Sun, Mar 7, 2021
When incidents or traumatic events occur, there are a set of investigative techniques and methodologies that need to be deployed quickly and with the right expertise. In this episode of Kroll’s Security Concepts, three of Kroll’s investigative experts Marco De Bernardin, Francesca Castelli and Nick Doyle come together to discuss their experience with the lifecycle of investigations.
Marco and Francesca are both from our Milan, Italy office, and are integral team members in the investigation practice for that region.
Marco is Kroll's Italy country manager and has a focus on Italy, Malta, Austria, Greece and the wider Mediterranean area. Over the years, Marco has led multiple investigations into leaks of information relating to intellectual property, working with clients and their legal advisors on civil litigation cases requiring a combination of computer forensics, interviews, analysis of public domain materials and intelligence gathering.
Francesca is a senior manager in Kroll's Business Intelligence and Investigations (BII) practice and is a certified fraud investigator. Francesca has led investigations for clients into allegation of fraud, corruption, conflict of interest and leaks of information by combining different and complimentary investigative techniques like those that we will be discussing today.
Nick leads our Security Risk Management practice in EMEA and works collaboratively with our investigation teams across the region to include deploying resources to the Milan office to assist in some high-profile investigations in that market with great success.
Life Cycle of an Investigation
“The format of today’s discussion is to look at the life cycle of the investigation—start with the very beginning of the incident that sets off the need for an investigation and work it through the whole way that you guys typically approach these investigations and bring everybody in when needed. Let's get started with a little bit of conversation on that triggering point and how you determine what is going to be needed to do this investigation successfully.” – Jeff Kernohan
“I think that the real thing is that when an incident or a traumatic event occurs, it is when also, let's say at a very high level at the company, the board level even, or the stakeholders understand that there's something wrong and they need to react. At that stage we are normally engaged because there is something that went wrong, and we need to act very promptly and very quickly. There is a set of investigative techniques and methodologies we need to deploy quickly with the right expertise and the right order to determine a series of very important issues, like the amount of knowledge of what happened, what was wrong in terms of if something has been leaked or physical goods of code, or if we are talking about a cyber incident. Depending on the nature of the case, the methodologies and the people to be deployed really vary.” – Francesca Castelli
“When we're kicking these investigations off, how is it typically, in your experience in the market there when you're working out of Italy and you're bringing in different parts of the Kroll company, how are you typically laying out your investigations to make this all get kicked off and get started?” – Jeff Kernohan
“There is always a first phase, and the key element of the first phase is to fully understand and receiving a full debrief from the client with regard to what really happened, or at least what is the understanding of the client on what happened. This is key for us to understand and start to wrap our heads around the expertise that may be required to conduct investigation.” – Marco De Bernardin
“From an investigative point of view, there are two to three things that are key. The first one is trying to secure whatever evidence that is maybe available us. The timing is a key factor here because we may need to extract from computers, we'd extract from emails, we may need to identify people quickly enough to understand if any evidence may be under risk of being destroyed, et cetera. So, this exercise of mapping exactly which document we have, which evidence we may need to secure, it's quite an important element.” – Marco De Bernardin
“Another basic element is to try again staffing the team—meaning to find the right people that can do the job for you. In terms of investigation, finding the right analysts that can analyze, going through the emails, understanding the corporate records if it's required, going through documents if it's required, but also people who can conduct interviews with potential witnesses as well.” – Marco De Bernardin
Mitigating the Physical Risks of an Investigation
“What are your key elements that you want to make sure are covered when you're brought into an investigation, by the BII team, the investigators?
