Employee Investigation

Employee Investigations 101

By Dr. Christine Izuakor

Every visionary business wants to onboard the best of the best when it comes to talent. When hiring, companies look for hardworking, trustworthy individuals that they can rely on to propel the business forward. Similarly, people don’t typically hire people thinking they might start stealing money or misusing information and resources. Unfortunately, this happens quite regularly.

The term Insider Threat is a common part of business vocabulary these days and, when you do find that you may have an Insider Threat within your organization, it may prompt the need to launch an employee investigation. These investigations have proven to be a time consuming and challenging process for many companies. Here’s an introduction to the concept of employee investigations along with answers to commonly asked questions.

What is an employee investigation?

An employee investigation is a process for gathering, analyzing, and reporting on evidence regarding an Insider Threat within an organization. There are various levels and scopes of investigation. For example, some investigations may be strictly internal, whereas some may require external involvement from law enforcement agencies or regulatory entities. While some investigations may be left to the discretion of the company, regulations like Sarbanes-Oxley, for example, can also mandate investigations. For many companies, they are no longer become an optional step – they become an obligation.

How do you know when you need to investigate an employee?

With an active Insider Threat management program, companies can quickly detect and respond to Insider Threats and determine the action required. If there is a credible alert that requires further analysis, this is where employee investigations kick in. Some signs that an investigation may be necessary include violations of policy, theft, substance abuse, sabotage, conflict of interest, excessive absence or lateness that is out of normal behavior, abuse of privileges, unauthorized use of resources or information, and more.

Have you discovered that an employee has accessed unauthorized information? Are you noticing abnormal behavior from a previously consistent employee? Before taking action, the investigation process can provide insight into the extent of the employee’s actions, potential intentions and motivations, and the scope of the incident. You can also gain insight into additional questions such as: Are other employees involved? How long has the threat been active? What are the downstream impacts? These are essential details to confirm before addressing the threat. Employee Monitoring Software is a critical tool often used to gain context into digital activity pre or post investigations.

What happens during the investigation?

During the investigation, a plan should be created to ensure that a reliable process is being followed by qualified investigators. This plan may include collection and analysis of logs and data, interviews of other employees and third parties, surveillance of the employee in question, and more. The process also includes a final report with a summary of the case, action taken, and the conclusion of the investigation.

While this was once a very manual process, today there is technology that can help automate and increase the efficiency of investigations. With the right Employee Monitoring Software, companies can:

  • Access video playback of actions taken on screen
  • Track activity regarding files and documents including information sent to printers, data exported to USBs or other external storage (cloud), as well as information that’s been edited or deleted
  • Evaluate web activity based on browser history, including how long a user leveraged various sites and how active they were on each
  • Track and search through email communications
  • View granular details such as specific keystrokes entered by users
  • Analyze the sentiment within the company using psycholinguistics

Note – Best practice is to install these tools well before an investigation is necessary so your approach is proactive instead of reactive.

What are the challenges associated with conducting employee investigations?

  • Visibility: Though technology has alleviated many of the traditional challenges associated with employee investigations, there are still issues companies must continue to address internally. One of the most significant challenges is in even being able to detect that there is an incident worth investigating in the first place. Many companies struggle with having adequate visibility into resources and their use by employees. Without a solid Insider Threat management and Employee Monitoring program, it can be hard to determine where Insider Threats exist and whether an investigation is necessary.
  • Motivation: Confirming the intent of the employee can also be a challenge once an incident is detected. Not all Insider Threats are malicious and confirming motivation is not something a tool can typically distinguish. It requires some human judgment to evaluate the full scope of the evidence and to determine the possible intentions of the employee.
  • Resources: Investigations require considerable time and resources to complete. This can include internal resources across the company such as information security, HR, legal, communications, leadership, as well as, the use of third parties for services such as digital forensics, overall investigation management services, and more.
  • Evidence: Without adequate evidence, there is no case. Some companies simply don’t have the logs and audit trails to prove out activities. Even when there are logs, companies still struggle with ingesting and analyzing the volume of data that systems can generate. When there is excessive information available, determining what’s relevant to the investigation can also pose a challenge. Without the necessary tools to analyze the information, it can be unfeasible for analysts or investigators to review manually. Also, if employees are sharing accounts or passwords, it can be challenging to gather evidence that confirms who actually did what.
  • Reputation: The outcome of the investigation can impact employer reputation. There have been Insider Threat incidents that turned into major breaches and landed companies in the headlines. Such events can lead to key stakeholders, shareholders, customers, and the general public to question the management and integrity of the company depending on the extent of the incident. Breaches often lead to a 30% reduction in revenue and significant damage to brand reputation.

What are some best practices when it comes to employee investigations?

When it comes to employee investigations, it’s vital to act promptly and efficiently. Every day that passes is an opportunity for a malicious insider to inflict more harm on the company. Investigations should be thorough, objective, and well documented. The details of the investigation should remain confidential to the greatest extent allowed, and integrity or evidence should be maintained.

Another best practice is to ensure there is a strong program plan for conducting investigations. Don’t wait until there is an incident to create a plan as you go. Proactively plan and train employees involved in the process on what they need to do. Lastly, be conclusive with the investigation and ensure there is a final report with clear action items and next steps.

Insider Risk – How Prepared Are You?

Insider Risk – How Prepared Are You?

Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.

About the author

Dr. Christine Izuakor
Dr. Izuakor is the Senior Manager of Global Security Strategy and Awareness at United Airlines where she plays a critical part in embedding cyber security in United’s culture. She is an adjunct professor of cyber security at Robert Morris University, and independently helps corporations solve a diverse range of strategic cybersecurity challenges.

Insider Risk & Employee Monitoring Resources

Why User Activity Monitoring (UAM) is a Must for SMBs

Why User Activity Monitoring (UAM) is a Must for SMBs

Key Takeaways: Productivity Drives Growth: Understanding workforce behavior helps SMBs eliminate inefficiencies, boost productivity, and fuel organizational success. Remote and Hybrid Work is Still Common: With 28% of workers operating remotely weekly, SMBs need tools...

Smart Year-End IT Investments- A Trifecta for ROI

Smart Year-End IT Investments- A Trifecta for ROI

Drive Productivity, Reduce Insider Risk, Enforce Compliance As the year wraps up, many IT, security, compliance, and HR teams have unspent budgets that won't roll over. Rather than scrambling for last-minute, low-value purchases, why not make smart, strategic...