Mark Tibbs, Partner
Mishcon de Reya
Hi everyone, we’re just going to wait for all the attendees to join and we’ll get started in a couple of minutes. I can see the list of attendees going up so that’s great. Hi everyone, we’re just waiting for people to join the Digital Session and then we’ll get started. I can see the list of attendees slowly growing so I’ll give everyone a minute or two. Okay, we’ll give everyone just thirty, thirty seconds or so more to join and then we’ll get started. Right, that looks like a good number.
Hi everyone, welcome to our latest Digital Session in our Diligence 2030 Series and this time we’re looking at insider fraud threats. So, in this session we’re going to be talking about how to prepare for insider fraud investigations, some common challenges and then potential outcomes as well. So, firstly, if you want to get in contact with any of the speakers directly, please click on the ‘Resources’ tab down below and you’ll be taken to their bios and their contact details and there will be a recording of the session for everyone who signed up and we’ll be taking questions at the end if we’ve got time so, please use the ‘Q&A’ function, not the ‘Chat’ function at the bottom to submit these.
Right, so insider threats. Well, I’m joined by a really good group of experts on the call today and I’ll get them to introduce themselves shortly but as a sort of setting scene, insider threats present complex challenges for businesses and we deal with them a lot. Insider fraud usually arises where there’s been a misuse of someone… misuse of information by someone on the inside, a misuse of access and privileges and it may be driven by things like financial motives or revenge, we see disgruntled employees wanting to get back at their employer or as insiders being presented with an opportunity that they think is too good to refuse. So, could start with a small amount to test the water, we often see sort of reconnaissance at the beginning of an insider fraud before deciding to sort of go all in and it could also involve a conspiracy, we see, with insider frauds we see a lot of cases where there’s more than one person or there’s third parties that are involved. So, it will be important to be aware of the warning signs, but before we get into some of the questions, thank you for joining us. My name is Mark Tibbs, I’m a Partner in the Cyber Risk and Complex Investigations Team here at Mishcon. I’m unusual because I’m not a lawyer in a law firm and I’m going to introduce my colleagues Jess and Jatinder. Jess, over to you.
Jess Ambrose, Associate
Mishcon de Reya
Thank you, Mark. Hi everyone, thanks for joining today. My name’s Jess Ambrose and I’m an Associate in our Employment team, so I’ll be giving us the sort of insight from an employment legal perspective today.
Jatinder Seehra
Mishcon de Reya
Hi guys, I’m Jatinder, I’m the Digital Forensic Incident Response Lead at Mishcon de Reya and I’ll be providing an insight into the digital forensics perspective on this.
Mark Tibbs, Partner
Mishcon de Reya
Thanks very much. Let’s go into our first topic, which I think is one for you, Jatinder, to start us off.
Jatinder Seehra
Mishcon de Reya
Yes. Yeah, so, it’s preparing for workplace investigation. So, as Mark’s touched upon, insider fraud, it’s a significant risk to organisations, you know, often exploring complex schemes and requires careful investigation, you know, today we’re going to aim to explore the proactive measures you can take for such investigations and to ensure that you’re equipped and to respond effectively and efficiently. So, my first question to you, I think Jess, I guess, would be you know could you share your perspectives on the key steps an organisation should take to prepare for potential insider fraud investigations? Specifically, what sort of legal and technical measures should be in place to facilitate a thorough and successful investigation.
Jess Ambrose, Associate
Mishcon de Reya
Oh well thanks Jatinder. So I think there’s three key things for employees to be aware of and starting with the first, I think that’s being aware of the warning signs. So what are we looking for when we suspect or we think there’s been some insider fraud. So just to give a few examples. It could be unusual levels of information being downloaded, employees changes to their sort of pattern of working, so that could be them working long hours, unusual hours, strange things happening with holiday, perhaps they’re making unusual requests, so they might be asking for data they don’t normally have access to, they could also be introducing more complex or complicated policies and practices and the reason we see employees do this is because it’s easier for them to disguise and hide any wrongdoing behind something that’s more complex. Secondly, I think it’s important that employers encourage a speak up culture, so to be on the front foot with this, it’s really important that employers create that safe space where employees feel as though they can blow the whistle and they can report wrongdoing. From an employment law perspective it will be really important to make sure you’ve got the right policies, procedures and training in place to facilitate that. And thirdly, having a plan in place because let’s face it, the last place that you want to be in one of these situations is on the back foot so, to get ahead of that, it’s making sure that you do have that contingency plan in place for what are we going to do if we suspect of find evidence of insider fraud and we’ll talk a little bit more later about what that entails. And lastly, just to finish off that point, I think bearing in mind other policies that will be relevant here, so that will be your acceptable use policy, your data privacy, perhaps you’ve got an IT and communications policy and that is to make sure that you can carry out that investigation when it comes down to it. Thank you.
Jatinder Seehra
Mishcon de Reya
Thanks Jess. Mark, have you got any insights?
Mark Tibbs, Partner
Mishcon de Reya
Yeah, so, I mean all the things that Jess said just now are great to have in place and you know, when we’re doing the investigations, we really rely on those kind of policies being in place to be able to do some of the work that we do because it can be quite intrusive and we don’t want to be breaking any privacy of employees for example. And then there’s a bunch of stuff that can be done from a technical perspective, you know there’s, there’s things like advanced data analytics for looking at large file downloads for irregular patterns, there are a lot of tools out there that are available to do that, to monitor and to keep an eye on sort of unusual anomalous behaviour. And so understanding these detection methods is very useful, very important for organisations to consider, but then in terms of sort of an investigation, we rely on technical logging, a lot of the information that we use in an investigation will be from you know having good access to these so, it’s important for businesses to sort of consider that and in their planning consider that, that it can be easily, made easily available without too much friction so, things like you know the access to email accounts, access to expense records and obviously there are, you know these are the kind of obvious places to look, but sometimes there are less obvious places to look like printer records or things like instant messaging so, so we rely on those kind of, those technical logging to help us and they can be really, really important for an investigation and I’ll give you an example of what I mean by that. So, we had a care where we were looking at the removal of confidential information and one of the data sources that we looked at was in fact a file system log, so it was logging all of the information around movement of files for example, but it was also logging information about IPs that were, that were being used to log in to a system and we were able to use that sort of metadata to show that our defendants were in a certain place at a certain time altogether, outside of their business and in fact in the business of a competitor. So, so stuff like that is sort of uncovering the obvious places but then obviously people are, when they’re doing this kind of work, they are, they are trying to remain covert so they might be taking steps to hide themselves and, and you know if they’re smart they won’t be using corporate sort of communications methods, they’ll be using other communication methods. However, it’s quite difficult to do that well and I think it’s worth when you’re doing an investigation to look at these sort of obvious places as well because sometimes people get sloppy, they leave clues and that’s always useful for our investigation so, yeah, there’s a technical point to it. And then I would say also, in preparation for an investigation, I would also a as a business encourage businesses to think about how they’re going to respond to certain incidents or certain types of fraud, you know, there’s a deterrent fact to investigating these things and to communicating it really effectively so, I think, you know personally I think, my opinion is taking decisive action against fraudsters is really critical for maintaining integrity and trust within an organisation and you know showing that you take it seriously as a business, it sort of, it allows your employees to see that you are fair, ethical, you know responsible, so I think it’s like a, a good proactive stance to, to show your employees that you know, you mean business and you take these things seriously.
Jatinder Seehra
Mishcon de Reya
Thanks guys, that’s really insightful.
Mark Tibbs, Partner
Mishcon de Reya
Cheers Jatinder. I’m going to take the next one. So, our next topic will be around the first steps to take because I think when insider frauds are detected usually, it can be a bit of chaos, from experience, and bringing together the right people and doing the right things can be quite tough and so I think there’s, there’s probably one or two things, Jess I’m looking at you in particular because I know you’ve got great experience in this so, so, when something has come to light, you know there’s been a financial discrepancy or there’s been an audit for example that’s thrown something up, what are the immediate actions that you think are the first things that you would advice a company doing other than getting someone like you on board of course.
Jess Ambrose, Associate
Mishcon de Reya
Thanks Mark. Yeah, I have to say that this is, as you mentioned, this is the chaotic point, this is quite frantic because you’ll have discovered this insider fraud or maybe you know you’ve suspected it and it’s, it’s everyone on board at this stage trying to decide what to do next. So the immediate next steps will be focussing on preserving and, preserving that evidence but also protecting the business, so the key at this point is to act swiftly and you don’t want to tip off the employee. That will be a balancing act between the need to protect the business from any ongoing harm but also that need to gather and preserve as much evidence as possible. If the employee is tipped off and if they’re tipped off too soon, then there is a risk that they could destroy or tamper with that evidence, so they could take steps to dissipate assets, they could cause further harm to the business, so it’s really important that you sort of manage that balancing act carefully. The business will need to carry out its own investigation and this is where we are often involved because fraud cases differ from ordinary internal employment investigations because the stakes will likely be much higher, given the potential liability and the risks for the business. So as you mentioned Mark, the business should instruct the right professionals to provide that support so, in…
Mark Tibbs, Partner
Mishcon de Reya
Good plug.
Jess Ambrose, Associate
Mishcon de Reya
…assembling that investigation team, as a first step. Keeping that circle to a small number of trusted and independent individuals, you’ll need to then plan out the investigation and it’s scope, you will need to conduct interviews and there will be a right time to do that, so making sure you’ve got enough information before you can interview the employees and the sequence of who you interview will also be really important, asking your experts or lawyers to draft those questions for you and another important step that not everyone thinks about is communication. So, at some point you’re likely going to have to communicate this with clients, customers, investors, shareholders, and other third parties but they may need to be managed really carefully. As we mentioned, keeping the circle small, you’ve got to be certain that these people can be trusted in this situation and that they haven’t been involved in some other sort of conspiracy or making sure that those communications won’t lead to tipping off the employee. Other legal considerations, just to mention if you will be regulatory issues, data privacy and also legal privilege. Legal privilege is always important when thinking about creating a helpful paper trail but also protecting the business’s legal advice. Another point which will be immediate step but there will be a certain point in the timeline where this is appropriate, is suspending the employee. So, suspending the employee may tip them off that you’ve obviously found out that something is wrong, you’ve got to justify to the employee why you’re doing that, but there will become a point where it is perhaps important to withdraw their access and suspend them from the business to protect the business from any further harm. So hopefully that gives you a few tips on the sort of normal, practical, immediate steps that we see happen once someone suspects there’s insider fraud.
Mark Tibbs, Partner
Mishcon de Reya
Yeah. And I get the impression from these kind of investigations that sometimes you’re working a lot with imperfect knowledge, so you’ve just got to kind of, you’ve got to come up with a strategy particularly around interviewing for example, that makes as much sense as you can of it and it’s always going to be based on imperfect information, you don’t know the background, you can gather as much as you know as possible within the timeframe but you don’t want to stop the dynamic nature of it carry on, you know your investigation so, I feel like that could be tricky.
Jess Ambrose, Associate
Mishcon de Reya
And I think that’s an important, yeah, I agree Mark, and I think it’s also an important point is to remember to always be flexible, these things are a fluid process and you can change the scope of the investigation and your methology as you go along and adapt to different things that you discover.
Mark Tibbs, Partner
Mishcon de Reya
Yep, sure, so Jatinder, how about? From a digital forensic sort of perspective, tell me, tell me about your, your insights.
