Ediscovery Comment: BYOD, Social Media and the Cloud – so where exactly is the data?
by Martin Carey, managing director at Proven Legal Technologies, a corporate forensic investigation and edisclosure firm
It is generally accepted by now that Bring Your Own Device (BYOD), social media and cloud computing cannot be dismissed as passing fads, but are without a doubt here to stay. Today we have the ability to create, disseminate and store information on an unprecedented scale. We can do this with ease and what’s more, from our personal mobile devices, such as iPhones, BlackBerrys and tablets. Not only this, but as mobile telephony technologies continue to improve, we are entering a world where any data can be accessed, anywhere, at any time, using any device.
The rise of BYOD
It may be that mobile devices and so-called Web 2.0 technologies, such as Facebook, LinkedIn and Twitter, originally focused on the power of the individual but, as we know, it did not take long for their use to infiltrate the workplace. It is now common for individuals to use their own devices and to have access to social media sites from within and without the corporate network. Businesses themselves are increasingly adopting social media tools to market for new business and reach customers and partners.
Businesses, through sophisticated BYOD infrastructures, are allowing employees using their personal devices to have full access to business systems, not just email. With this proliferation of devices and mediums, the search for data becomes even more complicated, and legally confusing. Whichever way you want to look at it, social media encapsulates sharing and collaboration and individuals now have the ability to propagate information to an audience of millions in seconds. Add to this an inherent slack attitude to privacy concerns and the adoption of social media doesn’t sit well with the need to protect commercially sensitive information.
Not only is the user-side of infrastructures changing, but the server-side is as well, as more companies head towards cloud computing, seeking to grasp the expected lower costs, greater availability and fuller functionality. The day of the “server room” may not be dead, but more often than not, business data will not reside within their bricks and mortar, but somewhere on a cloud. And this does not just apply to companies, as individuals are increasingly turning towards cloud storage, such as OneDrive, DropBox or Google Drive, rather than relying on physically connected drives to copy, transfer or back-up data. This flexibility allows us to choose a mobile device to connect to the corporate network, the freedom to access a myriad of applications available on the web and to store large amounts of data somewhere in the cloud.
So, as the demarcation between business and personal becomes increasingly blurred, how does a business protect itself against data loss, deliberate of otherwise?
Data loss: a preventative approach
Prevention is always best. The challenges facing corporate IT and security departments are well documented and largely emphasise the need for well thought-out policies and contracts that cover employee access to web applications. An individual’s right to privacy, versus employer rights to audit privately owned devices, must also be reconciled.
For example, BYOD protocols should dictate a list of devices approved by the business and determine which corporate applications can be accessed. Security policies should incorporate mandated anti-virus software, firewalls and encryption in the event that the device is lost or stolen. IT departments should therefore have the means, and the authority, to wipe corporate data from personal devices.
The challenges of social media
Social media activity is potentially more of a challenge. The whole point here is that the environment is dynamic and any number of connections can be navigated. Network traffic monitoring and access blocking can play a role and there are increasingly more tools coming on to the market to achieve this. However, for every preventive measure applied there is probably a way around. Companies therefore must instil regular training processes to ensure best practice.
Investigating employee wrong-doing
The first thing to grapple with is where the relevant data is, and then how to capture it in a forensically sound manner. This can be far easier said than done, especially given the myriad of mobile devices, cloud computing platforms and social media accounts. In addition, this can become legally confusing, especially when considering personal devices used under BYOD policies; is the company allowed to investigate these without consent for example?
Social media: Spotting patterns
In terms of the actual investigation, an experienced investigator will be looking to discover patterns in an individual’s behaviour and is generally focused on, not only trying to find the ‘smoking gun’, but also locating supportive intelligence that helps bring the overall picture into sight. This can include analysing who is connected to who and recent movements that correlate with other sources of evidence. Investigation of all available social sources can help build a picture around the scene of the crime.
Evidence will come from a variety of sources. For example, sources could include corporate network log files to identify the use of web-based email, as well as other outbound activity, such as uploads to Google Drive and Drop Box. Internet history databases and cached pages of internet sites retained on a work computer can also be investigated alongside deleted data and backups of personal devices on corporate machines. Investigators should also seek to look at public profiles on LinkedIn and Facebook too as many profiles tend to be open for all to see. Traces of artefacts left behind on a computer system by certain applications, such as Skype, can provide indications of malpractice. Finally, it should be noted that mobile devices can often contain more relevant evidence than computers.
The success of any investigation will depend on an investigator’s legitimate ability to access a personal device or social media site of the individual in question. Organisations can benefit by looking at all the data and analysis, allowing the results of one to feed into the other, in order to achieve a higher level of analysis.
A preventative approach should always be taken by firms to protect potential reputational and financial damage to their business. Implementing the right systems must to be a priority for firms so that they can stop any suspicions before they rise to the surface.
Certainly BYOD, social media and cloud computing are here to stay and as a result each element must be robustly looked at in all investigations.