The Importance Of Interviews In Insider Investigations

Exit interviews speed up investigations, prove intent, and cover your legal bases

Whether it is an exit interview upon termination or resignation, or just a simple question-and-answer session during an investigation, employee interviews are critical to handling insider incidents, IT forensics experts say.
If you [dont have] a procedure to formally interview people and to do it properly and record it, youre not doing your job right, says Steve Santorelli, director of global outreach at Internet security research group Team Cymru.
Interviews are a must for IT incident-response teams to more quickly get to the bottom of incidents and to distinguish among theft, impropriety, or just sloppy mishandling of IT resources. In many cases, simply putting someone who has done something malicious in front of a computer forensics investigator is enough to get him to talk right then and there.
Most of the time, when somebody comes in and theyre a forensics professional, you sit down with the suspect and you say, Look, Im going to find the data. I know exactly what happened and I want to talk about it, says Damon Petraglia, director of forensic and information security services for Chartstone. Almost inevitably, they do. Most regular users arent really, really savvy about how data travels and things like that. They become very nervous during an interview, and youll find them changing their stories. As you go back to them and say, Before you said this and now you come to this, so which is it? you start to really establish what actually happened.
When done right, these types of interviews can help prove intent for potential litigation or, on the flip side, help IT figure out employee action was not malicious. If the employee is to be sanctioned or fired, then it can stand as evidence should he sue the company later on down the line. Not only are these interviews important from a reactive perspective, they may even be a powerful preventive measure against insiders thinking about stealing on their way out the door.
When key employees or suspected malicious insiders are preparing to leave the company for employment with a competitor, the exit interview and related processes can be critical and should be tailored to each individual situation, says Robert McCauley, partner at global IP law firm Finnegan. These exit discussions can thwart possible misappropriation -- innocent or not -- before it starts. If the departing employee is planning to serve a similar role for a competitor, or there are other warning signs, then in-house counsel may find it advisable to specifically write or contact the new employer to alert them to areas of sensitivity and concern, and to emphasize that the former employer will aggressively monitor and safeguard its trade secrets.”
[ Are you making legal mistakes when showing malicious insiders the door? See
5 Ways To Lose A Malicious Insider Lawsuit
. ]
But interviewing can seem intimidating to IT personnel unaccustomed to it. According to Santorelli, it doesnt have to be rocket science.
A lot of times people get freaked out about gathering evidence, he says. But all it is is getting somebodys side of the story. And, generally, most people want to have the opportunity to give their side of something that happened.
The most important principle to remember is to record everything and to get consent and proof of consent through the process. Video, Santorelli says, is ideal. A video recording offers fantastic evidence in that worst-case scenario when a former employee comes back three years later for wrongful dismissal. If theres evidence that not only records the person telling her story, but also shows theres no one standing ominously over her shoulder and that she was of sound mind and body during the process, the case will be made much stronger.
It sounds really crazy if youre just letting someone go because they misused company servers for whatever. It seems crazy to go through all that formal length of recording things, he says. But at the end of the day, you cant be criticized for covering your bases.
Of course, always remember that recording should be done with consent. And if an employee refuses to consent, record that, too.
You cant force someone to talk about it, Santorelli says. But a good practice would be to get that person to sign a bit of paper saying, I dont consent to have this recorded.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
The Importance Of Interviews In Insider Investigations