BreachExchange mailing list archives

What's your cybersecurity whistleblower strategy?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Jan 2016 17:16:21 -0700

http://www.csoonline.com/article/3018853/leadership-management/whats-your-cybersecurity-whistleblower-strategy.html

It reads like a security nightmare. An employee, maybe even someone in IT,
contacts a government regulator and reports major vulnerabilities in the
company’s infrastructure. The employee says the company knows about the
problems but has done nothing, putting people's personal data or maybe even
their physical safety at risk.

Even worse, the whistleblower claims to have been punished for complaining
too much to management about the problems. An investigation ensues, forcing
the company to hire attorneys and consultants, and the regulator levies a
hefty fine when several accusations prove accurate. Finally, the
whistleblower is given a portion of that judgement, financially rewarded
for exposing their employer’s dirty laundry.

When I discuss this scenario with other security professionals, many see it
as a classic case of insider threat. The fictive whistleblower is blasted
as unprofessional, spiteful, a traitor even. That reaction may be
understandable, but it is increasingly misinformed and dangerous.
Whistleblowers will be coming to cybersecurity, and a strategy built around
blaming and demonizing them will actually make things much worse.

In 2015, the Securities and Exchange Commission (SEC) settled charges that
R.T. Jones Capital Equities Management violated the “safeguards rule” by
not doing more to prevent a security breach that compromised the
information of about 100,000 people. Even though no one appeared to be
harmed, the SEC censured R.T. Jones and fined the firm $75,000. Justifying
the enforcement, the SEC said,

"Firms must adopt written policies to protect their clients’ private
information and they need to anticipate potential cybersecurity events and
have clear procedures in place rather than waiting to react once a breach
occurs."

The security community has not really considered whistleblower risks, which
is somewhat surprising given an ongoing parade of large public breaches,
and the common knowledge that many organizations do a poor job of securing
their systems and data. Though there seems to be no whistleblower
involvement in the R.T. Jones case, it has been a sort of catalyst. In
response to lawmaker pressure to crack down on companies that fail to
prevent breaches, Kara Stein, the SEC Commissioner, was quoted after the
settlement saying her agency intended "...to play a much more active role
in trying to help companies better protect themselves against an increasing
number of cyber security issues in a world in which we are all increasingly
connected."

Effective enterprise security is not yet formally synonymous with ethical
corporate behavior. When security professionals discuss ethics, the tone
can be somewhat ambiguous or focused on certification requirements rather
than engaging the deeper question of whether companies have an ethical duty
to make security work properly. If companies have such a duty, the calculus
changes. Neglecting or underfunding security is no longer just a business
decision, but has ethical repercussions as well.

So maybe it should come as no surprise that regulators and other entities,
like law firms, are thinking about the possibilities of cybersecurity
whistleblowers. The R.T. Jones settlement was relatively small, but the
fine seemed to be less important than the precedent. Reactions and
interpretations from the case should be a wake-up call for security
professionals, compliance officers, and organizations in general.

Attorneys, for instance, have become interested in the implications of the
R.T. Jones settlement. Although no recent public breaches are known to
involve whistleblower complaints, lawyers seem to smell opportunity. Some
now offer to help whistleblowers expose security problems, particularly if
they’ve had trouble reporting them internally. Others offer legal services
for companies dealing with investigations or lawsuits. Many see the market
for these services only getting bigger.

"It is only a matter of time...before we see a headline announcing that a
hacked company knew about its vulnerabilities yet did nothing to protect
its customers, but instead fired the whistleblower who identified and
sought to fix the problem."

The SEC regulates financial firms, and runs its own whistleblower program.
But whistleblower programs also exist in the automotive industry,
healthcare, and government, all sectors where security breaches have made
major headlines, from Jeep hacking to medical privacy to the OPM.

Cybersecurity has remained esoteric enough to avoid direct connection to
cases of corporate fraud or product liability. But embedded software and
the growing Internet of things will increasingly make those distinctions
weaker and less convincing. Future security stakeholders may be less able
to disassociate their actions from direct consequences and personal
responsibility. Could a developer be more motivated to report, believing
their firm's software product might harm or even kill someone? Might a
fired CISO launch a wrongful termination suit against an employer, claiming
a failure to provide adequate security resources prior to a breach? These
are the dilemmas that create whistleblowers.

So what's a rational cybersecurity whistleblower strategy? The only
effective way to manage the risk is to develop a culture that actively
embraces those whistleblowers. You must motivate people to report problems
within the enterprise. Research shows that most whistleblowers are not
disgruntled employees acting out of greed or spite, but good workers (often
managers) honestly trying to fix problems they believe will cause people or
the company harm. They go outside because they worry no one is listening
inside or, worse, that management will “shoot the messenger” and retaliate
against them.

But a cyber hotline or a beefed-up security awareness program means nothing
if the organization doesn’t move quickly to fix reported problems.
Ironically, the best whistleblower strategy is for the organization to
truly hold itself accountable for identifying and fixing security problems.
Imagine an organization where, when people pointed out bad security, senior
management took action as quickly and aggressively as if someone reported
accounting fraud, safety violations, or sexual harassment? What would
security look like in that organization? If nothing else, it would look
like a place with far fewer whistles waiting to be blown.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/