I was reading an article from CSO Online about how we should expect a larger number of whistleblowers who sound the alarm over poor infosec practices. I tend to agree. At Rendition Infosec, we’ve seen an uptick in people willing to blow the whistle to regulators over perceived cyber security risks. I think some of this is generational. The younger generation (joining the workforce over the last 5-10 years) seems to be much less likely to stand by while anything is swept under the rug. This, it turns out, also includes infosec issues.
The article points out that case law is relatively scant on protecting cybersecurity whistleblowers. However, it also points out that because cyber security isn’t called out as an explicit exception to the law, whistleblowers are most likely protected. This doesn’t mean that it’s a good idea: you could be blacklisted from future employment by blowing the whistle. At a minimum, it’s likely to involve you moving jobs.
The article correctly notes that the FTC and SEC are both ramping up efforts against companies that have lax cybersecurity. Generally, for publicly traded companies, just knowing that there’s a security issue forces the organization to act or to disclose the vulnerability to shareholders in their public filings. Since disclosing publicly is obviously less than ideal, I think we are far more likely to see organizations either fix the problems or just ignore them altogether.
No matter how you feel about whistleblowers, they will be a reality in your organization sooner rather than later. If you don’t have a plan for dealing with a disgruntled employee blowing the whistle, you have a critical hole in your infosec playbook.
At Rendition Infosec, when we help organizations plan for a possible whistleblower disclosure, we generally tell them they have two critical areas to worry about. First, make sure that decisions about infosec pass the “New York Times Test” (NYTT). Second, work with PR before a disclosure and solidify your containment/press strategy.
What is the NYTT?
The New York Times Test is pretty simple. Look at your actions involving infosec and ask yourself, “if this were published in the New York Times, would the average reader think we were handling things appropriately?” If the answer is “of course not, they’d be outraged,” then I submit you’re doing it wrong. Unfortunately, the NYTT is actually a bit harder to apply than it looks. I’ll have a full post on effectively implementing the NYTT, hopefully later this week.
Like it or not, you need PR. Well, more accurately, your organization needs PR. When the press gets hold of a lead from a whistleblower (and this will happen eventually), you need to be ready with a response.
At Rendition, we worked with many organizations on the Ashley Madison disclosure. We worked with these organizations to determine their exposure, including employees that registered using a corporate email and those who registered and/or paid for services from corporate IP ranges. Let me take this opportunity to say that I don't really care what you do on your own time without using company assets. But that wasn't the case here, and that's sort of the point. Of the 17 organizations Rendition did this for, only two were ever contacted by the press (that I know of). But all 17 were ready with prepared statements – nobody was taken by surprise. Again, I’ll do an upcoming full blog post about engaging your PR team effectively in the incident response process.
Overall, the consensus of the CSO Online article is clear: be ready for the cyber security whistleblower. My experience tells me that they aren’t wrong. If your policies and playbook don’t cover dealing with whistleblowers today, talk to a professional with experience in dealing with these issues before you are taken by surprise. Above all, get your policies together and deal with issues as they arise. That way, potential whistleblowers have fewer opportunities to blow the whistle in the first place.