How well is your organisation managing the risks of whistleblowing? Here's how to avoid a deficient cyber reporting program
What exactly is cybersecurity whistleblowing? It’s a question that all organisations should be asking, but the answer is not a simple one. According to the Merriam-Webster dictionary, a whistleblower is defined as an 'employee who brings wrongdoing by an employer or by other employees to the attention of a government or law enforcement agency.' While whistleblowing is familiar in situations such as unsanitary working conditions, hazards, and payroll fraud - cyber is a fairly new territory. Now is the time to understand what this actually encompasses in order to take appropriate steps to combat security threats and close the gaps before any regulatory involvement.
Managing cybersecurity concerns and the possibility of whistleblowing needs to be included in cyber readiness initiatives, but also embedded into company culture. Having the enterprise take a teamwork approach to cybersecurity will increase awareness, provide a clear reporting mechanism to voice concerns, and control uninformed whistleblower claims. But what does this look like, and where should CISOs and legal teams begin? While there is not a “one-size-fits-all” solution, there are fundamental steps to take that will make it easier to spot imminent security threats, manage cyber resources, and streamline internal investigations.
New digital threats are constantly surfacing. Organisations have to balance these threats against budget constraints, resources, regulations, and data indicating attack probabilities. A breach can lead to serious legal and reputational consequences. Clear information governance, incident investigation, and breach response plans are important to limit the fallout. However, you need to take additional measures to facilitate cyber awareness, even if you already have strong protocols in place. Without proper communication on cyber controls, reporting procedure and companywide responsibilities, an organisation can open the door to claims that could have been avoided or remedied prior to regulatory involvement.
Imagine this scenario. An employee believes there is a serious security gap and reports it to someone within the organisation. Turns out, this was the wrong person to contact and it fell between the cracks. Failure to address this issue results in a breach and regulatory involvement or legal liability ensues. Going in the other direction, say the perceived gap actually was not a threat but the employee felt unheard and filed a formal complaint or called their employer out on social media. Either way, harm will ensue that could have been avoided. Had the organisation implemented better communication regarding reporting procedures, this could have been investigated and resolved internally.
Maintaining cyber programs where reporting procedures are clear and routinely communicated is crucial. Organisations should also include whistleblowing protections in company handbooks and as a part of cyber training so that everyone knows their rights, as there are absolutely times when these measures are warranted. Several regulators have recently increased protections and are incentivizing cyber whistleblowers. The range of behavior covered is wide and includes things such as breaches and security vulnerabilities. To balance all of this, company culture needs to evolve.
While there is always the likelihood of uniformed and unsubstantiated complaints, this can be counterbalanced with increasing cyber awareness within the enterprise. Make it known that protecting company data is every employee’s responsibility and there are procedures in place to accomplish this feat. In turn, the right complaints will get to the right places and there will be solid checks on cybersecurity to achieve the ultimate goal of keeping data safe.
Here are three hallmarks of a solid plan to elevate cyber hygiene within an organisation.
Oftentimes, people that report problems to regulatory agencies or the public do not have all the information relating to business risk decisions or the complex technologies involved. The resulting investigatory response and reputation repair will utilize a lot of resources. This reality needs to be offset with valuable education that will promote transparency and expand cyber knowledge for everyone in the organisation. This should be included past onboarding and be embedded into daily activities via mandatory training, open forums, cyber alerts, simulations, and other educational opportunities. Also, ensure that managers regularly talk about cyber responsibility to their teams and how to report suspected issues via the appropriate channels.
Having a hotline set up through a third-party is a solid investment to help manage cyber complaints while also providing the added benefit of employees feeling more comfortable to report. Hotlines are often part of a larger initiative, so if cyber complaints are not included in a current agreement, it is a good time to think about the benefits of expanding these capabilities.
There will likely be several ways that cyber reports occur, even if a separate hotline or IT process is already in place. Other avenues could include direct managers, HR, and legal. Everyone in these roles – and throughout the entire organisation – should know where to escalate reports. The appropriate team can then sort through the reports and determine which issues are actual threats, and which are everyday IT issues or instances of whistleblowing. Risk analysis and legal obligations will feed into these designations. Having policies around following up with individuals who report is also a good idea to keep decisions transparent and defensible.
There are two important takeaways here given the regulatory landscape and the increasing importance of cybersecurity in business. First, organisations need to understand that cyber whistleblowing is a real possibility. Second, updating programs to address internal reporting gaps is critical. Tackling problems head-on results in quicker remediation and lower exposure to risk. This also allows the organisation to allocate resources to fix a security problem earlier on versus dealing with a larger investigation or reputational repair down the road.
Joe Law is an Account Director for Epiq based in Hong Kong. His focus is to support and consult with law firms and corporate counsel in Hong Kong and globally regarding their litigation, investigation and legal ops needs. He brings his legal and practical experience to Epiq in APAC and continues to support clients in relation to digital forensics, eDiscovery solutions and technology-driven workflows.
Joe attained his Bachelor of Laws from the University of Nottingham (England) and completed his Postgraduate Diploma in Legal Practice from the University of Law (Moorgate, London). He is an admitted Solicitor of England and Wales and maintains his practising certificate.