Jatinder Seehra
Mishcon de Reya
Actually, interesting enough, we probably, I’d probably follow the same sort of steps as Jess because we tend to work hand in hand with solicitors so, you know, touching on the points that Jess has done like you need to act swiftly, efficiently to protect the business, but it’s crucial to operate discreetly to preserve evidence without raising awareness and requires balance as Jess has touched upon, you know, versus alerting the individual concerned or capturing essential data. I mean the first step generally with us is by then, when we’re introduced, you know identifying key individuals and digital evidence sources, you know once the individuals and sources are identified, you can expand the scope to, are they, are there individuals or other types of evidence, you know this will also help determine who is a suspect and who isn’t, you know, and it’s really essential to have a structured and managed approach for evidence gathering, but like Jess said, this will have to be flexible because in terms of investigation, it can, a lot, you know go down all different routes. One of the key things we tend to look at is, you know, utilise the controls that you have in place already so, you know, you might have monitoring software, you know this can streamline the process of identifying and preserving digital evidence, you know this is useful for you know company owned devices or bring your own devices where people bring their own phones and just have the mail or certain apps on there for a work perspective. It’s also collection method to different sources, you know, there’s digital collection and then there’s Cloud source, based collection and you know, you know for Cloud environments for a lot of stuff has moved to the Cloud, you know like resources like Office 365 and Slack, you know, it can be collected covertly so you don’t really have to do anything necessarily immediate but what you could do is you know they have features such as Legal Hold, so within the Cloud you can place a legal hold on an individual you suspected and that will preserve the data on the Cloud so the user can’t delete or modify or anything and you can collect it later, so it’s a great, great source. Physical devices, you know, you see laptops, they can be acquired without user consent, they’ve often got new technology where you can remotely acquire devices without anyone knowing, this can be done out of hours, you know, it used to be the case where I’d go into an office you know at midnight or late at night to collect someone’s device and you know the cleaners would come in and switch on all the lights and scare and scare them too, but you know that doesn’t have to be a thing anymore. One of the things that does prove difficult is collecting personal devices so, you know, sometimes Mark touched upon communication, sometimes a lot of insider fraud can be you know the communication aspect of it can be done on mobile devices like personal devices so, there’s a balance there so, at times it’s more we collect devices during the interview stage for personal devices and this obviously, you know, as soon as you do that the individual’s alerted so, you need to be careful how you do that. And once you have all that data in place, it’s you know important to build a timeline so you can reflect and review where your data is going and what happened so you know you can how it happened, you know what was taken and what are the next steps to take.
Mark Tibbs, Partner
Mishcon de Reya
Yeah, and I know, I know that part of the sort of important part of the process, Jatinder, is to do this all evidentially because of course you need to be leading to criminal prosecution, it could be leading to other legal action so, the integrity of like the investigation needs to be maintained with you know…
Jatinder Seehra
Mishcon de Reya
Yeah. Exactly. Yeah, notes, photographs.
Mark Tibbs, Partner
Mishcon de Reya
Contemporaneous notes and yeah, those kind of principles of evidence collection. I’m going to move onto the next topic as well, I think this is one for you, Jess, possible routes for investigation.
Jess Ambrose, Associate
Mishcon de Reya
Yeah, it is, I think I’m taking the next one. So, possible routes for investigation, understanding the potential routes. For investigating insider fraud and the types of evidence that can be uncovered is crucial for organisations. This knowledge not only aids in effectively addressing the immediate issue but it does also help with strengthening future fraud prevention measures. So more that the business understands about this the better prepared we can be. With that in mind, could you discuss the potential routes an investigation might take once the insider fraud has been suspected and additionally, what types of evidence or findings are typically uncovered during such investigations? I think Jatinder, I’ll start with you.
