The Importance Of Interviews In Insider Investigations

Exit interviews speed up investigations, prove intent, and cover your legal bases

Dark Reading Staff, Dark Reading

June 12, 2012

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Whether it is an exit interview upon termination or resignation, or just a simple question-and-answer session during an investigation, employee interviews are critical to handling insider incidents, IT forensics experts say.

"If you [don't have] a procedure to formally interview people and to do it properly and record it, you're not doing your job right," says Steve Santorelli, director of global outreach at Internet security research group Team Cymru.

Interviews are a must for IT incident-response teams to more quickly get to the bottom of incidents and to distinguish among theft, impropriety, or just sloppy mishandling of IT resources. In many cases, simply putting someone who has done something malicious in front of a computer forensics investigator is enough to get him to talk right then and there.

"Most of the time, when somebody comes in and they're a forensics professional, you sit down with the suspect and you say, 'Look, I'm going to find the data. I know exactly what happened and I want to talk about it,'" says Damon Petraglia, director of forensic and information security services for Chartstone. "Almost inevitably, they do. Most regular users aren't really, really savvy about how data travels and things like that. They become very nervous during an interview, and you'll find them changing their stories. As you go back to them and say, 'Before you said this and now you come to this, so which is it?' you start to really establish what actually happened."

When done right, these types of interviews can help prove intent for potential litigation or, on the flip side, help IT figure out employee action was not malicious. If the employee is to be sanctioned or fired, then it can stand as evidence should he sue the company later on down the line. Not only are these interviews important from a reactive perspective, they may even be a powerful preventive measure against insiders thinking about stealing on their way out the door.

"When key employees or suspected malicious insiders are preparing to leave the company for employment with a competitor, the exit interview and related processes can be critical and should be tailored to each individual situation," says Robert McCauley, partner at global IP law firm Finnegan. "These exit discussions can thwart possible misappropriation -- innocent or not -- before it starts. If the departing employee is planning to serve a similar role for a competitor, or there are other warning signs, then in-house counsel may find it advisable to specifically write or contact the new employer to alert them to areas of sensitivity and concern, and to emphasize that the former employer will aggressively monitor and safeguard its trade secrets.”

[ Are you making legal mistakes when showing malicious insiders the door? See 5 Ways To Lose A Malicious Insider Lawsuit. ]

But interviewing can seem intimidating to IT personnel unaccustomed to it. According to Santorelli, it doesn't have to be rocket science.

"A lot of times people get freaked out about gathering evidence," he says. "But all it is is getting somebody's side of the story. And, generally, most people want to have the opportunity to give their side of something that happened."

The most important principle to remember is to record everything and to get consent and proof of consent through the process. Video, Santorelli says, is ideal. A video recording offers fantastic evidence in that worst-case scenario when a former employee comes back three years later for wrongful dismissal. If there's evidence that not only records the person telling her story, but also shows there's no one standing ominously over her shoulder and that she was of sound mind and body during the process, the case will be made much stronger.

"It sounds really crazy if you're just letting someone go because they misused company servers for whatever. It seems crazy to go through all that formal length of recording things," he says. "But at the end of the day, you can't be criticized for covering your bases."

Of course, always remember that recording should be done with consent. And if an employee refuses to consent, record that, too.

"You can't force someone to talk about it," Santorelli says. "But a good practice would be to get that person to sign a bit of paper saying, 'I don't consent to have this recorded.'"

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

2012

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights