Security University Whitepapers & Webinars
SU's Learning Library is the place to gain additional information through free webinars, for free and helpful information, including webinars, training videos and more.
Whistleblower policy: Preventing insider information leak incidents
MacDonnell Ulsch, Contributor
Edward Snowden , now of universal fame (or infamy) due to his disclosure of U.S. National Security Agency classified information, has been charged with a number of crimes, including espionage. The case will prove to be a long and difficult one, and its adjudication, whatever the outcome, promises to be as complex as it is uncertain.
Don't break the law, don't tolerate those who do, and encourage integrity and honesty.
Of the actions undertaken by Snowden, whether hero or villain, only one thing seems to be certain: He is a whistleblower of the highest order with unclear motives, offering disclosure of top-secret government information to the media rather than first seeking in-house alternatives.
Snowden worked for defense contractor Booz Allen, a third-party contractor to the intelligence agency. This brings into focus the critical need for a company to be able to manage the risk associated with a company whistleblower. While a whistleblower incident of this magnitude is rare, particularly for the private sector, enterprises should rightly be concerned with the degree of risk associated with this type of unauthorized information disclosure. Most would agree that an organization that conducts illegal or unethical activity deserves punishment, but some malicious whistleblowers seek to expose an organization even though its actions may be legal, ethical and justifiable.
In the Snowden case, the risk is multifaceted and includes diplomatic, intelligence, national security, military and civilian risk. For enterprises, equal concern regarding the potential for a similar incident is justifiable because of the risk to customer data privacy and overall information integrity, as well as the obvious ramifications for the organization's brand, perception among customers and viability in the marketplace following such an incident. In this tip, we'll examine how to put a framework in place based on the tenets of sound information security risk management to prevent a whistleblower incident from ever happening to your organization.
Whistleblowers: Definition is a contradiction in terms
It's interesting that despite the damage whistleblowers often cause to the governments and organizations from which their information originates, the public at large has a mixed, if not often favorable, view of them. Whistleblowers receive comprehensive protections in a dozen countries, and about 50 nations have adopted various programs encouraging whistleblowers to come forward to root out corruption, fraud and other wrongdoing.
While sometimes it is easy to identify criminal behavior (say, dumping toxic waste into public water reservoirs or defrauding financial investors), it isn't always a simple process of discovery and reporting. Employees, contractors and other insiders, for example, may "blow the whistle" prematurely or even inaccurately, based on faulty perception and misunderstanding of certain circumstances. Others may purposefully make allegations against the company as a result of wrongful termination or failure to receive a promotion or even a pay raise. Whistleblowers are like other types of malicious insiders, and organizations should manage whistleblower risk through preemption; it is clearly much more challenging and costly to deal with the impact of a whistleblower after the fact. This is a matter of urgent corporate governance.
Given the accelerating growth of tablets and smartphones and continuous social media access, whistleblowing is more common than might be thought and has assumed a new dimension. Websites offer whistleblowers communication channels that they never had before. Social media whistleblowers complain about work conditions, compensation, their managers, the tone at the top set by executive management, the use of drugs, sexual indiscretions, favoritism, nepotism, racism, even? allegations of criminal behavior, and so on.
Creating an internal whistleblower policy
Companies should have a whistleblower policy in place that dictates how to manage and prevent such an incident. As part of that whistleblower policy, a company should offer employees an internal whistleblowing option to report wrongdoing. In order to be successful, a corporate whistleblower program must be accessible to every employee, offer anonymity and confidentiality within the limits of the law, and provide for some level of compensation to the whistleblower. In the case of a serious fraud reported by an employee to the government, the government offers a substantial reward. This will ensure whistleblowers come forward on the organization's terms, in a way that is nonpublic and manageable. If the company policy offers nothing, guess where the whistleblower will likely disclose? That's right, in full public view.
