Q&A: Improving Interview Dynamics From Afar
Millions of workers worldwide set up home offices, digital workflows, geographically dispersed teams, and meticulous video backgrounds after the COVID-19 pandemic forced many workplaces to go fully remote. Many companies remain at least partially remote, having realized some of the many savings and benefits that can come from a reduced physical footprint and improved digital infrastructure. In general, remote work changed many workflows forever—including investigations.
While some investigations still benefit from the investigator physically being in the location of an incident—such as a workplace accident or injury—or the scene of a crime, many corporate investigations can be handled remotely, especially with the help of technology, says Scot Walker, PCI, chair of the ASIS Investigations Community. Prior to shifting into the private sector, Walker was a criminal investigator for the U.S. Department of Homeland Security and a reserve special agent for the U.S. Air Force.
Cognitive biases can lead to faulty analysis and flawed conclusions
In this new report by Liferaft, learn the top five most common mental heuristics that can sabotage workplace investigations.
Now, as a lead investigator, he can leverage a proxy on-site to film or video-call him to assess a location remotely, and if it’s an investigation of digital records, such as emails, “I don’t need to be at the data center where the emails reside to go look at emails,” he says.
Despite the many changes in the world of work in the past four years, fraudsters are still fraudsters, Walker says, and if an investigator can prove fraud remotely, it saves the company money.
“The ultimate goal with corporate investigations is not to catch the bad guy,” he says. “The ultimate goal is to get to the root cause of the issue and close those gaps—stop the hemorrhaging. Nine times out of 10, it costs you money.”
By leveraging remote interviews and investigation techniques, Walker says, security teams can often reduce the cost of an investigation and close vulnerabilities without sapping additional resources.
In this interview, Security Management spoke with Walker to discuss the merits and obstacles of remote investigations. It has been lightly edited for clarity and brevity.
Security Management (SM). What kinds of tools and skills are crucial for when it comes to conducting a remote investigation?
Scot Walker, PCI. You’ve got to know how to use resources. You’ve got to know how a business works and then who or what organization is in charge of the thing that you need access to. Before I first landed in Silicon Valley, I was in law enforcement, and I had all the resources of the federal government at my disposal. I could push a panic button and get hundreds of investigators if I needed them. When I landed at my first tech company, I was the only person with any real investigative experience, with the exception of my boss. I had to do everything myself and use what I’d learned from over 10 years in law enforcement. What I had to learn is a business operates in a certain way.
You’ve got to know who you need to talk to and who you can bring into that trust tree because not everybody is going to be trustworthy. Not even people on your team may be trustworthy. You have to figure out: “Who do I need to talk to? What do I tell them? What level of information do I give them?” Because if you’re working on something that has a human resources component, can you go to those people and you say, “Hey, do an investigation on Mary. I need Mary’s personnel file.” They’re going to go, “What? Why would you need such personal information?”
Then you can be honest with them and tell them what the issue is, or you might have to have a backstory or some other reasons that you need to make up. But number one is you got to be able to connect with people and then know how the organization is formed, and who’s responsible for what so that you don’t destroy a relationship—if somebody thinks you’re off the reservation during an investigation, they’re not going to help you. That was their job. Then you become untrustworthy. All we have as our investigations team, or as investigators personally, is our trust. We have to establish that.
SM. Moving into the actual process of an investigation—background checks and due diligence are ones that would work very well in a remote investigation environment, correct?
Walker. With one exception: Due diligence. Records. When we’re looking at records, we’re only as good as the database or the type of records that we’re able to look at. Having done probably several hundred background investigations or corporate due diligences, I can tell you that government records are good or they’re bad. I’ve seen very large government entities that I thought would have great records have absolutely horrible records. I’ve seen small entities that I thought would be terrible, be good. It really just comes down to what you can access.
The ultimate goal is to get to the root cause of the issue and close those gaps—stop the hemorrhaging. Nine times out of 10, it costs you money.
If your source is junk, your information’s susceptible to being wrong. How we look at things, when we look at things, are they dated? Can we draw a connection to them to being authentic and to being real, and to being true? How do you do these, how do you conduct these investigations? Our job is to be fact-finders. That’s it. I may provide recommendations, but only after I found all the facts and then I told you what all those facts are.
SM. When it comes to an investigation that you are conducting remotely, you need intelligence, and you want to talk to witnesses, someone who filed a complaint, or the person who’s being accused. How do you identify, connect with, and coordinate with these people while conducting a remote investigation?
