A Surprising View on Whistleblowers from a Cybersecurity Perspective

The term whistleblower comes from the role a person plays in sports by using a whistle to stop a play when an illegal activity or foul occurs. During the 1970s US civic activist Ralph Nader coined the phrase to avoid negative connotations associated with the use of other words like ‘informers’ or ‘snitch’.

The Issue of Values

Most whistleblowers come from internal sources who report the misconduct of fellow employees. Why would an employee feel compelled to risk their job and the ridicule of fellow employees or retaliation such as termination? This type of behaviour normally occurs only after the values of the employee have been challenged or a higher ranking manager has asked a subordinate employee to participate in an illegal activity. The values of the employee are important for the organization to establish their level of integrity, trust, further mitigating the risks of fraud and embezzlement. Many organizations spend significant resources on indoctrinating employees on their unique mission and corporate values. These organizations do this to demonstrate their ‘standard-of-care’ which includes values like integrity and trust.

Classifying the Whistleblower

During the risk assessment process the risk of threats and matching vulnerabilities are reviewed. One of two possible known attack vectors will be evaluated,

  1. the threat of accidental events creating risk to asset(s)
  2. the deliberate actions leading to a security incident (this is where a whistleblower falls under).

There is one additional scenario to consider and that is negligence which is considered to be a failure to exercise the care that any reasonable person would exercise. Negligence is an area of tort law involving harm caused by carelessness, but not to be confused with intentional harm.

Whistleblower Protection Act of 1989

The Whistleblower Protection Act of 1989 is a United States federal law designed to protect federal whistleblowers who work for the government and report misconduct. The Whistleblower Protection Act was created to ensure authorities do not take retaliatory action against employees who blow-the-whistle. Reasonably, evidence substantiating a whistleblower’s report would include any violation of a law, rules or regulation, gross mismanagement, gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety. All commercial and public organizations are encouraged to establish a whistleblower policy endorsed by their respective Board of Directors to help demonstrate the organization’s ‘standard-of-care’.

Whistleblowers and Risk Management

Risk Management can be integrated into most organizations using a wide variety of techniques illustrated in the following workflow diagram. One such technique is called “control self-assessment”. This technique puts the manager in the driver’s seat by scheduling a review of the controls within their respective department, branch or division. Typically this technique is scheduled and executed at a minimum once per annum, but it could be executed more frequently and could precede annual scheduled audits or follow major system changes. Additional techniques include the integration of a weighted security assessment with the project management cycle and systems development life-cycle.

Risk Management Report Integration

Whistle-blowing is one more important element of every vulnerability management system that acts as a fail-safe. What happens when vendors don’t patch defects that can lead to security failures? What happens when a consumer reports a security weakness and the vendor does nothing to close the vulnerability? Vulnerabilities are almost always discovered by security researchers and published on the internet or sold on the black market. In some situations intelligence concerning these vulnerabilities is provided to product vendors. In some situations a bug bounty may be paid for advanced knowledge by a vendor or supplier. When software defects and vulnerabilities are published without advanced notification they are known as Zero-Day vulnerabilities. In yet another scenario a vulnerability may be discovered and sold to a foreign government or to organized crime for profit. The motivation to take intellectual property is normally for profit whereas the gathering of intelligence data concerning foreign governments is tactical and strategic in nature. Providing protection to whistleblowers is a fundamental requirement that could prevent the negative economic impact of unmitigated vulnerabilities.

Mark Bernard is the author of our NIST Cybersecurity Foundation Course. The knowledge captured and communicated in this course can be immediately applied by organizations around the globe to ramp up to meet their legal obligations defined by newly introduced statutory and regulatory acts.

Adopt the NIST Cybersecurity Foundation Course to your portfolio and help your clients learn about the basic information security concepts and techniques.

Mark E.S. Bernard
Mark has 24 years of proven Executive level Information Security, Privacy Experience. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark helps professionals around the globe with free advice and knowledge sharing in an effort to make our world a safer place. In addition, Mark has volunteered at schools, Boy Scouts, Girl Guides, Amateur Hockey and Baseball and has also helped to raise money for Amateur sports and the Mustard Food Bank.