Cyber Whistleblowing: What Employers Should Know

Frankie Wallace
 

As businesses adopt emerging technologies like AI and VR, professional lives are growing more connected to the internet and, therefore, the world. While this can drastically improve efficiency and contribute to business growth, it has also led to a rise in cyber-attacks — and not just for tech companies.

Cybercrime is affecting industries beyond tech, including real estate, agriculture, and manufacturing. This makes auditing for cybersecurity issues important regardless of your business arena.

Often, the first people to recognize potential cybersecurity flaws are the people who work behind the scenes at your company. This is what makes cyber whistleblowing so important. When your employees feel comfortable reporting security concerns and breaches to upper management, your business can instantly take action to stop the issue before it gets worse.

Unfortunately, all too many employers react poorly to cyber whistleblowing, sometimes going as far as to penalize their employees or brush major concerns under the rug. Here’s what you can do to effectively handle the reports you get, along with some examples of breaches that demonstrate what not to do.

Stay Open to Hearing About Internal and External Threats

When business leaders are overconfident about their security or overly trusting of their team, they often believe that major cyber-attacks are too unlikely to consider. However, any company can fall victim to cybercrime as a result of small mistakes — and the risk is heightened if you’re not actively investigating every potential weakness in your digital shield. In fact, one of the biggest mistakes that employers make when cyber whistleblowing occurs is dismissing their employees’ concerns.

This was the issue that led to the downfall of SolarWinds, a company that was warned about information security issues years before a breach occurred. As a result of its management’s negligence, SolarWinds lost at least $18 million in its resolution of the cyber-attack from a Russian-sponsored hacking group.

Failing to investigate warnings can also make your company blind to costly insider threats, which were behind over 30% of cyber-attacks in 2019. Internal threats are cyber threats that come from within your organization. This can be done intentionally, but it is most often done unintentionally. For example, if your hybrid employee’s device isn’t equipped with a VPN to mask their IP address, they could potentially unwittingly leak sensitive info just by connecting to Wi-Fi in a coffee shop or coworking space.

Employers must be open to hearing every employee’s concern about all sorts of digital threats, both internal and external. Creating a dedicated intake form for cyber whistleblowing reports is a great way to remove the red tape that prevents lower-level employees from speaking up.

Develop Guidelines for Your Cyber Whistleblowing Response

Before you start to receive cyber whistleblowing reports, it’s important to know how you’ll respond. This is the best way to ensure that your team takes action instead of letting a potentially company-saving report slip by unnoticed.

Create guidelines that indicate who is responsible for processing, investigating, evaluating, and solving complaints from employees who notice potential threats. For example, while a portion of your IT team may be in charge of looking into a report, a C-level executive may be in charge of making the ultimate decision about the level of priority of each threat. You can also create evaluation guidelines that make the final decision easier and less biased for the person in charge.

Recruit Professionals When Needed

It can be difficult to identify threats from within a company that has a security system with which you are familiar. It can be helpful to bring in fresh perspectives from third-party professionals. Hiring a lawyer or contracting a cybercrime investigator are two great ways to avoid missing obvious issues and strengthen your security.

When bringing in outside professionals for help, make sure you sign confidentiality agreements with each one. This is the best way to avoid further security concerns that arise when too many people have access to your company’s most sensitive information.

Train Employees Where Your Company Is Most Vulnerable

Employees who aren’t familiar with cybersecurity practices are often the cause behind major attacks. If you don’t employ a zero trust security model, there are more opportunities for employees to fall victim to cyber-attacks and affect the whole team. For example, when Twitter experienced a breach that affected major accounts, the breach was caused by an employee who fell into the trap of a social engineering attack.

If you want to stop simple mistakes from bringing your business down, it’s important to train your employees well. Once you start identifying trends in cyber whistleblowing reports, you’ll know where your vulnerabilities lie — and as a result, you can start educating your employees in the right areas and upskilling them as needed.

Businesses that allow their employees to use personal devices should be particularly well-trained on security tools. When your employees are briefed on network security practices for each tool, like Multi-Factor Authentication (MFA), they’ll have more internal drive to do their part to protect your business. It’s also crucial to equip their devices with added layers of security. There are simple ways to do so, such as cloud VPN services that keep all your employees safe on a private, online network. 

Secure Your Company

Cybersecurity should be a concern for every business nowadays — even in industries that use the bare minimum when it comes to technological tools. If you want to protect your company from major cybercrimes, it’s important to readily accept and act on reports from cyber whistleblowers. Your investigations can be a team effort, or they can be done with the help of a trusted third-party professional.

These professionals can also guide you toward appropriate cybersecurity software and tools. After you’ve addressed all instances of cybersecurity risks and cyber whistleblowing reports, you’ll understand where you need to level up your knowledge and the skills of your employees.


Frankie Wallace

Tags: , , , , ,