Insider matters, whether IP theft, data exfiltration or misconduct, follow a predictable pattern. The person leaves signals across email, file access logs, USB events, cloud sync activity and messaging platforms. The evidence is usually there. The question is whether it survives the moment the individual realises the organisation is looking.
The order that works
- Preserve, quietly. Images of the device, exports of the mailbox and audit logs, before any conversation.
- Analyse. Establish what was accessed, copied or sent, and to where.
- Then act. Suspension, injunction, or termination, informed by evidence rather than suspicion.
What destroys these cases
Confronting the individual before the evidence is secured. Confiscating and browsing the laptop. Asking IT to have a quick look. Each of these turns a strong case into an argument about tampering.

