new internet sites are attracting surfers to hidden internet hazards of increasingly sophisticated malware. Secondly, employees are bringing more consumer-grade hardware and software into the workplace, leaking data out of the enterprise and reducing IT's ability to control user activity.

A few UK businesses have prepared themselves for these challenges by implementing digital analysis capabilities. They are equipping highly skilled staff with sophisticated digital forensic tools to capture data in a legally defensible way, and thoroughly dissect it, providing detailed chronological pictures of the activities of employees or intruders. This is obviously a delicate task, and not one that should be undertaken lightly. Clumsy or overenthusiastic investigators applying powerful forensic tools can inadvertently "taint" the evidence so it is no longer legally admissible in court. Even worse, they may damage the evidence, or draw false conclusions. Proper investigative protocol is not just a technical exercise. Experienced investigators are guided by careful attention to ethics and the law, the latter of which is especially challenging for organisations that work across multiple jurisdictions.

Organisations that are not prepared for forensic investigation have only three choices: train and equip an internal capability, hire outsiders, or simply not conduct any investigations. Complacency is becoming increasingly unacceptable, but unfortunately the supply of skilled investigators does not currently meet demand, which means consultants are expensive and not always available when needed. A growing number of companies, especially those that are highly regulated or deal with large amounts of proprietary information, have committed to building up their own internal forensic investigative capability.

Most organisations will be partially or fully dependent on outsiders to conduct their investigations, which will reduce their flexibility to conduct timely investigations - especially those of incidents in process. However, any organisation has the ability to perform a basic level of evidence collection in a legal and defensible way by turning off a system, locking it away without logging into it or unscrewing the cover, and leaving the computer intact until a qualified investigator can complete the investigation. Carefully documented, this preserves a chain of evidence.


This was first published in April 2010

 
