When Distance Becomes a Risk: Reclaiming Control of a Shanghai Subsidiary

Some incidents require more than a traditional cybersecurity response. They demand coordinated action across both the physical and digital worlds, with precise, discreet execution and timing that leaves no room for error.

This is an account of how TEKID and PSU (China) Consulting, a long-standing partner and leader in risk and security consulting, worked together on the ground in Shanghai. The goal: recover digital evidence of wrongdoing, understand how far inside the organisation the problem had spread, and do all of it before anyone on the ground had the chance to make any of it disappear.

The Hidden Risk of Distance

For companies operating across multiple regions, one challenge often remains underestimated: the further a subsidiary operates from headquarters, the harder it becomes to maintain clear visibility over what is actually happening locally.

Information flows upward. Decisions flow downward. Between the two, blind spots open.

A European manufacturing company approached PSU with serious concerns about members of the local management team within its Shanghai subsidiary. The evidence pointed to actions that were directly contrary to the company’s interests. But the situation was more complex than a straightforward case of management misconduct. Questions remained about how far it extended — whether other staff across finance, HR, and IT had knowledge of what was happening, or had played a role in enabling it.

The company headquarters had no reliable access to the subsidiary’s IT environment. They were, in effect, locked out of their own systems. They could not see what was on those systems, who had access to what, or what might already have been altered or removed.

The question was no longer whether to intervene, but how to do so without alerting anyone inside the office — and without yet knowing who inside the office could be trusted.

A Coordinated Physical and Digital Response

What made the situation particularly delicate was the need to manage two parallel dimensions simultaneously, in an environment with a high degree of uncertainty and many unknown factors.

PSU led the operational and investigative coordination on the ground. This included managing the human dimension of the intervention and conducting interviews. They worked closely with the client’s incoming leadership team while maintaining control of a situation involving individuals whose degree of involvement — if any — had not yet been determined.

TEKID managed the digital response by deploying two teams working in parallel. The forensic team was responsible for device acquisition and the preservation of forensic evidence — 10 devices including laptops and desktops. The cybersecurity team handled the restoration of IT access rights and operational control to headquarters.

Neither side of the operation could function independently of the other. Any gap between the physical intervention and the digital response could have resulted in lost evidence and lost control of both the systems and the investigation. The success of the operation depended entirely on precise timing, fully synchronised execution, and mutual trust in each party’s ability to deliver its mission.

The Day Control Was Reclaimed

Much of what determined the outcome had been decided before either team set foot in the building.

In the days leading up to the intervention, critical technical groundwork was quietly put in place. Headquarters had no direct access to the subsidiary’s IT environment, making this preparation essential. Without it, TEKID would have had no operational foothold at the start of the intervention. Access to key systems was secured discreetly. Contingency plans were established in advance. The conditions for a controlled transition were prepared without raising any suspicion inside the Shanghai office.

On the day of the intervention, PSU and TEKID entered the building together. PSU managed interviews, personnel coordination, and the broader operational environment. In parallel, TEKID’s forensic team worked methodically through the devices while the cybersecurity team coordinated with the client’s IT team at headquarters. All unauthorised remote access was cut off, and full administrative control was successfully restored to HQ within the morning.

From that moment, no one in the Shanghai office could access company systems or data without authorisation from headquarters.

Every forensic acquisition was conducted on site under strict chain-of-custody procedures. This ensured the integrity and admissibility of the evidence for any potential legal or regulatory proceedings.

Following the intervention, the recovered forensic data was investigated and analysed by PSU. The analysis ultimately helped answer the question that had hung over the entire operation: who else, beyond the management team, had been involved? It also provided additional evidence regarding the management team’s own role in the activities under investigation.

In the days that followed, TEKID conducted a full security review of the subsidiary’s IT environment and delivered a remediation roadmap to the client’s newly appointed IT provider. This gave headquarters a clear understanding of the actual state of the environment and the corrective measures required to restore security and operational control.

Outcomes

  • Operational control fully restored to headquarters within the same day
  • 10 devices forensically acquired under chain of custody, with zero loss of evidence
  • Remediation roadmap delivered to incoming IT provider within 10 days
  • Evidence preserved to a standard admissible in China

Key Takeaway

This case is not unusual. It is simply more visible than most.

When subsidiaries operate with significant autonomy and limited oversight, conditions like these develop gradually — particularly in complex regulatory, operational, and cultural environments where on-site intervention is difficult. Broad local freedom, often justified by “local business practices” or cultural differences in management style, can quietly reduce visibility and weaken effective control. By the time the situation reaches the headquarters desk, the window for a controlled response may already be narrowing.