Jatinder Seehra
Mishcon de Reya
Yeah, thank you, Jess. So, you know, an investigation can take many routes, evidence can be you know printed documents, hard copy documents or terabytes of Cloud data, you know it’s crucial to explore all options and balance the cost because obviously it’s a costly exercise to get this in place versus an effective outcome for the business as a whole. As I touched upon earlier, you know, prioritising evidence sources, you know the data’s there, if it is, then in my experience you know all the evidence sources should be identified and prioritised based on the suspicions at hand, you know, often you analyse one type of data such as a company computer, you know, reveal you know unexpected other data sources so example add to mind was a case I worked on where someone had printed a document, another employee had found it and noticed his him address was on there and what that turned into was that we had to look through his pc and his email and all the rest of it and it turned out he was invoicing this property he did for doing up his house so, you know, it comes from one source and then you go into his computer, then you go into his work email and then you go further on so, this data can merge and move everywhere but it’s kind of important, like, you know when you can delve into numerous scenarios, it’s not like CSI where all this has happened, that’s happened, but you need to avoid you know jumping to conclusions and there’s numerous possible scenarios, it’s important to consider what’s feasible for the average user. But one other final point, I guess, is mediation so, once this data has been you know leaked or gone elsewhere, you know you need to be you know confident that you’ve gathered this data and you’ve secured it essentially for the business so, to make sure that it’s safeguarded and removed from the public domain. Another quick example we had was a company, X, data was exfiltrated to by an external threat to a Cloud sharing site, you know Mishcon was able to get in there, contact the Cloud provider, ask them, you know proof who they were, who owned the data, they didn’t have any other information but more importantly, we got the data back safe so, they confirmed that the data hadn’t been leaked, nobody had downloaded the data and the data had been securely deleted and you know, it’s important to ensure that that you know remediation part happens.
Jess Ambrose, Associate
Mishcon de Reya
Very interesting, thank you Jatinder.
Jatinder Seehra
Mishcon de Reya
Always is, always is.
Jess Ambrose, Associate
Mishcon de Reya
Mark, do you have anything from your perspective? Yeah, it is always interesting these things.
Mark Tibbs, Partner
Mishcon de Reya
Yeah, I think it’s all building on what Jatinder said so, there’s obviously a bunch of internal sources that we always look at and like I said, you know sometimes that can be labour intensive and not all that enlightening but it can lead us in other directions as well so, I think considering those is useful and like Jatinder said, there are third party data sources that shouldn’t be overlooked so, many of our insider fraud investigations have relied heavily on third party data so, this is sort of systems that are being used by employees for example, systems that perhaps are not under the control of our client or of the business so, as a business or as a legal team as well you know you might have to consider strategies for obtaining this data either through sort of legal disclosure of in some instances, you know if it’s, it’s a criminal action, you may find that third parties are willing to disclose certain data to you under data protection act exemptions for example so, in our experience, yes a lot of companies are wanting to help and they will do as much as they can but certainly there’ll be a point when, or usually there’ll be a point when they will sort of require top cover for what they’re providing so, so they may want to ask you to you know go through the legal route which obviously can be more costly and, and take a lot, a bit longer, but so as well as sort of looking at third parties, the other thing I wanted to highlight was around public information because all of our insider fraud investigations, they haven’t just relied on what’s, what’s available to the business, they’ve also relied on you know what’s available externally, so I’m talking about social media for example and we’ve had cases where, so there’s been suspected fraudsters whose lifestyles have been shown to be sort of beyond their means, you know international travel, first class travel, photographs on the beach etc, which helps build a picture of sort of lifestyle as well as, and if you can marry that up with sort of financial disclosures for example, which we did in one case, you’re able to see you know someone who had stolen some money from their business and then they were using it to you know to go on holiday and to take you know fancy first class flights and things like that, so, so I think it’s important that an investigation can consider that, obviously that’s not evidence but it is, it paints a picture of someone’s lifestyle and then things like CCTV as well, so, and not just in, you know you can obtain a CCTV can be useful to show if someone is coming into the office or you know a pass access logs as well, so things like that to show a sort of pattern of life as well, is it unusual from their normal day to day, are they coming in and again, I think Jatinder mentioned it right at the beginning, coming into the office late at night or you know are they, are they acting kind of suspiciously etc, etc. So, so, yeah, just not, not ignoring kind of external sources of information is really useful as well and I think we probably have to move onto the next question because we are running short on time. So I’m going to, I’m going to move over to you, Jatinder.
