BreachExchange mailing list archives

Changing the whistleblower-retaliation culture


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Sep 2015 18:41:00 -0600

http://www.cio.com/article/2985780/staff-management/changing-the-whistleblower-retaliation-culture.html

If you've spent any time reading or watching the news this year, you've
heard about at least one major data breach. Not only do those
headline-grabbing events damage the company's reputation, they also put
clients and customers at risk, because their data can easily get into the
hands of the public.

In the wake of these incidents, you would think companies would appreciate
a heads-up before a cyber-security threat becomes a reality. However,
that's not always the case. Internal whistleblowers often face retaliation
from the company they were trying to protect. Many times employees aren't
even aware of the legal protections offered to them if they become a
whistleblower.

Debra Katz, a founding partner of Katz, Marshall & Banks has represented a
number of clients who have faced direct retaliation from their own employer
after bringing a cybersecurity issue to the forefront. "What we see often
is that when employees write long memos or long emails where they detail
the problems, they get told right at that juncture, to not be stupid and
not write stuff down. So almost from the very beginning, employees in these
roles can be hammered just for reporting the problem, and trying to
document the issue to get it on the screen of the company so the company
allocates the necessary resources." This is especially true for employees
who work closely with cybersecurity; they often feel as though they are a
walking target, with the business viewing them as a threat, rather than an
ally.

"It is an environment where people who work in this sector really have a
lot of legal protection; they also operate with a target on their back, and
companies have to be sensitive to this," says Katz.

Cybersecurity threats can also be associated with fraud, where a business
might simply understate potential threats to business partners and clients.
For example, an employee may find a number of vulnerabilities, but is
denied the resources to bring the systems up to date.

But if a company ignores internal whistleblowers, it could lead to even
more problems, especially if that employee takes their concerns to the SEC,
which has a whistleblower program through the Dodd-Frank Wall Street Reform
and Consumer Protection Act. Through this program, whistleblowers are
incentivized to come forward by receiving 10 to 30 percent of the fines the
SEC imposes on companies.

These protections extend to whistleblowers who work for publicly traded
companies. In addition to the Dodd-Frank Act, there is the Sarbanes-Oxley
Act; both pertain to company fraud. Beyond these two acts, state statutes
protect employees when it comes to reporting fraudulent business practices
and the potential for sensitive data breaches. Workers at private companies
are also granted protections under the same acts if they find their
employer is misrepresenting itself to a publicly traded company.

Why would a company risk backlash for punishing an employee who was simply
trying to do the right thing and ultimately help the business? Generally,
an executive would most likely prefer the whistleblower be wrong in his or
her assessment of the cybersecurity practices of a business. Rather than
fundamentally change how the business protects its data, clients and
assets, executives would rather stick with the status quo. The problem is,
what worked in cybersecurity five or 10 years ago, most likely doesn't hold
up today, since technology is rapidly evolving.

Ultimately, Katz notes that companies that choose to ignore cybersecurity
threats, and don't take a proactive approach to scanning their systems for
vulnerabilities, will wind up paying more in the end. The combined cost of
legal fees, hiring people to help fix the issues, SEC fines, the loss of
customers, and the damage to a company's reputation greatly outweighs the
cost of the proactive resources businesses could invest to maintain a
secure system and patch any flaws.

For example, Target's breach in 2013 cost the company $264 million in
direct expenses, and Home Depot estimates that its 2004 breach cost the
company $62 million, not including the legal fees for the 44 lawsuits
brought against the company, according to Katz. The Ponemon Institute
released a report earlier this year that states the average cost for a data
breach for any company, big or small, is $3.8 million, which means small
businesses aren't immune to the staggering cost of cybersecurity threats
either. For the healthcare industry, which handles some of the most
sensitive client data, Ponemon reports the average cost per stolen record
is $363.

For employees, it's important to understand your rights when it comes to
reporting ethical issues with your company. "If someone feels they are
vulnerable to this retaliation they need to keep a comprehensive log
documenting their efforts to raise the issues and the response that they
got when they tried to raise these issues," says Katz. And while plenty of
companies have ethics hotlines and 800 numbers to call, Katz says these are
not always the safest avenue for employees to reach out. In reality, to
ensure employees' safety when it comes to whistleblowing, businesses need to
create an environment that reassures workers that they can raise questions
and concerns about security threats.

Ensuring your business doesn't fall victim to the crippling losses
inflicted by cybersecurity breaches starts with a zero-tolerance policy
against retaliation, according to Katz. "They should be doing everything
possible to really provide the resources and support for these people to
effectively do their jobs," she says. "And companies need to understand
that obviously it's crucial to their business to not have these kinds of
breaches, but they also face significant legal liabilities from the
whistleblowers themselves."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 