Case study with private investigation company, Expert Investigations.
Expert Investigations is a commercial detective investigation agency, its physical offices closed since the first COVID lockdown, but they are still working virtually in effect from 4 sites, London, Birmingham, Coventry and Leeds.
Managing Director, David Kearns is a former police officer who held a specialist role in the force that included covert and overt intelligence gathering. He set the business up 21 years ago because he saw there was a gap in the market for a good quality investigation company to service the legal and the commercial sector. Sometimes described as a maverick, David is highly respected in the industry due to his reputation for thinking outside the box as well as protecting his business and his clients with the highest of professional compliance standards. He even advised the BBC in their portrayals of private investigators.
Using a combination of employees and sub-contractors, Expert Investigations are a team of 22. One specialised area of expertise for their investigations is the area of dishonest employees. David’s team conduct surveillance operations, computer forensics investigation, statement taking and interviewing, covert vehicle tracking and de-bugging in the commercial world.
What are the largest security concerns?
Those that work as a professional independent investigator find themselves in an unregulated industry. A private investigator can currently work without a licence in the UK which opens the field up to those unqualified operatives offering improper services. In this climate, reputation is hugely important to an investigations company and we are often judged to be only as good as our last job.
The dishonest employee is a huge risk for organisations and one that I help others with, but it is not the only way to lose your client data or compromise your professional reputation. Less than 25% of investigators have indemnity insurance and therefore even less will be GDPR compliant. Because if they’re not paying for professional indemnity insurance, they’re not going to pay for Cyber Essentials and IASME Governance certifications.
We first got both Cyber Essentials and IASME Governance certifications when the GDPR was coming in. I spoke to Helen Barge from the consultancy, Risk Evolves in October 2016 and said that we needed to be ready by 2nd January 2017. I was, and still am, keen to promote the fact that, in an unregulated industry where there is no governance, our investigation company is prepared. I think it’s a very powerful marketing tool. We do investigations, we do process serving and we do tracing and asset reports and we often work with law firms. As a matter of course, we will send them our terms and conditions and compliance documents.
How was the process for you in certifying to Cyber Essentials and IASME Governance?
It was pointless for me to try to work in this arena unassisted, because it’s not an area that I’m comfortable with. I’m a believer in getting in the right people so I brought Helen Barge in and simply said, you ask, and we’ll give it to you. Risk Evolves is excellent, we go through the process each year to get our certification and it’s a seamless process for us.
Initially, we had highlighted some areas that we were concerned about, particularly with one area of the business where we are putting documents out all over the country. They are legal, sensitive documents, but we can’t possibly have an employee in Berwick on Tweed and one in Portsmouth and one in Maidstone, so we have to subcontract out to a document service to deliver these documents. That was the biggest risk, but we thrashed through how we could overcome those hurdles and we did. I believe no problem is insurmountable, you’ve just got to work out how to get there.
What is your advice to other small businesses?
Get certified. There are no ifs and buts, because if you don’t, and something happens, the ICO will come along and you’re going to find yourself in a difficult position. In my business, we have to move quickly, so we have to have a system in place that allows us to do that and I did not want to put things in place that could stop us from being operationally swift and agile. If you’re a small company, going through the process to gain IASME Governance certification can give you the compliance and security and it can be at a reasonable cost, reasonable for the size of your business. I’m sure that if something went wrong and we were looked at, the ICO might come in and advise something but we wouldn’t get as highly penalised for it because of the size of our business, we feel that we’ve done everything that can be reasonably expected.
What else do you advise businesses to put in place?
As well as getting Cyber Essentials or IASME Governance certification, my advice is also to have fraud insurance. I’m an associate member of the Fraud advisory panel on the committee of the Midlands Fraud Forum and we are seeing that fraud is a huge problem for organisations.
I think there’ll be a huge increase in fraud attacks in business and we’re getting to the point where there needs to be compliance. Cyber Essentials will stop 80% of cyber attacks, so now the most vulnerable part of your business is your people.
We hear our grandparents say that when they went out, they never locked their doors, nowadays, you would not go out without locking your doors, setting your alarm and putting your house cameras on. In the same way, businesses will be forced to change, to have more bells, more bolts, more whistles, more situational crime prevention. That situational crime prevention has to be on your software systems and your IT systems as well as your physical perimeter protection. Now, there are so many people working from home, so many more devices that are dispersed across a wider area, that leaves a vulnerability and that leaves an opportunity for fraudsters.
I think that insurance companies could actually be the ones that drive compliance. They will stipulate that irrespective of the size of your business, you need to have fraud insurance, which means you will need to do a fraud risk assessment. In the SME sector, less than 1 in 5 companies have done a fraud risk assessment. I think it will become a pre-requisite that organisations will have to have compliance and have to give training.
Expert Investigations is currently reviewing the IASME Counter Fraud Fundamentals (CFF) scheme. The CFF scheme was developed in partnership with The Open Banking Implementation Entity and a team of counter fraud experts to certify organisations of all sizes in the best practice counter fraud measures.
For more information about Expert Investigations, visit their website.
Find out more about the IASME Governance scheme here.