Email misuse is having a significantly harmful impact on companies around the world. In some cases, misuse by the employees has led to the prosecution of company directors, and disciplinary cases being brought against employees for violating email and Internet policies, have increased. Huge amounts of time, money and personnel resource are required to manually trawl through thousands of emails to identify these culprits and prevent damage to the reputation of a company.
The increasing cost to businesses of managing email misuse is a major concern. Email abuse cannot be ignored with the liability of corporate compliance and employee welfare legislation now falling on the company directors personally, rather than on the company itself. A reliable and efficient way of gathering and managing the masses of electronic information required to investigate email abuse has become a top priority in organisations that are looking to protect both reputation and employees.
In this case, the information was in millions of emails generated over six months throughout the company. To speed the email analysis process, McKemmish's team used a combination of i2 Analyst's Notebook and iBase to manage the large amounts of data and identify those involved by charting the path and frequency of illicit emails through the organisation.
- Rodney McKemmish, the Forensic,Technology Group's practice leader
Situation
Senior management at an Australian corporation discovered employees were using the company's computer system to store and distribute pirated pornography, MP3 and movie files. This misuse of corporate email caused concern for the senior management who understood the importance of stopping this misuse before it impacted the company or the employees.
The executives had suspicions regarding who was responsible for this misuse, and had the data to back up their theory; however the sheer volume of information that needed to be analysed meant it could take several months before they were able to uncover the culprits. So the company called in KPMG's Forensic Technology Group to investigate.
KPMG's Forensic Technology Group has in depth experience in investigating complex cyber crimes and helps companies to respond to the threats and challenges that are posed by fraud and misconduct. In addition to conducting fraud investigations they help companies to implement and monitor ethics and integrity programs to prevent future misuse.
"Our team provided the company with a level of independence, the skill-set required to conduct the investigation and the infrastructure in terms of computer equipment," says Rodney McKemmish, the Forensic Technology Group's practice leader.
"We were initially looking at the electronic crime scene," McKemmish says. "We wanted to know what systems would allow us to prove or disprove the allegations. The sort of information that we're interested in is emails, access logs and proxy server logs (to track internet use)."
Solution
In this case, the information was in millions of emails generated over six months throughout the company. To speed the email analysis process, McKemmish's team used a combination of i2 Analyst's Notebook and i2 iBase to manage the large amounts of data and identify those involved by charting the path and frequency of illicit emails through the organisation.
"Even if you filter the emails, you've still got hundreds of thousands of messages to sort through," McKemmish says. "It would take months and months to review each email and identify the relationships manually."
Using i2 Analyst's Notebook and i2 iBase, the bulk of the visual analysis was completed in two days. The emails were fed into i2 iBase in a structured format and the required information was easily extracted by i2 Analyst's Notebook. The investigators were able to query for the relationships they were looking for, with the results showing up as a series of lines between the participants - the thicker the lines, the more email traffic and hence more likely the person in question was to be deeply involved.
"As a starting point, we had one or two emails that had pornographic attachments," he says. "What we ended up with was a person in the centre and as you moved outwards towards the other recipients, the lines tended to get thinner and thinner. This gives you an overall picture of individual and traffic volume."
Once this chart was created, the team added more information until all people were identified. KPMG then investigated the extent of each person's involvement. "You have to look at the nature of that message, did the person request that information or was he/she an unwilling recipient?"
Outcome
"By the end of the investigation, the KPMG team had uncovered a widespread problem, with four ringleaders running more than 60 people. About 100GB of pornography, MP3s and movie files had been sent. But no one was sacked. Two ringleaders were "severely reprimanded" and the other two given "stern warnings". McKemmish said this was a "decision of the organisation", based on the evidence. Possible reasons include the legal uncertainty surrounding monitoring workplace emails and internet usage, or wanting to avoid negative publicity.
"The policies and procedures regarding email and internet usage were looked at and revised and re-communicated to employees," he says. "The company also conducts regular assessment of the file servers and workstations now."
Uncertainty surrounding the legality of monitoring email and internet usage in the workplace means employers should tread carefully and clearly articulate their policies.