Walker. There are a couple of tripwires. One tripwire that I’ve got to know before I do anything is: who are we talking about? Who’s involved? Are the allegations or the people that are involved under my purview? For example, if you have a (third-party) contractor, can I investigate that person? Maybe, but maybe not—depends on the jurisdiction. Sometimes you’ve got to be really careful when you start dealing with people who are outside of your company.
You can’t impose your employment rules on somebody who’s not your employee. You've got to be sensitive to labor laws. Before I've even talked to anybody, I’ve got to figure that out and try to understand it. Fortunately, it's not complex—most people can figure it out in probably 30 seconds.
Another tripwire is: what are we investigating? What are the allegations? Is there a violation of civil law or a violation of criminal law? Or is it simple code of conduct violation? You’ve got to have an understanding that this is where we’re going and this is what the concern is. That will help guide you to know this is what I can do and this is what I can’t do.
The private sector is similar to my experience as a military criminal investigator—I’ve got to know who they are, got to know what we're investigating, essentially where are we going with this? What are we doing? And then we can start talking to people but even before that, I like to do even deeper due diligence, maybe even on the people that I'm going to talk to. Where are they in the world? That could be important, especially when you're trying to do something sensitive.
Companies Face Upwards of 700+ Social Engineering Attacks Annually
Download our e-Book and learn how open-source intelligence can be used to investigate these attacks and de-anonymize threat actors.
SM. Another part of gathering intel is building rapport with the people you’re interviewing. What are some effective methods to doing that remotely?
Walker. What I like to do first is I’ll go on LinkedIn, see if you can find them, but not everybody’s on LinkedIn.
The next thing I’ll do is—if you have access or a partnership with HR—look at HR records. I’ll go in and look at how long a person has been with the company, what’s their specific job, what’s their specific work location, if I can see it. What was their last rating as an employee? Are they getting good marks? Who’s their supervisor? All of that gives me some indication of how I can build that rapport with somebody.
I’m looking for commonalities. When I look at LinkedIn, if I’m talking to somebody who’s obviously not from our industry, I’m going to look for law enforcement, military experience, security experience, or location experience.
SM. Is it all that foundation that helps build rapport? Or is it also in the moment, too, when you’re on Zoom or Teams?
Walker. Why you’re talking to somebody matters, too. So, if we’re interviewing somebody who's just a witness and they’re cooperating, they’re not difficult. They understand that everybody signs a code of conduct, which is also really important to understand. Whether you’re looking at a civil violation, criminal violation, or a code of conduct violation, that’s just as important. The code of conduct should say something about telling the truth or being helpful and being honest.
You have to understand why you’re talking to these folks and, to your point, how long you build rapport with somebody really depends on what you think they know and if you think you’re going to have problems. This is why you got to really understand who they are. What do they do in the world? Where do they live? Are they married? Are they divorced? Do they have kiddos? What’s their education level? I want to know that before I get in the room, and I can’t pivot once I’m in the room or the virtual room.
When you’re talking to a subject, you’ve got one shot at that when it’s in person. Now that we’re all remote, I don't know if that’s the case. If you’re talking to a subject, you may keep things above board and not lighthearted, because it’s not a joke. But you keep things amicable throughout the conversation, you may be able to get away with saying, “Hey, you’ve given me a lot of great stuff, good notes to go dig into and research. I’ll tell you what, why don’t we pick this up tomorrow?" That’s more acceptable today in remote investigations than it ever was in physical, in-the-room investigations. Then, once the person walked out that door, you were almost guaranteed not to get them back in the room.
SM. Do you find that you have more control now in remote investigations when it comes to interviews than you did before?
Walker. I think you have more control with schedule and your ability to disengage, whereas when you are in the room and if it got heated or if it got a little off track or sideways, it’s really hard to bring them back. Now you could say, “My Internet went out.” You can pull that.
Control’s an interesting thing to talk about because I think it’s more scary now than more than ever with remote. You don’t know where that person is in the world. They don’t know who you are.
Nine times out of 10 when I would show up as a federal agent to do an interview, the person being interviewed would come to me for the interview. They came to a professional office that had a badge on the door and had pictures of people doing cool stuff on the walls and I had a badge, credentials, and could be like, “This is who I am.” We would start all our interviews that way and so you knew everything was above the board.
