When you hear the word “whistleblower,” do you think business traitor or Good Samaritan? In most company cultures, it tends to be the former, which is unfortunate because more often than not, exposing a security issue is a matter of ethics, not malice for employees. However, because malicious intent has occurred before, the negative connotation lives.
Regardless of your stance, the scope of technology is widening and at the same time, the sophistication of data threats is mounting. Gaps in security are no longer acceptable, and entities like the Securities and Exchange Commission (SEC) are cracking down, holding organizations that don’t do enough to prevent breaches just as accountable as those that don’t meet the minimum security requirements. And a significant part of security breach prevention is encouraging employees to speak up if they detect a potential security issue.
- When R.T. Jones Capital Equities Management did not adequately prevent a security breach that compromised information related to 100,000 people, the SEC slapped the company with a $75,000 fine.
- The Dodd-Frank Act of 2010 (though good-intentioned) encourages employees to report wrongdoings directly to the government instead of internal management in exchange for a monetary reward (should the accusation be proved accurate).
- Law firms are actively on the prowl for employees who wish to blow the whistle on their organization (especially if their internal reports have gone unaddressed).
- 72 percent of businesses that suffer a major data loss shut down within two years.
Without a functional security whistleblower strategy in place, organizations create two new and unnecessary risks. First, employees are more likely to report their concerns to an outside source, which means a security issue could end up going public before your organization is even aware it exists! Second, employees could turn a cold shoulder to potential security issues, leaving gaping holes in your organization’s infrastructure that could result in a breach (for which you may be deemed liable).
In addition to taking security seriously (having a detailed protocol for the prevention and resolution of security-related issues), organizations should establish a program that encourages employees to report internally security concerns. Here are six tips for creating a security whistleblower strategy:
1. Create a Culture of Security
In a company culture that values security, employees possess an above-average understanding of security protocols and how best to utilize data. These cultures teach employees to be observant of themselves and others and encourage security reporting as an ethical obligation to ensure the safety of each employee, customer, and the organization at large.
2. Provide Numerous Ways for Employees to Report
To reduce the anxiety or emotional stress of reporting a security matter, employers should provide employees with a variety of ways to disclose information, including:
- A telephone hotline
- In-person reporting
- Online reporting
- O. Box
With numerous channels in place, the stress of being exposed is less likely to deter an individual from reporting an issue that could be potentially dangerous. Keep in mind, an in-person reporting protocol will require that someone on your staff be trained to collect the report and communicate with potentially emotional whistleblowers in a professional and helpful manner.
3. Educate Employees
If employees don’t understand how the whistleblower strategy will affect them, or why participation is important, they aren’t going to risk putting themselves “out there” to protect the organization. Furthermore, this isn't an endeavor that ends with new employee onboarding. Organizations must regularly talk about their overall stance on security with current employees, third-party partners, vendors, and customers. Conversations should include:
- What constitutes a security concern
- What is expected of employees
- How a security issue could impact the organization and employees
- The importance of reporting security issues
- What to do if an employee suspects a co-worker of foul play
- How to report security issues
- What happens once a report is made
4. Create Assurance Around the Strategy
It’s important that employees feel safe and protected by their organization, or there’s no way they’ll risk their neck to report a security issue. More than anything else, employees want to know:
- That their report will be taken seriously, and appropriate action will be taken
- That their involvement will remain anonymous and legally permissible if desired
- That they will not receive any backlash whatsoever for filing a report
These points should be clearly and concisely conveyed repeatedly to ease anxiety and help employees trust in the strategy.
5. Get Top-Level Support
The ethics behind your whistleblower strategy must come from the top. If your organization’s leaders aren’t backing the strategy and participating in the conversation, employees will doubt its efficacy and their safety. Moreover, top-level involvement and backing of ethical actions will help foster trust and employee loyalty in the organization. In this type of environment, employees will be far more likely to take pride in and defend their organization’s security.
6. Proactively Address Reports
If your organization doesn’t have a solid plan in place to investigate reports and resolve security issues promptly, the whistleblower entire strategy will unravel. Employees won’t take the reporting protocol seriously and worse, they’ll doubt your organization’s commitment to the cause. In these situations, employees may report to an outside entity instead, putting your organization at risk for fines, public scrutiny, reputation damage, and more. In addition to addressing reports, organizations must also remember to follow up with reporters if they wish to know the outcome. The follow-up acts as confirmation for them that their report was taken seriously.
Cybersecurity is a multibillion-dollar industry projected to more than double by the year 2020. Organizations need to rally their troops and work together to protect themselves and their customers, not only from internal and external threats but also from those who see cybersecurity growth as an opportunity to benefit themselves. With a respected and functional whistleblower strategy in place, organizations can help make security less about meeting compliance standards and more about ethical responsibility. At the same time, they will revitalize employee trust and pride in their organization, and solidify their reputation.
About the Author
Debbie Zaller is a Principal at Schellman & Company,LLC. Debbie leads the SOC 2 and SOC 3 service line and is also an AICPA SOC Specialist. Debbie has over 15 years of IT attestation experience and currently spearheads Schellman’s SOC 2 practice, where she is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee.More Content by Debbie Zaller