An effective whistleblower program requires a commitment from the board of directors and the chief executive. Since there are significant legal considerations, the organization's general counsel should be intimately involved in establishing the program, working closely with human resources and the company's top security and privacy officers. The general counsel should also seek the opinion of external counsel with expertise and experience in employment law and in prosecuting or defending whistleblowers. It is also advisable to confer with the general counsel or external legal counsel on employment practices and liability insurance, which covers whistleblowers' claims in the event an employee seeks retaliation over a whistleblower allegation.
Should an employee come forward, the program should offer employees a method of secure disclosure and follow-up. The program does no good if employee concerns are heard and then discarded; this strategy may delay a public disclosure and, by further frustrating the employee, make the incident more traumatic. An outreach program to employees is essential, making employees aware of the program and encouraging -- though not mandating -- them to report wrongdoing internally first, rather than opting disclosure to a government agency or other organization, including the media. As employees receive onboarding training, inclusion of a strong ethics program should include an ethics policy with specific information about whistleblowing. Employees should sign documentation acknowledging awareness of the program. Documentation should be updated at least annually and reflect any changes in the program. The language should be clear, easy to understand by every level of worker in the workforce -- without exception.
There should be a corporate commitment to transparency within the restrictions established by regulatory compliance and corporate contract requirements. Companies should work closely with government by establishing corporate-government partnerships to encourage legitimate whistleblowing and to discourage the abuse of such programs. The U.S. Securities and Exchange Commission whistleblower program is a requirement of the Dodd-Frank Act , for example. The U.S. False Claims Act was designed to shine the light of culpability in frauds perpetrated against the U.S. government.
The best defense against any type of whistleblower is a strong ethics foundation; operational transparency; and effective, enforceable corporate governance. Don't break the law, don't tolerate those who do, and encourage integrity and honesty. Encourage executives to ensure this approach permeates every aspect of the business, and that it is well-known to employees, customers and partners. But this strategy does not always work.
From the editors: More on preventing insider information leaks
How to begin corporate security awareness training for executives
Expert Ernie Hayden provides advice for enterprises that are establishing security awareness training for their security-unaware executives.
Business partner security: Managing business risk
Allowing outside business partner access to your systems and data always comes with some level of risk. Nick Lewis examines what those risks are and strategies for managing business risk.
One way to proactively assess the risk of whistleblowers and other high-risk behaviors is to analyze corporate email. Employees using corporate assets, such as company-provided email, do not have a right to privacy in the use of that email. Behavioral monitoring of email, as well as social media sites, can provide early-warning risk indicators. Complaining about an employer has become mainstream, largely because of the accessibility of blogs and other forms of social media. The identification of these troubling signals can prevent or reduce legal, financial, regulatory and reputation impact that accompanies the disclosure of proprietary information.
Development and maintenance of a good whistleblower risk management program will pay dividends in the long run. Strong ethics, consistent transparency, and proper operational and board-level oversight not only reduce the likelihood that a whistleblower will make a public spectacle of your organization, but also may reduce or prevent fraud, corruption and other criminal behaviors that would lead to difficult, costly problems for the business. Information security managers would be wise to leverage interest in the Snowden case to broach the importance of whistleblower risk management.
About the author:
MacDonnell Ulsch is CEO and Chief Analyst at ZeroPoint Risk Research LLC in Boston. He is the author of THREAT! Managing Risk in a Hostile World. Currently working on his next book, he continues to investigate client cyberbreaches and develop strategies for mitigating risk impact. Ulsch is a member of the advisory board for SearchSecurity and Information Security magazine.
We've all seen the reports about what goes wrong when proper controls are not implemented while storing and transferring data. Large enterprises face messy notifications, customer dissatisfaction and, in many cases large fines. In fact, a data breach in the U.S. comes with an average price tag of $5.5 million, according to a 2011 Ponemon Institute study.
18 July 2013
Why single sign-on solutions are absolutely essential, but rarely enough.
11 July 2013
Certificate-based network authentication can be a powerful first step towards a safer, more agile business. This paper explains how it works and how it compares to other leading identity and access management solutions.
01 July 2013
Technology continues to make information more readily available to a larger group of people than ever before. Yet even as the latest technological advances bring a greater wealth of opportunities for sharing and distributing knowledge, each advance also increases the risk that sensitive data will land in the wrong hands.
