The Danger Within: How to Protect Your Company from Your Own Employees, Using Nothing but Data Trends

Today, right under your nose, legal and compliance risks to your company could be brewing—potentially damaging your reputation and brand, and resulting in financial penalties. Take these scenarios, for example. Your peers, unbeknown to you, may be sending instant messages back and forth detailing plans to poach your company’s customers when they start a competitive business venture. An employee secretly planning to leave the company may be sharing your plans for a proprietary new software product with a rival via e-mail, hoping to curry favour with a future boss. A finance manager might click on an attachment in an outwardly authentic message purportedly sent by a colleague, unwittingly sending payment to a fake third party. Any of these actions, whether inadvertent or deliberate, can cause your company harm.

Organisations are expending more energy—and with it, more resources—to protect the unique elements of their company’s brand, culture, and intellectual assets. How can organisations identify potential risks and protect their confidential and proprietary information from theft by budding entrepreneurs seeking to get a quick start, the prying eyes (and computers) of competing entities, or enterprising cyber thieves looking for loopholes created by unsuspecting employees? The answer: powerful data analytics tools that are capable of detecting signs of noncompliance in companies’ data vaults.

The Shortfalls of Traditional Enterprise Risk Management Approaches

Employees using increasingly common forms of communication, such as e-mail, bring-your-own-device mobile tools, chat and social media, can share information that might include falsehoods, disparagements and trade secrets via means that evade traditional enterprise risk management (ERM) approaches. For some time, organisations have relied on a traditional mix of preventive and reactive measures to identify and thwart organisational risk. Tried and true approaches include policies, procedures, risk committees, task forces, audits and employee training. Additionally, auditing software is effective at scrutinising data for indicia of risk or outlier transactions. This approach usually focuses on structured data: facts and statistics buried in accounts payable systems, point-of-sale databases, or financial reports, for example. Filtering and trend analysis could help identify anomalous transactions within these repositories. But, troublingly, these audits often exclude a wide universe of data most likely to uncover underlying employee conduct that poses potential risk: unstructured data sources such as e-mails, social media, text messages, internet logs, and chat. With these data sources untouched, subtle yet informative cues indicating concerning behaviour too frequently go unnoticed.

The Role of Big Data Analytics in Detecting Risk

In litigation, investigations and regulatory compliance matters, legal counsel are increasingly relying on analytical tools such as technology-assisted review, concept searching, e-mail threading and relationship analysis, to name a few, to quickly winnow down data volumes and find meaningful patterns in data sets. While effective when used appropriately, these analytics are used on a case-by-case basis, requiring that legal teams reinvent the wheel with each new matter. This is because there is limited (or no) knowledge transfer from case to case or even within single cases involving multiple law firms and vendors, so attorneys often re-review the same documents over and over again. This process is not only costly and inefficient, but also prone to inconsistencies and carries the risk of misclassifying or inadvertently exposing trade secret, privileged, private or other sensitive data.

Enter ‘big data’ analytics. Organisations that take a holistic ‘big data’ approach to documents across all legal and compliance cases by continuously combining the intelligence they have generated in prior cases with new information collected as matters arise can gain even more insights from their data. Emerging analytics platforms can amass billions of previously reviewed and classified records, across internal and hosted third-party platforms, into a unified repository. This collective data history gives counsel the ability to repurpose their past work and view new data through a historical lens. Once this information is assimilated, the power of these platforms can reorganise data and extract unexpected trends and relationships for future matters.

With the collaboration of subject matter experts and data scientists, organisations can customise multiple algorithms to detect and monitor specific types of regulatory and legal risk across all types of data, including e-mails, voicemails, social media messages, word processing files, video and even structured data. More importantly, they can mine these records using a veritable arsenal of traditional analytics tools, including text analytics, natural language processing, sentiment analysis, machine learning, statistical learning, anomaly detection, and audio analytics. These tools yield both diagnostic and predictive analytics by organising data from disparate sources and custodians into an informative array that organisations can use to identify red flags that point to illicit or negligent behaviour.

Predictive Analytics in Action

One of the most promising applications of predictive data analytics is their ability to help organisations prevent risks before they arise—that is, before rogue employees can damage their company and its brand. For instance, predictive analytics tools can:

• analyse social media messages for unorthodox communication patterns or emotive tones that suggest suspicious activity,
• decipher coded language that employees use in e-mails to evade detection by monitoring software,
• study telephone and chat transcripts for evidence of collusion between employees,
• evaluate gaps in communications that may indicate an employee has deleted e-mails with a certain person or on a particular topic,
• review outgoing e-mail to determine whether employees are violating company policy by sending confidential or proprietary data to their personal e-mail addresses or other external destinations,
• create a social map of communication traffic to show unusual patterns in chatter with a third party, or
• uncover post-dating of memoranda relating to a transaction to obscure the dates when critical actions were actually taken.

In the event that the organisation unearths disturbing behaviours such as these in its data, management can take corrective action to thwart the errant employee before harm occurs, prevent losses, and avoid liability.
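Two of the checks listed above (outgoing mail to personal addresses, and gaps in a correspondence) can be run over mail metadata alone. The following is an added Python example, not code from the article or from any vendor product; the domains, addresses, thresholds and message records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

CORP_DOMAIN = "corp.example"                      # assumed corporate domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com"}   # assumed webmail list

# Constructed sample metadata: (ISO date, sender, recipient, attachment count)
MESSAGES = [
    ("2024-03-01", "alice@corp.example", "bob@rival.example", 0),
    ("2024-03-02", "alice@corp.example", "bob@rival.example", 0),
    ("2024-03-03", "alice@corp.example", "bob@rival.example", 0),
    ("2024-03-04", "alice@corp.example", "bob@rival.example", 0),
    ("2024-03-19", "alice@corp.example", "bob@rival.example", 0),
    ("2024-03-20", "alice@corp.example", "bob@rival.example", 0),
    ("2024-03-05", "carol@corp.example", "carol.home@gmail.com", 3),
    ("2024-03-06", "carol@corp.example", "dave@corp.example", 1),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def personal_forwards(messages):
    """Corporate senders mailing attachments to personal webmail domains."""
    return [(d, s, r) for d, s, r, att in messages
            if domain(s) == CORP_DOMAIN and domain(r) in PERSONAL_DOMAINS and att > 0]

def communication_gaps(messages, factor=5, min_msgs=4):
    """Silences between a pair that exceed factor x the pair's median interval."""
    by_pair = defaultdict(list)
    for d, s, r, _ in messages:
        by_pair[frozenset((s, r))].append(datetime.fromisoformat(d))
    findings = []
    for pair, times in by_pair.items():
        if len(times) < min_msgs:
            continue  # too little history to know what is normal for this pair
        times.sort()
        deltas = [(b - a).days for a, b in zip(times, times[1:])]
        typical = max(median(deltas), 1)  # floor at one day to avoid a zero baseline
        for (a, b), gap in zip(zip(times, times[1:]), deltas):
            if gap > factor * typical:
                findings.append((sorted(pair), a.date().isoformat(),
                                 b.date().isoformat(), gap))
    return findings

if __name__ == "__main__":
    print(personal_forwards(MESSAGES))
    print(communication_gaps(MESSAGES))
```

A flagged gap is a lead for review, since leave or a change of project produces the same silence as deleted mail; comparing it against server-side journaling or the other party's mailbox is what confirms a deletion.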

A Big Data Analytics Risk Management Approach Protects Your Company

As risks continue to multiply and grow in complexity, variety, and scope, organisations will find that their internal controls, such as policies and audits, cannot keep up. By adopting a risk management approach that incorporates ‘big data’ analytics, they can save significant future costs, prevent sensitive data from becoming top-line news and, most importantly, they can better insulate themselves against existing risks and address future ones to better protect the organisation’s brand.

Nyembo Mwarabu is Vice President, EMEA, Xerox Legal Business Services.