866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Tips for Creating a Security Whistleblower Strategy Blog Feature
DEBBIE ZALLER

By: DEBBIE ZALLER

Print/Save as PDF

Tips for Creating a Security Whistleblower Strategy

When you hear the word “whistleblower,” do you think business traitor or Good Samaritan? In most company cultures, it tends to be the former, which is unfortunate because more often than not, exposing a security issue is a matter of ethics, not malice for employees. However, because malicious intent has occurred before, the negative connotation lives.

Regardless of your stance, the scope of technology is widening and at the same time, the sophistication of data threats is mounting. Gaps in security are no longer acceptable, and entities like the Securities and Exchange Commission (SEC) are cracking down, holding organizations that don’t do enough to prevent breaches just as accountable as those that don’t meet the minimum security requirements. And a significant part of security breach prevention is encouraging employees to speak up if they detect a potential security issue.

Consider this:

  • When R.T. Jones Capital Equities Management did not adequately prevent a security breach that compromised information related to 100,000 people, the SEC slapped the company with a $75,000 fine.
  • The Dodd-Frank Act of 2010 (though good-intentioned) encourages employees to report wrongdoings directly to the government instead of internal management in exchange for a monetary reward (should the accusation be proved accurate).
  • Law firms are actively on the prowl for employees who wish to blow the whistle on their organization (especially if their internal reports have gone unaddressed).
  • 72 percent of businesses that suffer a major data loss shut down within two years.

Without a functional security whistleblower strategy in place, organizations create two new and unnecessary risks. First, employees are more likely to report their concerns to an outside source, which means a security issue could end up going public before your organization is even aware it exists! Second, employees could turn a cold shoulder to potential security issues, leaving gaping holes in your organization’s infrastructure that could result in a breach (for which you may be deemed liable).

In addition to taking security seriously (having a detailed protocol for the prevention and resolution of security-related issues), organizations should establish a program that encourages employees to report internally security concerns. Here are six tips for creating a security whistleblower strategy:

1. Create a Culture of Security

In a company culture that values security, employees possess an above-average understanding of security protocols and how best to utilize data. These cultures teach employees to be observant of themselves and others and encourage security reporting as an ethical obligation to ensure the safety of each employee, customer, and the organization at large.

2. Provide Numerous Ways for Employees to Report

To reduce the anxiety or emotional stress of reporting a security matter, employers should provide employees with a variety of ways to disclose information, including:

  • A telephone hotline
  • In-person reporting
  • Online reporting
  • Email
  • O. Box
  • Fax

With numerous channels in place, the stress of being exposed is less likely to deter an individual from reporting an issue that could be potentially dangerous. Keep in mind, an in-person reporting protocol will require that someone on your staff be trained to collect the report and communicate with potentially emotional whistleblowers in a professional and helpful manner.

3. Educate Employees

If employees don’t understand how the whistleblower strategy will affect them, or why participation is important, they aren’t going to risk putting themselves “out there” to protect the organization. Furthermore, this isn't an endeavor that ends with new employee onboarding. Organizations must regularly talk about their overall stance on security with current employees, third-party partners, vendors, and customers. Conversations should include:

  • What constitutes a security concern
  • What is expected of employees
  • How a security issue could impact the organization and employees
  • The importance of reporting security issues
  • What to do if an employee suspects a co-worker of foul play
  • How to report security issues
  • What happens once a report is made

4. Create Assurance Around the Strategy

It’s important that employees feel safe and protected by their organization, or there’s no way they’ll risk their neck to report a security issue. More than anything else, employees want to know:

  • That their report will be taken seriously, and appropriate action will be taken
  • That their involvement will remain anonymous and legally permissible if desired
  • That they will not receive any backlash whatsoever for filing a report

These points should be clearly and concisely conveyed repeatedly to ease anxiety and help employees trust in the strategy.

5. Get Top-Level Support

The ethics behind your whistleblower strategy must come from the top. If your organization’s leaders aren’t backing the strategy and participating in the conversation, employees will doubt its efficacy and their safety. Moreover, top-level involvement and backing of ethical actions will help foster trust and employee loyalty in the organization. In this type of environment, employees will be far more likely to take pride in and defend their organization’s security.

6. Proactively Address Reports

If your organization doesn’t have a solid plan in place to investigate reports and resolve security issues promptly, the whistleblower entire strategy will unravel. Employees won’t take the reporting protocol seriously and worse, they’ll doubt your organization’s commitment to the cause. In these situations, employees may report to an outside entity instead, putting your organization at risk for fines, public scrutiny, reputation damage, and more. In addition to addressing reports, organizations must also remember to follow up with reporters if they wish to know the outcome. The follow-up acts as confirmation for them that their report was taken seriously.

Cybersecurity is a multibillion-dollar industry projected to more than double by the year 2020. Organizations need to rally their troops and work together to protect themselves and their customers, not only from internal and external threats but also from those who see cybersecurity growth as an opportunity to benefit themselves. With a respected and functional whistleblower strategy in place, organizations can help make security less about meeting compliance standards and more about ethical responsibility. At the same time, they will revitalize employee trust and pride in their organization, and solidify their reputation.

About DEBBIE ZALLER

Debbie Zaller is Chief Operating Officer at Schellman. Debbie is responsible for maintaining and driving operational results and executing the firm's strategic goals. Debbie oversees all daily operations of the firm while spearheading the development, communication and implementation of effective growth strategies and processes. Debbie has over 21 years of IT compliance and attestation experience. Debbie led the firm's Midwest, Southeast, and Northeast regions along with the national service lines of SOC 2 and Privacy service lines as Managing Principal before assuming the position of COO in 2021. Debbie holds a Master of Accounting degree from the University of Florida. She is a Certified Public Accountant, Certified Information Privacy Professional/United States, Certified Data Privacy Solutions Engineer, Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified Cloud Security Knowledge. She is currently an AICPA-approved and nationally listed SOC Specialist and speaker on various privacy topics. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.