28 June 2013
Kevin Bocek's presentation slides from his keynote address - Blueprint for the Perfect Attack – Open doors in your advanced attack strategy?
21 June 2013
Maintaining control over the data is paramount to cloud success. In this Whitepaper, learn about Cloud Computing Security Challenges, Techniques for Protecting Data in the Cloud and Strategies for Secure Transition to the Cloud.
19 June 2013
Privileged users and processes have access to the most sensitive data and systems but because their communications are encrypted, they bypass basic security safeguards such as data loss prevention, firewalls and IPS. This latest white paper focuses on how to restore visibility and security to these encrypted pathways in and out of your network.
19 June 2013
Cybercriminals have discovered a new attack vector: Exploiting the trust that keys and certificates establish.
19 June 2013
The new Gartner case study highlights how an organization utilized NAC and mobile device management solutions to establish policies for enabling a BYOD environment with an acceptable level of risk.
01 June 2013
Java vulnerabilities have dominated the security headlines. Some observers now say organizations should simply turn off the ubiquitous software platform.
29 May 2013
Every enterprise is potentially risking upwards of $400 million from attacks against cryptographic keys and digital certificates—yet few enterprises are managing these critical resources.
10 May 2013
Read the Gartner report on Network Access Control with ForeScout as a Magic Quadrant Leader. Find out how all the NAC vendors stack up and the importance of Magic Quadrant leadership for your company.
04 April 2013
Third-party applications, browsers and plugins have become the attack vector of choice for the modern cyber criminal. Computing surveyed over 200 UK business decision makers to understand how they perceived the risks that they faced from third-party applications.
20 March 2013
The Payment Card Industry Data Security Standards (PCI DSS), with its over 200 requirements, can seem like a daunting set of regulations. Nonetheless, if your organization handles any kind of credit card information, you must be PCI DSS compliant.
19 March 2013
After Hurricane Sandy struck, companies with well-architected, thoroughly tested, and fully documented disaster recovery (DR) plans and solutions were able to bounce back quickly.
13 March 2013
This white paper analyses how emerging key management and access control technologies will likely impact PCI compliance mandates and presents SSH's Universal SSH Key Manager as a solution that can be implemented today to both increase security controls and meet the coming, common sense changes to compliance mandates.
22 February 2013
The January 2013 report from ESET covering the top threat trends occurring globally in the past month. Plus a feature article from ESET Senior Research Fellow, David Harley, on how viruses are circulated in email hoaxes.
22 February 2013
Why are so many companies uncomfortable with their ability to manage active business data - and where is this data coming from? Companies are experiencing new challenges from the ever-increasing size, speed and variety of data. Social media has exploded in recent years, but other business issues are contributing to the dilemma.
22 February 2013
The new threat landscape has changed. Next generation firewalls, intrusion prevention systems (IPS), anti-virus and security gateways are not adequately protecting organisations from next generation threats.
18 February 2013
The sheer magnitude of the enterprise vulnerability problem is daunting. In today's enterprise-scale networks, scanners may identify tens of thousands or hundreds of thousands of vulnerabilities at once. Review and remediation efforts may take weeks. New vulnerabilities and threats are introduced daily.
08 February 2013
Keeping track of 10,000+ of anything is a management nightmare. With ongoing compliance oversight and evolving security attacks against vulnerable endpoint devices, getting a handle on managing endpoint becomes more important every day.
07 February 2013
Cyber threats are becoming ever more insidious and affect organizations of all sizes, spanning all industries. Organizations need to take a more proactive stance on security, and focus on only allowing what is good to execute on their networks to create an atmosphere of trust.
05 February 2013
Companies must achieve and maintain compliance with PCI DSS, but also manage geographically distributed networks, usually containing both structured and unstructured data. Learn how Vormetric Data Security helps organisations meet PCI DSS compliance demands with a transparent data security approach that requires minimal administrative support and does not undermine performance.
