It’s Time to Blow the Whistle on Deficient Cyber Reporting Programs
- Cyber Breach Response
- 4 Mins
What exactly is cybersecurity whistleblowing? That is a question that all organizations should be asking, but the answer is not a simple one. According to the Merriam-Webster dictionary, a whistleblower is defined as an 'employee who brings wrongdoing by an employer or by other employees to the attention of a government or law enforcement agency.' While whistleblowing is familiar in situations such as unsanitary working conditions, hazards, and payroll fraud - cyber is a fairly new territory. Now is the time to understand what this actually encompasses in order to take appropriate steps to combat security threats and close gaps before regulatory involvement.
Managing cybersecurity concerns and the possibility of whistleblowing needs to be included in cyber readiness initiatives, but also embedded in company culture. Having the enterprise take a teamwork approach to cybersecurity will increase awareness, provide a clear reporting mechanism to voice concerns, and control uninformed whistleblower claims. But what does this look like and where should CISOs and legal begin? While there is not a “one-size-fits-all” solution, there are fundamental steps to take that will make it easier to spot imminent security threats, manage cyber resources, and streamline internal investigations.
The Dilemma
New digital threats are constantly surfacing. Organizations have to balance these threats against budget constraints, resources, regulations, and data indicating attack probabilities. A breach can lead to serious legal and reputational consequences. Clear information governance, incident investigation, and breach response plans are important to limit the fallout. However, even when having strong protocols in place there needs to be additional measures to facilitate cyber awareness. Without proper communication on cyber controls, reporting procedures, and companywide responsibilities – an organization opens the door to claims that could be avoided or remedied prior to regulatory involvement.
Imagine this scenario. An employee believes there is a serious security gap and reports it to someone within the organization. Turns out, this was the wrong person to contact and it fell between the cracks. Failure to address this issue results in a breach and regulatory involvement or legal liability ensues. Going in the other direction, say the perceived gap actually was not a threat but the employee felt unheard and filed a formal complaint or called their employer out on social media. Either way, harm will ensue that could have been avoided. Had the organization implemented better communication regarding reporting procedures, this could have been investigated and resolved internally.
Maintaining cyber programs where reporting procedures are clear and routinely communicated is crucial. Also include whistleblowing protections in company handbooks and as a part of cyber training so everyone knows their rights, as there are absolutely times when these measures are warranted. Several regulators have recently increased protections and are incentivizing cyber whistleblowers. The range of behavior covered is wide and includes things such as breaches and security vulnerabilities. To balance all of this, company culture needs to evolve.
Changing Culture
While there is always the likelihood of uniformed and unsubstantiated complaints, this can be counterbalanced with increasing cyber awareness within the enterprise. Make it known that protecting company data is every employee’s responsibility and there are procedures in place to accomplish this feat. In turn, the right complaints will get to the right places and there will be solid checks on cybersecurity to achieve the ultimate goal of keeping data safe.
Here are three hallmarks of a solid plan to elevate cyber hygiene within an organization.
Enhance cyber training programs
Oftentimes people that report problems to regulatory agencies or the public often do not have all the information relating to business risk decisions or complex technologies involved. The resulting investigatory response and reputation repair will utilize a lot of resources. This reality needs to be offset with valuable education that will promote transparency and expand cyber knowledge for everyone in the organization. This should be included past onboarding and be embedded into daily activities via mandatory training, open forums, cyber alerts, simulations, and other educational opportunities. Also ensure that managers regularly talk about cyber responsibility to their teams and how to report suspected issues via the appropriate channels.
Offer a reporting hotline
Having a hotline set up through a third-party is a solid investment to help manage cyber complaints while also providing the added benefit of employees feeling more comfortable to report. Hotlines are often part of a larger initiative, so if cyber complaints are not included in a current agreement it is a good time to think about the benefits of expanding these capabilities.
Have detailed protocols for handling complaints
There will likely be several ways that cyber reports occur, even when a separate hotline or IT process are in place. Other avenues could include direct managers, HR, and legal. Everyone in these roles – and throughout the entire organization – should know where to escalate reports. Then, the appropriate team can sort through the reports and determine which issues are actual threats, everyday IT issues, or instances of whistleblowing. Risk analysis and legal obligations will feed into these designations. Having policies around following up with individuals who report is also a good idea to keep decisions transparent and defensible.
Conclusion
There are two important takeaways here given the regulatory landscape and increasing importance of cybersecurity in business. First, organizations need to understand that cyber whistleblowing is a real possibility. Second, updating programs to address internal reporting gaps is critical. Tackling problems head-on results in quicker remediation and lower exposure risk. This also allows the organization to allocate resources to fix a security problem earlier on versus dealing with a larger investigation or reputational repair down the road.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.