I was reading an article from CSO Online about how we should
expect a larger number of whistleblowers who sound the alarm over poor infosec
practices. I tend to agree. At Rendition Infosec, we’ve seen an uptick in
people willing to blow the whistle to regulators over perceived cyber security
risks. I think some of this is
generational. The younger generation
(joining the workforce over the last 5-10 years) seems to be much less likely
to stand by while anything is swept under the rug. This, it turns out, also includes infosec
issues.
The article points out that case law is relatively scant on
protecting cybersecurity whistleblowers.
However, it also points out that because cyber security isn’t called out
as an explicit exception to the law, whistleblowers are most likely
protected. This doesn’t mean that it’s a
good idea: you could be blacklisted from future employment by blowing the
whistle. At a minimum, it’s likely to involve
you moving jobs.
The article correctly notes that the FTC and SEC are both
ramping up efforts against companies that have lax cybersecurity. Generally, for publicly traded companies, just
knowing that there’s a security issue forces the organization to act or
disclose the vulnerability to shareholders in their public filings. Since disclosing publicly is obviously less
than ideal, I think we are far more likely to see the organizations either fix
the problems or just ignore them altogether.
No matter how you feel about whistleblowers, they will be a
reality in your organization sooner rather than later.
If you don’t have a plan for dealing with a disgruntled employee blowing
the whistle, you have a critical hole in your infosec playbook.
At Rendition Infosec, when we help organizations plan for a
possible whistleblower disclosure, we generally tell them they have two
critical areas to worry about. First,
make sure that decisions about infosec pass the “New York Times Test”
(NYTT). Second, work with PR before a
disclosure and solidify your containment/press strategy.
What is the NYTT?
The New York Times Test is pretty simple. Simply look at
your actions involving infosec and ask yourself “if this were published in the
New York Times, would the average reader think we were handling things
appropriately?” If the answer is “of course
not, they’d be outraged” then I submit you’re doing it wrong. Unfortunately, the NYTT is actually a bit
harder than it looks. I’ll have a full
post on effectively implementing the NYTT hopefully later this week.
PR engagement
Like it or not, you need PR.
Well, more accurately your organization needs PR. When the press gets ahold of a lead from a
whistleblower (and this will happen
eventually), you need to be ready with a response.
At Rendition, we worked with many organizations on the
Ashley Madison disclosure. We worked
with these organizations to determine their exposure, including employees that
registered using a corporate email and those who registered and/or paid for services from
corporate IP ranges. Let me take this opportunity to say that I don't really care what you do on your own time without using company assets. But that wasn't the case here, and that's sort of the point. Of the 17
organizations Rendition did this for, only two were ever contacted by the press
(that I know of). But all 17 were ready
with prepared statements – nobody was taken by surprise. Again, I’ll do an upcoming full blog post
about engaging your PR team effectively in the incident response process.
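The exposure check described above (which accounts in a leaked dump tie back to the organization through a corporate email domain or a corporate IP range) is mechanical enough to script. The following is an added example written for this post, not Rendition’s tooling and not real breach data: the records, the `example.com` domain and the `203.0.113.0/24` range are all constructed. It matches on email domain case-insensitively, tolerates blank or malformed IP fields instead of crashing on them, and reports why each account matched so that an email-domain hit (strong) can be weighed differently from an IP-range hit (weaker, since shared egress or guest Wi-Fi puts non-employees behind corporate addresses too).

```python
import ipaddress

# Constructed sample records, shaped like a leaked account export
# (email, registration IP, payment IP). Not data from any real breach.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "reg_ip": "198.51.100.3", "pay_ip": None},
    {"email": "bob@personal-mail.invalid", "reg_ip": "203.0.113.9", "pay_ip": "203.0.113.9"},
    {"email": "carol@personal-mail.invalid", "reg_ip": "198.51.100.5", "pay_ip": None},
    {"email": "DAVE@Example.COM", "reg_ip": "198.51.100.6", "pay_ip": None},
    {"email": "not-an-address", "reg_ip": "garbage", "pay_ip": ""},
]

# Hypothetical organization: its mail domain and its public egress range.
CORPORATE_DOMAINS = {"example.com"}
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def email_domain(email):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    if not local or not domain:
        return None
    return domain.strip().lower()


def ip_in_ranges(ip_text, ranges):
    """True if ip_text parses as an IP address that falls inside any of ranges."""
    try:
        addr = ipaddress.ip_address((ip_text or "").strip())
    except ValueError:
        return False  # blank or garbage field: no match, but keep processing
    return any(addr in net for net in ranges)


def classify(record, domains=CORPORATE_DOMAINS, ranges=CORPORATE_RANGES):
    """Return the set of reasons a record ties an account to the organization."""
    reasons = set()
    if email_domain(record.get("email")) in domains:
        reasons.add("corporate_email")
    if ip_in_ranges(record.get("reg_ip"), ranges):
        reasons.add("corporate_ip_registration")
    if ip_in_ranges(record.get("pay_ip"), ranges):
        reasons.add("corporate_ip_payment")
    return reasons


def assess_exposure(records, domains=CORPORATE_DOMAINS, ranges=CORPORATE_RANGES):
    """Keep only records with at least one corporate tie, each with sorted reasons."""
    hits = []
    for rec in records:
        reasons = classify(rec, domains, ranges)
        if reasons:
            hits.append({"email": rec.get("email"), "reasons": sorted(reasons)})
    return hits


if __name__ == "__main__":
    for hit in assess_exposure(SAMPLE_RECORDS):
        print(hit["email"], ", ".join(hit["reasons"]))
```

On the constructed input this reports alice (corporate email), bob (registered and paid from the corporate range) and DAVE (corporate email, matched despite the mixed case), and skips carol and the malformed row. The output is a list of named employees tied to a sensitive service, so treat it as HR data from the moment it exists: restrict who can run the script and where the results land, because that list is exactly the kind of thing a whistleblower or a reporter would ask how you handled.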
Overall, the consensus of the CSO Online article is clear: be ready for the cyber security whistleblower. My experience tells me that they aren’t wrong. If your policies and playbook don’t cover dealing with whistleblowers today, talk to a professional with experience in dealing with these issues before you are taken by surprise. Above all, get your policies together and deal with issues as they arise. That way, potential whistleblowers have fewer opportunities to blow the whistle in the first place.