“Our security specialists can provide a really nuanced analysis of the operational risks and the potential requirements needed to mitigate physical risk as part of an investigative process. So we'll look at the protection of people, we'll look at the protection of assets, and collectively both the investigation team and the security team provide a complete picture of both the business risk environment and the physical risk environment. That's very important when we're looking at, say, loss prevention projects.” – Nick Doyle
“There is a sort of circle of interaction between the investigative angle and the security angle. Whereas the investigation serves as a roadmap of understanding the organization, trying to understand what went wrong, and then the security practice, with this roadmap, is in the position where they can actually read the organization and then try to identify the gaps.” – Marco De Bernardin
“At the end of the story the incident becomes the trigger to understand that more broadly something needs to be fixed, in the sense that the incident guides and allows also the company to become aware that they need to rethink about something and to involve the right people and having the availability of people at different levels to cooperate together.” – Francesca Castelli
“During the investigation, we bring together our colleagues from different divisions, in particular Nick and his team, to try to understand really if something went wrong and the incident occurred, where the vulnerabilities were that were exploited in terms of, let's say, physical vulnerabilities, but also in terms of policies, in terms of procedures, in terms of the overall assessment. It is something that can just be as a sort of first step of rethinking about the organization.” – Francesca Castelli
“As a consequence of our participation on these investigations as well, it's also right to say that it's of added benefit to a client, because as well as supporting our investigators, we're also able to provide inputs and suggestions and recommendations to our clients to mitigate the chance of any of these potential incidents or thefts, whatever, from happening again by securing their security environment moving forward. We can enable and assist the client to do that. It's like a follow-on service; we've done the investigation, we've understood what happened and then we can start to develop a more secure environment for the client to operate in moving forward so they don't have these issues.” – Nick Doyle
“I just worked a case where we found a lot of offices that are almost vacant all over the country here because people aren't working in the offices, and someone was able to wander into an office and walk away with several laptops that may have had pertinent data on them. We actually went through and conducted all the interviews and at the same time, I was there to look at how this happened, how this person got into the building, how they got around security, how they got around your security technology, how they actually were in the space without really leaving a lot of evidence that they were there that we could use.” – Jeff Kernohan
Combining Investigations, Cyber Security and Physical Security
“What are the key elements of your investigation and how security may play a part or how cyber security may play a part? When you're doing these investigations, where do we really see the breakout of the types of work that are happening?” – Jeff Kernohan
“Sometimes it happens that we start first the investigation, and then, once we conclude the investigation, we make sure the client understands that the investigation will not provide a full solution for these issues. Then we advise the client to bring in security management expertise into the equation. In that kind of situation, the role of my team would be more of supporting by feeding the information we have developed during our investigation into Nick and his team so they are able to fully understand and then make their own recommendation after they're conducting their part of work.” – Marco De Bernardin
“Sometimes we see a joint effort of the investigation that takes place at the same time of the assessment. Again, I think that the benefits of conducting potentially the investigation at an earlier stage is to provide the roadmap for then the exercise and the security assessment that will follow afterwards.” – Marco De Bernardin
“I'd also like to add that when you look into this at the beginning altogether, it means that since the very first step of the investigation, for example in conducting interviews, you are talking to people and sometimes they are very sensitive to the issues that are under discussion, because they might be, let's say, part of the investigation, even if there is any internal complicity. Conducting an interview in which any of us can, make his or her own questions in a way that suited the specific situation and get all the information together, it's very key.” – Francesca Castelli
“We had a case in which a key part was an onsite visit because there was a theft of physical goods. Being together there, it meant that each of us was looking at different things, because each of us have our own background and also aim and purpose for the client. When we then came back altogether, bringing what we have learned about this onsite visit, we realized that the picture that came out from our joint efforts were really much better than if we were there alone. And also in this sense, it makes a very big importance that when we are together, we also convey a different image of our job and of the value we can have to the client. Because we are able to convert all the analytic approach, for example regarding, let's say, security, in a way that the client is not just asking for what happened in this specific theft, were some criminal gangs involved, is there internal complicity, but more broadly about what was really vulnerable in this situation and what you could do to prevent this kind of event take place another time in the future.” – Francesca Castelli
“Our Security Risk Management group has a depth of experience in operating security controls, and especially in real life, real world situations. Our knowledge of security systems can influence the findings of an investigation. We can look at the methodology of how a theft occurred and we can look at how that theft was captured or wasn't captured—that can influence the findings of the investigation. It could also eliminate, potential insider threats because of that input as well. We can bear a real qualitative influence on an investigation.” – Nick Doyle
“When you guys are doing these investigations, who are you typically working with? Are you working directly with the board of the company? Are you working with local personnel? How does that usually play out?” – Jeff Kernohan