I just talked to a whistleblower yesterday, and I was thinking halfway through the interview, “She's just trusting I am who I say.” She’s no longer in her company. She can’t go to our corporate directory and look me up because she's not in the company.
If I feel like I need to provide bona fides of who I am, I'll name-drop or location-drop. If we have an acronym, I'll use the acronym, because the listener will think, “Oh, yes, they’ve said this location isn’t actually called this in the company, they use that term. Or they talked about a manager who not everybody in the company knows about.” If you can build that rapport through finding that commonality, they’ll be hopefully more open.
We’ve got to be really careful with trying to be secret squirrels.
We’ve got to be really careful with trying to be secret squirrels. The same thing with corporate. If they don't know who you are, are they really going to be open with you about what’s going on? Maybe, but probably not. I wouldn’t be open with somebody who won't really tell me who they are, they don’t have a LinkedIn profile, or I can’t find in the corporate directory because they do secret things for the CEO.
You've got to be careful with what your persona is. I’m not saying that you got to give them your home address, but you do have to cultivate a bit of professional image on who you are.
SM. How do you assess the information that you gather remotely, whether that’s from interviews or from records that HR or legal sends you?
Walker. It's tricky. I’ve had situations where somebody will send me an email as evidence of whatever we're trying to investigate. That’s really helpful—it gives me the dates to times that people were on the email, and maybe some level of evidence on what was said. I've also seen where people have changed those facts, and if they sent me a scan, it’s not the scan of when the incident occurred, it’s maybe a scan of another email. I go back to attribution.
I went through evidence collection school when I was a federal agent, and we talked about best evidence. Best evidence is the original piece of information. In the email example, assume they gave me an email. I'm going to go do what I call a parallel construct. If I get information that has a questionable legality, I can go and try and prove my case with that bit of information, or I could figure out another way that I could find that out.
With the email example, I would go to all my IT partners and tell them the parameters, and they usually pull the email and send it to me. If they can give me that actual file, then I can compare them side by side, and this helps you validate the person you were talking to as well.
I always start off with being a fact finder; I don’t provide any judgment at all. Evidence can help corroborate or disprove what someone says.
Stay Alert, Stay Updated
Find out your top 7 security-news articles,
I’ve always had a saying, and it’s not one that I made up: “I believe nothing that I hear and only half of what I see.” If I don’t really believe what you're giving me, I need to go figure out how to either recreate it, so I can understand it, or find another witness who can corroborate it. I need to do some work.
Now, I think things are really different because we’re all remote. This is where you’ve got to rely on those relationships. You’ve got to build rapport with other people who can help you pull this information in and then can support you, because I don’t believe anything anybody gives me—whether they're a witness, or a victim, or a subject. I want to go and parallel construct, try to find that information on my own.
SM. Is there a point when operating remotely starts to become a hindrance rather than something that's helpful in an investigation? At what point do you know you need to switch gears?
Walker. What it will come down to ultimately is cost. If the organization wants to pay for you to go, physically be in a location, it's important. Workers comp fraud investigations are a good example of that. You can do a lot of work remotely—check their social media and see if they’re on a jet ski over the weekend, or you can even talk to their manager, legal, or HR. At some point you’re going to have to figure out whether it’s worth going out there. In some cases, it may be. In other cases, it just may not be.
I have seen companies eat money, lots of money, because it just wasn’t worth doing the thing. When I was working in tech, we had black market and grey market issues. Grey market is, “Hey, we pushed a product at this price point, yet our retailers are selling them at a lower price point. We’re not making good margins.” Black market is, “It fell off the back of a truck and wound up in a retail space that we weren’t operating in or maybe we weren’t allowed to operate in.”
We would investigate those things, and when we got opportunities, we would send people into those areas to try and confirm those allegations. That’s the ultimate goal. Most of the time it was the manufacturer flooding the market on the back end somewhere, trying to drive down your prices. But are you going to spend maybe tens of thousands of dollars sending investigators to go and find one or two situations where you think this is occurring? Maybe if you are a big box store. Smaller retailers or retailers with really good margins aren’t going to do that.
It's really incumbent on the money. Is the bang worth the buck? Because you come back empty-handed more than a couple of times, and you probably won't get any opportunities to go do stuff like that.
Sara Mosqueda is associate editor for Security Management. Connect with her on LinkedIn and on Twitter @XimenaWrites.