01 February 2013
We are pleased to present the results of the 2013 State of the Endpoint study sponsored by Lumension® and conducted by Ponemon Institute. Since 2010, we have tracked endpoint risk in organizations, the resources to address the risk and the technologies deployed to manage threats.
24 January 2013
The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However, traditional “scan-and-patch” vulnerability scanning approaches are inadequate for dynamic, virtualized environments.
22 January 2013
Risk Modeling & Attack Simulation for Proactive Cyber Security
What Is Your Mobile Content Policy? A Checklist for Content Risk Mitigation Sponsored by: SAP AG
This helpful paper discusses how to approach secure content management in the age of mobility, examining how to implement secure mobile content risk mitigation and what you can do to ensure your mobile data stays in the right hands.
Manage with ease: Get peace of mind with HP and Windows Embedded Sponsored by: HP
In this short white paper, you will gain insight into an innovative virtualization approach to alleviate the headaches of security processes and password logins.
Mitigating DDoS Attacks with F5 Technology Sponsored by: F5 Networks
This exclusive white paper examines a set of solutions that can securely deliver applications while protecting the network, the session and the user, with mitigation technologies that map directly to individual DDoS attacks.
Presentation Transcript: Emerging Technologies for the Next Wave of Enterprise Mobility Sponsored by: Fixmo
This informative transcript discusses the emerging security technologies that are helping to address some of the important challenges the next wave of mobility will inevitably bring. Read on to learn how you can bring work to devices in a secure and compliant manner.
Sponsored by: GeoTrust, Inc.
In this searchCompliance.com e-guide, uncover the core benefits data privacy programs, data protection strategies, and data-loss incident readiness plans have to offer and key steps for achieving them, with a particular focus placed on BYOD.
Sponsored by: CA Technologies.
This resource details a cloud-based identity and access management (IAM) solution designed to secure access to cloud-based services and apps, simplify IAM both on-premises and in the cloud, and improve efficiency. View now to learn more!
Without an on-going security testing regiment in place, even the most sophisticated IT defence measures will not guard organizations against crippling attacks, data leaks or internal sabotage.
20 December 2012
Are you considering a secure, managed file transfer solution to address the security of information and data transferred to, from and inside your organization?
31 October 2012
According to the results of a recent survey conducted by Bit9, European IT managers in France, Germany, Spain and the UK are aware of the changing nature of cyber attacks; how these more advanced attacks target their infrastructure; and what they would like to see as the most effective strategies for protecting their organisations.
09 October 2012
Managing risk within today's enterprise network environments represents a significant challenge. Enterprises have more IP addresses, servers, mobile phones, partners, applications and data than ever before.
09 October 2012
Securing any device used by mobile workers is a challenge but laptop computers, still the most vulnerable of all endpoint devices, presents the biggest threat to corporate security. Laptops today are far more numerous that other mobile devices and are more tightly integrated into the enterprise infrastructure. They are prime targets for malware attacks.
26 September 2012
Malnets (malware networks) are extensive infrastructures embedded in the Internet that are designed to deliver mass market attacks to the largest possible audience on a continuous basis. In 2012, Blue Coat expects these infrastructures will be responsible for more than two thirds of all malicious cyber-attacks.
26 September 2012
The FireEye® Advanced Threat Report for the first half of 2012 is based on research and trend analysis conducted by the FireEye Malware Intelligence Lab. This report provides an overview of the current threat landscape, evolving advanced malware and advanced persistent threat (APT) tactics, and the level of infiltration seen in organizations' networks today.
24 September 2012
In the real world the security landscape can be a harsh environment. Hackers are using more sophisticated attack methods to penetrate networks and steal company data; social networks are being compromised and used to distribute malware, and instigate phishing attacks; and the proliferation of mobile and cloud applications are opening new vulnerabilities ripe for exploitation.
10 September 2012
Despite spending more than $20 billion annually on IT security, over 95 percent of companies harbor advanced malware within their networks. Learn how to combat the cybercriminals that continue to outsmart older, signature-based security technologies.
22 August 2012