“We have experience that tells us that it's key to involve C-level people and even the board at the very early stage, in the sense that having a clear idea of what is the objective of our engagement. Not only to ask a question regarding the specific incident, but more broadly doing our investigation in a way that is not just a cost, but an investment.” – Francesca Castelli
“We deal with people at various levels during the day-to-day investigation. We talk to people that might have useful information for us, we talk to the security manager, we talk to people in the warehouse if a physical theft occurred, we talk to the CIO or to people that might have access to the information that was stolen, depending on the different type of incident that occurred. At the end of the story, the people to whom we are talking to when we have to provide our results and provide our recommendation are really the people that are the ones who need to decide the risk that the organization wants to take and the risk appetite. It's impossible to protect everything 100%, so we need to decide where the risk is acceptable, and if it is not, how much you want really to invest in order to secure the organization. It is typically a decision that must be taken at a very high level of the organization.” – Francesca Castelli
“When it comes to talking to people and especially interviewing potential witnesses, there are a couple of considerations to take into account. In the process of conducting an investigation, the client would usually like to push for you to talk to certain people and maybe avoid talking to certain others. I think it's key for the investigator who is deployed on the field to be able to make that call. Whereas if he or she thinks that talking to someone is very key and very important, to push it a little bit with the client in order to have access to that information, specific information. I'm thinking especially in cases of a leak of information where, especially with sensitive information, the client may be a little bit reticent in terms of giving you access to all the layers of his organization.” – Marco De Bernardin
“What is required for the investigator is to conduct a bit of diplomacy with the client in order to have the right accesses. That's also key because you need to develop that kind of diplomacy when you have to deliver your message to the board, but also you have to be able to relay your findings to the board. Sometimes you have to deliver bad news, so working out that diplomatic approach is the one that allows you to have that credibility also to be able to deliver that kind of news to the client, but also to make the client willing to listen to your advice when it comes to remediation and mitigation.
“When it comes to the actual investigations, are there any trends that you're seeing?” – Jeff Kernohan
“The Italian market is composed by few large companies and large corporations, and there is a plethora of smaller companies. All of them, the small, medium-sized companies, have something very specific and valuable, which is intellectual property, which is trade secrets, etc. The trend is to help those companies to secure their intellectual property, making sure that they can retain the edge if they want to keep on being competitive on the international markets.” – Marco De Bernardin
“I see that there is not enough interest in Italian companies because they tend to see security as a cost and not as an investment, that there's not enough interest in that area of expertise. This is why, the message is, yes, we can conduct an investigation and help a company to understand the narrative and the responsibilities, but yes, Italian companies definitely needs the security risk management approach that will help them to secure their companies and potentially avoid that traumatic event, avoid that trigger event in order to create a security around the company and what is important for you to protect.” – Marco De Bernardin
Investigation Key Takeaways
“What are those key items, those food for thought pieces that you really want to make sure we express here, that your clients and everybody out there really needs to be aware of when they have an incident and they need to start an investigation?” – Jeff Kernohan
“If we're talking around insider threats and where there's a collaborative approach from the investigations team and the security risk management team about providing solutions to clients with insider threats, it's important to mention that many, many clients actually have perimeters of security because they are protecting themselves against external threats. Where we can advise clients around internal threats is looking at the process, because these people are already inside the premises where a lot of the security environment isn't as rigid as it would be around the perimeter of a site. Therefore we can work with our investigators along the process and controls that carry on internally within an organization to identify those vulnerabilities, to identify those gaps for the investigators to look at as potential avenues of where the internal threats or the theft of IP have occurred.” – Nick Doyle
“In conducting, especially for the insider threat investigation, you do realize that the human element is key, because of course, either willingly or unwillingly, a subject was responsible for the data leak or information loss or IP theft. One piece of advice for companies is always to make sure and to understand—what's the level of satisfaction of your workforce? Disgruntled employees, people that believe that they're not treated fairly by the company, they are more subject to potentially either being victim of a third-party who want to aggressively capture relevant information from within the organization, or maybe they'd be tempted in order to take revenge over the company to try to take trade secrets, trade important and valuable information and bring it out just to prove the point that they can harm the company.” – Marco De Bernardin
Kroll is ready to help, 24/7. Use the links on this page to explore our services further or speak to a Kroll security risk management expert today via our contact page.
Kroll’s Enterprise Security Risk Management practice provides expert guidance and advisory services to our global clientele as they navigate the most challenging and emerging security and threat-related issues.
Kroll’s sophisticated global network of experts can assist with your operational security needs, whether they are proactive to avoid enterprise risks, reactive augmentation to your current capabilities or capacity-building due to threats.
Kroll experts provide security services tailored to the needs and specific contexts of diverse industries.