When you hear the word “whistleblower,” do you think business traitor or Good Samaritan? In most company cultures, it tends to be the former, which is unfortunate because, more often than not, employees expose a security issue as a matter of ethics, not malice. However, because malicious intent has occurred before, the negative connotation lives on.
Regardless of your stance, the scope of technology is widening and at the same time, the sophistication of data threats is mounting. Gaps in security are no longer acceptable, and entities like the Securities and Exchange Commission (SEC) are cracking down, holding organizations that don’t do enough to prevent breaches just as accountable as those that don’t meet the minimum security requirements. And a significant part of security breach prevention is encouraging employees to speak up if they detect a potential security issue.
Consider this:
- When R.T. Jones Capital Equities Management did not adequately prevent a security breach that compromised information related to 100,000 people, the SEC slapped the company with a $75,000 fine.
- The Dodd-Frank Act of 2010 (though well-intentioned) encourages employees to report wrongdoing directly to the government instead of internal management in exchange for a monetary reward (should the accusation be proved accurate).
- Law firms are actively on the prowl for employees who wish to blow the whistle on their organization (especially if their internal reports have gone unaddressed).
- 72 percent of businesses that suffer a major data loss shut down within two years.
Without a functional security whistleblower strategy in place, organizations create two new and unnecessary risks. First, employees are more likely to report their concerns to an outside source, which means a security issue could end up going public before your organization is even aware it exists! Second, employees could turn a cold shoulder to potential security issues, leaving gaping holes in your organization’s infrastructure that could result in a breach (for which you may be deemed liable).
In addition to taking security seriously (having a detailed protocol for the prevention and resolution of security-related issues), organizations should establish a program that encourages employees to report security concerns internally. Here are six tips for creating a security whistleblower strategy:
1. Create a Culture of Security
In a company culture that values security, employees possess an above-average understanding of security protocols and how best to utilize data. These cultures teach employees to be observant of themselves and others and encourage security reporting as an ethical obligation to ensure the safety of each employee, customer, and the organization at large.
2. Provide Numerous Ways for Employees to Report
To reduce the anxiety or emotional stress of reporting a security matter, employers should provide employees with a variety of ways to disclose information, including:
- A telephone hotline
- In-person reporting
- Online reporting
- P.O. Box
- Fax
With numerous channels in place, the stress of being exposed is less likely to deter an individual from reporting an issue that could be potentially dangerous. Keep in mind, an in-person reporting protocol will require that someone on your staff be trained to collect the report and communicate with potentially emotional whistleblowers in a professional and helpful manner.
3. Educate Employees
If employees don’t understand how the whistleblower strategy will affect them, or why participation is important, they aren’t going to risk putting themselves “out there” to protect the organization. Furthermore, this isn't an endeavor that ends with new employee onboarding. Organizations must regularly talk about their overall stance on security with current employees, third-party partners, vendors, and customers. Conversations should include:
- What constitutes a security concern
- What is expected of employees
- How a security issue could impact the organization and employees
- The importance of reporting security issues
- What to do if an employee suspects a co-worker of foul play
- How to report security issues
- What happens once a report is made
4. Create Assurance Around the Strategy
It’s important that employees feel safe and protected by their organization, or there’s no way they’ll risk their neck to report a security issue. More than anything else, employees want to know:
- That their report will be taken seriously, and appropriate action will be taken
- That their involvement will remain anonymous and legally permissible if desired
- That they will not receive any backlash whatsoever for filing a report
These points should be clearly and concisely conveyed repeatedly to ease anxiety and help employees trust in the strategy.
5. Get Top-Level Support
The ethics behind your whistleblower strategy must come from the top. If your organization’s leaders aren’t backing the strategy and participating in the conversation, employees will doubt its efficacy and their safety. Moreover, top-level involvement and backing of ethical actions will help foster trust and employee loyalty in the organization. In this type of environment, employees will be far more likely to take pride in and defend their organization’s security.
6. Proactively Address Reports
If your organization doesn’t have a solid plan in place to investigate reports and resolve security issues promptly, the entire whistleblower strategy will unravel. Employees won’t take the reporting protocol seriously and, worse, they’ll doubt your organization’s commitment to the cause. In these situations, employees may report to an outside entity instead, putting your organization at risk for fines, public scrutiny, reputation damage, and more. In addition to addressing reports, organizations must also remember to follow up with reporters if they wish to know the outcome. The follow-up acts as confirmation for them that their report was taken seriously.
Cybersecurity is a multibillion-dollar industry projected to more than double by the year 2020. Organizations need to rally their troops and work together to protect themselves and their customers, not only from internal and external threats but also from those who see cybersecurity growth as an opportunity to benefit themselves. With a respected and functional whistleblower strategy in place, organizations can help make security less about meeting compliance standards and more about ethical responsibility. At the same time, they will revitalize employee trust and pride in their organization, and solidify their reputation.
About DEBBIE ZALLER
Debbie Zaller is Chief Operating Officer at Schellman. Debbie is responsible for maintaining and driving operational results and executing the firm's strategic goals. Debbie oversees all daily operations of the firm while spearheading the development, communication and implementation of effective growth strategies and processes. Debbie has over 21 years of IT compliance and attestation experience. Debbie led the firm's Midwest, Southeast, and Northeast regions along with the national service lines of SOC 2 and Privacy service lines as Managing Principal before assuming the position of COO in 2021. Debbie holds a Master of Accounting degree from the University of Florida. She is a Certified Public Accountant, Certified Information Privacy Professional/United States, Certified Data Privacy Solutions Engineer, Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified Cloud Security Knowledge. She is currently an AICPA-approved and nationally listed SOC Specialist and speaker on various privacy topics. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.