Jatinder Seehra
Mishcon de Reya
Sure, thanks Mark. You know, so the outcomes of insider fraud investigation can you have you know implications for both the organisation and the individuals involved from a legal standpoint, you know these outcomes may include civil or criminal proceedings, you know while from an employment perspective this could lead to disciplinary actions or terminations. So to understand these potential consequences, is it essential for organisations to navigate the aftermath of an investigation effectively and ensure compliance with within legal and regulatory environments. So for you guys, what are the potential outcomes of insider fraud investigation from both a legal and employment perspective? Jess?
Jess Ambrose, Associate
Mishcon de Reya
Yep, thanks Jatinder. I think you’ve mentioned a few of the main ones there but from an employment perspective, if the evidence does support that suspicion then you will be looking at disciplinary proceedings with the employee and at this stage in a case, you’ve probably already suspended them at that point, depending on how swiftly of course you’re moving and if the wrongdoing is fraud, then obviously that’s very serious and we are likely going to be in thar gross misconduct territory so, that allowing the employer to dismiss immediately without notice. And as you mentioned before as well, involving the police so, if we are in that territory of it being criminal, the business needs to consider though whether it will be helpful to involve the police because that might not always be the case but it is a possible outcome. And then civil action, the business has a right to pursue its own civil legal action against the employee to try and recover its losses, that’s the main purpose of this, and also to prevent any further wrongdoing being done at that point and some more immediate legal steps if you like in the civil courts would be to seek injunctions against the employee, so those could be freezing injunctions, to freeze the employee’s assets, there could be search orders or delivery up orders, there could be disclosure orders and also more general orders to try and stop the employee from continuing with that harmful behaviour until the main case is heard. So there’s, there’s a lot of different outcomes and sort of remedies available to businesses that we often help with.
Mark Tibbs, Partner
Mishcon de Reya
Thanks Jess. From a sort of practical perspective rather than necessarily just a legal perspective, I think that businesses need to recognise that these kind of investigations can be quite lengthy and complex and they’ve got to be resourced properly, so you’re going to find if you’re going into these kind of investigations that some of your staff are going to be spending a lot of their time on these cases and not, you know, doing their day job, so that’s something just for businesses to consider and then also I think lessons learned, like the key, the key thing about these kind of investigations is obviously you’re seeking justice or you’re seeking you know to get to the bottom and make sure that, that, that the people responsible are held accountable but then there’s also a wider, probably more important point to try and continually improve controls, you know, to analyse findings to identify weaknesses and to just implement those lessons learned and I think they can be lost sometimes when you are in the thick of an investigation to take stock of where you are, go back, have a wash up, make sure that you are implementing the changes that you need to do and usually that’s to do with fraud, you know fraud prevention, it’s access rights, you know does this person actually need to be able to do this or do these group of people do they actually, do they actually need access to this data. So there’s, there’s that, I think it’s probably the most important thing that you can learn from a fraud investigation but then one more thing that just came to me as well was around sort of making sure that, because investigations can sort of create anxiety amongst staff, so I think ensuring that you are clearly communicating why your actions are taken, you know, giving support to those employees that might need it and just to sort of maintain morale and manage reputational fallout as well. And I think that, that probably leads us to the, to the end of our session because we’re up to the half hour and it’s a flash, a Flash Digital Session so, thank you very much Jess, thank you very much Jatinder. I don’t think unfortunately we’re going to have any time for questions right now, but, yeah, if you’ve got any outstanding questions, please do send them in over email and there’ll be a recording sent to all of those who signed up and again, if you want to get in contact with any of us directly, please click on the ‘Resources’ tab down below and you’ll be taken to our bio and our contact details. Thank you very much for joining us.
Jatinder Seehra
Mishcon de Reya
Thank you.
Jess Ambrose, Associate
Mishcon de Reya
Thank you.