A selection of case studies from our recent customer engagements
United Kingdom
Industry: Retail
Date Of Engagement: 2022 - Present
A major retailing family office had previously suffered a data breach whereby a ransomware demand was made in exchange for the return of their data. The organisation paid the ransom, but the incident prompted pronounced awareness and concerns around issues such as effective business risk mitigation, cyber and information security, as well as operational resilience in general. They realised they required the help of trusted subject matter experts and legal counsel to mitigate their risks.
Having learned of the ever-growing list of threats, including, amongst others, ransom, kidnap and ideologically driven hacktivists with a grudge against certain types of family business, and needing to protect a large amount of assets, both physical and monetary, they saw it as vital to find ways to defend themselves.
After undertaking the initial assessment and associated risk report, QRI was appointed to deliver a cyber and information security roadmap in order to implement pragmatic improvements to support the board’s strategic objectives. We were also retained to provide a full CISO (Chief Information Security Officer) and advisory service. We integrated the QRI team with the family office, attended board meetings and were mandated to structure IT policies across all the separate businesses within the retail group. We also supported their teams with weekly workshops to gain their buy-in and confidence, with the overall result that we introduced and embedded a new data security operating model.
We now report on progress quarterly, and hold monthly conversations with the CEO and board members. Our report is tailored for their organisation, the geographically disparate markets in which they operate and the potential risks their organisation could face.
QRI also undertook a substantial project to upskill next generation family members to enhance personal protection and ensure ongoing compliance and security within the organisation. To this end, we helped the family office adapt their culture and adopt operational best practice.
Group Chief Financial Officer
"We appointed QRI because we knew that not only could we trust them, which is key for our organisation, but that they had a superior level of knowledge and expertise. They are also able to provide tailored legal advice around information security and compliance which is invaluable to us. QRI has proven to be a flexible partner who has also helped our board understand, in simple terms, the business impact of security complexity."
Family Member, Director and CEO
"The ongoing support we receive from QRI is outstanding. We feel like they are almost one of the family: we trust them to attend our board meetings and work with us to meet our organisational objectives. They understand what we want to achieve and help us accelerate outcomes to support our goals through their expertise and education to the wider team, whilst ensuring we consider risks we may not have thought about before."
United Kingdom, Canada, Africa
Industry: Recruitment
Date Of Engagement: December 2022
The Financial Director of a large, privately owned company had been committing fraud, which included regularly purchasing clothing, wine and luxury goods. As he had been taking small monetary amounts over a lengthy period of time, it went undetected for several years. In the end, it was discovered that he had stolen more than £1m.
The company and their retained solicitors quickly realised that between them they did not have the specialist cyber and information security expertise and situational awareness to advise the owners accordingly. The solicitors and owner wanted to have privileged conversations, promptly, before approaching their insurers (noting that this was a reportable event), law enforcement and the individual concerned.
QRI was highly recommended to the solicitors by an unknown third party, based upon QRI’s engagement in a similar matter. The company solicitors made discreet contact with QRI as they were seeking multi-disciplinary expert assistance.
Noting that urgent direction was required, QRI advised the owner and introduced Mr Sandip Patel KC, expert counsel (and member of QRI), who specialises in cross border civil and commercial dispute resolution, fraud, white collar crime, and regulatory proceedings.
QRI led the electronic investigation, within the National Police Chiefs’ Council guidelines, and identified that small sums of money were leaving the company account on a regular basis for non-business purposes. We alerted the business owner that inappropriate activity was occurring. The Financial Director was confronted and the necessary action taken.
Outcomes
Had QRI not been able to detect what was occurring, it is likely the fraud would have continued and the owner would have lost even more money.
The Board of the company also realised that they were falling foul of their fiduciary duties as detailed under the Companies Act 2006.
They have since retained QRI and benefit from the Risk 360 platform and risk management engine.
As a result of partnering with QRI to deploy a new operating model, they have been able to demonstrate their security posture in near real time and, for example, when there have been instances of business email compromise, to show that it is their clients and third-party partners that have suffered a breach and not the company. The saving in management time alone, required for these legacy investigations, exceeds the cost of QRI's monthly fees.
United Kingdom, Canada, Africa
Industry: Manufacturing
Date Of Engagement: March 2023 - Ongoing
A multi-generation family business received an email purporting to be from one of their suppliers, with an attachment stating that their banking details had changed and requesting that the business use these new details for their next payment of £30,000, which was due.
The team member who received this email did question its authenticity and phoned the supplier to check if it was true that their banking details had been changed. However, despite having the correct intentions to protect the organization, the employee called the number the criminals had used in their attachment, rather than using the number they had listed for the supplier in their database of suppliers.
After this situation, the family business engaged QRI to conduct a thorough review of their security and data protection processes with the aim of dramatically enhancing their overall security posture.
As part of this engagement, QRI provided the organization with access to the proprietary AI-enabled platform Risk 360, which led to the following outcomes:
a. Through a set of context-aware questions, recommended that the organization should move away from the existing information security training software to a more suitable service.
b. Allowed the finance & supply chain teams to proactively assess third-party risk, in near real time.
c. Allowed the organization to conduct automated third-party assessments.
d. Produced automated guidance for third-party partners & suppliers whose security posture is below the organization's risk threshold.
The organization has not knowingly suffered from online financial fraud since. It has lagging and leading metrics which demonstrate the reduction in human errors of judgement. The executives now have the Risk 360 application on their mobile devices, which displays near real-time risk in the same format as the board reporting packs.
The executives have stated that they like the simplicity of the application and that push notification alerts sent to them from the application bring any critical change to risk to their immediate attention, in a clear and simple format. They are now rolling out the QRI Risk 360 SaaS platform to all of their global entities.
Family Member and CEO
"As a fourth-generation family-owned business and as custodians of multiple companies trading across 70 countries, we are not about the short term – our aim is to build, improve and protect them. Naturally, we exercise superior governance when selecting and forming a partnership with our closest advisors. The team at QRI are an extension to our team and we trust them implicitly."
United Kingdom
Industry: Manufacturing
Date Of Engagement: March 2023
A Finance Director had taken copies of sensitive files from the company’s network as he was leaving the company. It is possible that he could have used these files to blackmail the company, or shared the sensitive data with competitors.
QRI identified that a USB device had been inserted into one of the company’s devices on the network and that multiple files had been copied onto it in a short space of time. The files were then deleted from the company network, which aroused suspicion, so QRI notified the owner of the business, who took the appropriate action with the Finance Director.
The Finance Director’s severance payment was significantly reduced, thereby saving the organisation money in the immediate term, as well as a potentially much greater loss if he had shared the details with competitors or used the files to blackmail the company.