Do we need Pinkerton’s or not? A comprehensive data triage for exiting employees.

We recently helped a client, a large corporate real estate firm, implement a comprehensive triage procedure to review all data related to exiting employees. The goal was to determine whether any potential litigation or suspicious activity existed, and to return equipment to use as quickly as possible based on the investigation results.


Analyze the Data
When an employee exits employment, their company-issued devices are sent to our lab and we begin our analysis process. Essentially, we need to determine whether to preserve or wipe the employee data. The first thing we check for is active litigation. We must determine if this employee, or their data, is involved in any current or expected cases. If there is any relation to any current or expected litigation, all devices are imaged, and the data is stored for future use. The other part of the triage is to check the image for suspicious activity. We set our investigative timeframe to 90 days prior to exit and examine data patterns. What we’re looking for is any significant data exfiltration. In our experience, where there is smoke, there is fire, and that is when we dive in deep and document what we find so that the corporation can decide what action to take.

Do we need Pinkerton’s?
First, yes, Pinkerton’s still exists. Second, yes, it is that Pinkerton’s. And third, yes, they are still good at their job. In one case, we discovered that a terminated employee was refusing to hand over his company-issued devices. We had good reason to believe that this recently departed employee was responsible for uploading a significant portion of confidential, proprietary source-code IP to a public library. We immediately recognized the behavior as suspicious and had to bring in the Pinkerton agency to get the laptop out of this employee’s hands as soon as possible. Once we had the devices in hand, we kicked off the investigation and quickly identified the source code in question, where it was downloaded from, and when. We then identified the pathway of where and when this stolen source code was uploaded to the public library, all in a matter of hours. The entire purpose of our triage system is to determine if threats exist and then act as swiftly as possible if they do.

Cleaned and Cleared
For the majority of employee devices we receive in this process, the data can simply be wiped. If there is no active litigation and no suspicious activity, we can clean the machine and send it back into use. We wipe to the DoD standard and get those devices back to IT for re-issue ASAP. This allows more machines, a rapidly depreciating asset, to be in use for more of their lifecycle, saving on equipment costs.

Buying peace of mind

These days, data is top of mind for the enterprise. At scale, with large numbers of employees exiting at a constant rate, the level of potential data exposure is vast. Our triage process is designed to bring peace of mind to this data exposure. Every time an employee leaves, the enterprise can be certain that their data has been secured and meets contemporary information governance standards. If a legal hold is required, they know that data is backed up in a forensically defensible condition. They can also be sure that none of their data has been stolen or duplicated and that every machine they receive back is in pristine condition. At Lucent, we understand that managing data for the enterprise is now a never-ending process. Our job is to make that process as painless as possible.
