Whistleblower policy: Preventing insider information leak incidents

NSA-level incidents are rare, but they do happen. Learn how to prevent a whistleblower scenario and limit the risk of insider information leaks.

Edward Snowden, now of universal fame (or infamy) due to his disclosure of U.S. National Security Agency classified information, has been charged with a number of crimes, including espionage. The case will prove to be a long and difficult one, and its adjudication, whatever the outcome, promises to be as complex as it is uncertain.

Whether Snowden is judged hero or villain, one thing about his actions seems certain: he is a whistleblower of the highest order with unclear motives, one who took top-secret government information to the media rather than first seeking in-house alternatives.

Snowden was employed by Booz Allen Hamilton, a third-party contractor to the NSA. That fact brings into focus the need for any company, not just an intelligence agency, to manage the risk associated with a whistleblower in its own ranks or among its contractors. While a whistleblower incident of this magnitude is rare, particularly in the private sector, enterprises should be concerned with the risk that this type of unauthorized information disclosure carries. Most would agree that an organization that conducts illegal or unethical activity deserves to be exposed, but some whistleblowers act maliciously, seeking to damage an organization even when its actions are legal, ethical and justifiable.

In the Snowden case, the risk is multifaceted and includes diplomatic, intelligence, national security, military and civilian dimensions. For an enterprise, the concern is equally justified: a comparable incident puts customer data privacy and overall information integrity at risk, with obvious consequences for the organization's brand, its standing with customers and its viability in the marketplace. In this tip, we'll examine how to put a framework in place, based on the tenets of sound information security risk management, to reduce the chance that a whistleblower incident ever happens to your organization.

Whistleblowers: Definition is a contradiction in terms

It's interesting that despite the damage whistleblowers often cause to the governments and organizations from which their information originates, the public at large has a mixed, if not often favorable, view of them. Whistleblowers receive comprehensive protections in a dozen countries, and about 50 nations have adopted various programs encouraging whistleblowers to come forward to root out corruption, fraud and other wrongdoing.

While some criminal behavior is easy to identify (say, dumping toxic waste into a public water reservoir or defrauding investors), discovery and reporting are not always simple. Employees, contractors and other insiders may "blow the whistle" prematurely or inaccurately, based on a faulty perception or a misunderstanding of the circumstances. Others may deliberately make allegations against the company in response to a termination they consider wrongful, or to a missed promotion or pay raise. From a risk-management standpoint, whistleblowers should be treated like other insider risks and managed through preemption; dealing with the impact of a whistleblower after the fact is far more challenging and costly. This is a matter of urgent corporate governance.

Given the accelerating growth of tablets and smartphones and continuous access to social media, whistleblowing is more common than might be thought and has assumed a new dimension. Websites offer whistleblowers communication channels they never had before. On social media, whistleblowers complain about working conditions, compensation, their managers, the tone set at the top by executive management, drug use, sexual indiscretions, favoritism, nepotism, racism and even allegations of criminal behavior.

Creating an internal whistleblower policy

Companies should have a whistleblower policy in place that dictates how to manage and prevent such an incident. As part of that policy, a company should offer employees an internal whistleblowing option for reporting wrongdoing. To succeed, a corporate whistleblower program must be accessible to every employee, must offer anonymity and confidentiality within the limits of the law, and should provide some level of compensation to the whistleblower. It competes with external incentives: in the case of a serious fraud reported by an employee directly to the government, the government may pay a substantial reward. A well-designed internal program makes it far more likely that whistleblowers come forward on the organization's terms, in a way that is nonpublic and manageable. If the company's policy offers nothing, guess where the whistleblower will likely disclose? That's right, in full public view.

An effective whistleblower program requires a commitment from the board of directors and the chief executive. Since there are significant legal considerations, the organization's general counsel should be intimately involved in establishing the program, working closely with human resources and the company's top security and privacy officers. The general counsel should also seek the opinion of external counsel with expertise and experience in employment law and in prosecuting or defending whistleblower cases. It is also advisable to confer with the general counsel or external counsel on employment practices liability insurance, which covers claims an employee brings alleging retaliation for a whistleblower report.

Should an employee come forward, the program must offer a secure method of disclosure and follow-up. The program does no good if employee concerns are heard and then discarded; that approach may delay a public disclosure but, by further frustrating the employee, makes the eventual incident more damaging. An outreach program is essential: make employees aware of the program and encourage -- but do not mandate, since compelling internal reporting before any external report can itself run afoul of whistleblower-protection rules -- reporting wrongdoing internally first, rather than disclosing to a government agency or another organization, including the media. Onboarding training should include a strong ethics program with an ethics policy that spells out how whistleblowing is handled. Employees should sign documentation acknowledging awareness of the program; that documentation should be updated at least annually and reflect any changes to the program. The language should be clear and easy to understand by every level of worker in the workforce, without exception.

There should be a corporate commitment to transparency within the restrictions established by regulatory compliance and contractual requirements. Companies should work closely with government, establishing corporate-government partnerships to encourage legitimate whistleblowing and to discourage abuse of such programs. The U.S. Securities and Exchange Commission's whistleblower program, for example, was mandated by the Dodd-Frank Act. The U.S. False Claims Act was designed to expose fraud perpetrated against the U.S. government, and its qui tam provisions allow private individuals to bring suit on the government's behalf and share in any recovery.

Whistleblower prevention

The best defense against any type of whistleblower is a strong ethics foundation; operational transparency; and effective, enforceable corporate governance. Don't break the law, don't tolerate those who do, and encourage integrity and honesty. Encourage executives to ensure this approach permeates every aspect of the business, and that it is well-known to employees, customers and partners. But this strategy does not always work.

One way to proactively assess the risk of whistleblowers and other high-risk insider behavior is to analyze corporate email. Employees using corporate assets, such as company-provided email, generally have little or no expectation of privacy in that use, provided the acceptable-use policy says so and they have acknowledged it; the exact position varies by jurisdiction, so this is another point on which counsel should be consulted before monitoring begins. Within those limits, behavioral monitoring of email, and of public social media posts, can provide early-warning risk indicators. Complaining about an employer has become mainstream, largely because of the accessibility of blogs and other forms of social media. Identifying these signals early can prevent or reduce the legal, financial, regulatory and reputational impact that accompanies the disclosure of proprietary information.
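As an added illustration of the email monitoring described above (this is example code, not anything from the article or its author), the following Python script scores outbound-mail log lines on a handful of leak indicators and produces a queue for human review. The log format, the corporate domain, the webmail and sensitive-term lists, and the weights are all assumptions for the example; the sample log is constructed, not real data. The point of combining indicators is that each one alone (an external recipient, a late-night send, a big attachment) is routinely benign; it is the combination that merits a look.

```python
"""Triage outbound-mail log lines for insider-leak early-warning indicators.

Added example, not from the original article. Log format, domains, terms and
weights are assumptions; SAMPLE_LOG is constructed, not real data. Scores are
a triage signal for human review under a disclosed acceptable-use policy,
never a verdict on an employee.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed sample log. Fields: timestamp|sender|recipient|attachment_bytes|subject
SAMPLE_LOG = """\
2013-07-08T09:12:00|alice@corp.example|bob@corp.example|12000|Q3 plan draft
2013-07-08T23:41:00|alice@corp.example|alice.personal@gmail.com|8400000|fwd: customer list
2013-07-09T10:05:00|carol@corp.example|vendor@partner.example|300000|contract v2
2013-07-09T02:17:00|dave@corp.example|tips@news.example|52000000|confidential - board minutes
"""

CORP_DOMAIN = "corp.example"  # assumed corporate mail domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE_TERMS = ("confidential", "customer list", "board minutes", "source code")
LARGE_ATTACHMENT_BYTES = 5_000_000  # assumed threshold; tune to the org's baseline
WORK_HOURS = range(7, 20)           # 07:00-19:59 treated as business hours


@dataclass
class Message:
    when: datetime
    sender: str
    recipient: str
    size: int
    subject: str


def parse_line(line: str) -> Message:
    """Split one pipe-delimited log line into typed fields (lower-cased addresses)."""
    ts, sender, recipient, size, subject = line.split("|", 4)
    return Message(datetime.fromisoformat(ts), sender.lower(),
                   recipient.lower(), int(size), subject.lower())


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Weights are illustrative assumptions."""
    score, reasons = 0, []
    sender_local, _, _ = msg.sender.partition("@")
    rcpt_local, _, rcpt_domain = msg.recipient.partition("@")
    external = rcpt_domain != CORP_DOMAIN

    if external:
        score += 1
        reasons.append("external recipient")
    if rcpt_domain in PERSONAL_WEBMAIL:
        score += 2
        reasons.append("personal webmail recipient")
    if external and rcpt_local.startswith(sender_local):
        # alice@corp -> alice.personal@gmail: mailing material to oneself
        score += 2
        reasons.append("apparent self-forwarding")
    if msg.size >= LARGE_ATTACHMENT_BYTES:
        score += 2
        reasons.append("large attachment")
    if msg.when.hour not in WORK_HOURS:
        score += 1
        reasons.append("sent outside business hours")
    if any(term in msg.subject for term in SENSITIVE_TERMS):
        score += 2
        reasons.append("sensitive term in subject")
    return score, reasons


def triage(log_text: str, threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Return (sender, score, reasons) for messages scoring at or above
    threshold, highest first. The result is a review queue, not evidence."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        score, reasons = score_message(msg)
        if score >= threshold:
            hits.append((msg.sender, score, reasons))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    for sender, score, reasons in triage(SAMPLE_LOG):
        print(f"{sender}: {score} -> {', '.join(reasons)}")
```

On the constructed log, the internal Q3 message scores zero, the vendor contract scores one (external recipient only) and drops below the default threshold, while the self-forwarded customer list to webmail and the late-night board-minutes send surface at the top of the queue. In production the weights and threshold should be calibrated against the organization's own traffic, and every hit still goes to a human, with counsel and HR aware of the program, before any action is taken.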

Development and maintenance of a good whistleblower risk management program will pay dividends in the long run. Strong ethics, consistent transparency, and proper operational and board-level oversight not only reduce the likelihood that a whistleblower will make a public spectacle of your organization, but also may reduce or prevent fraud, corruption and other criminal behaviors that would lead to difficult, costly problems for the business. Information security managers would be wise to leverage interest in the Snowden case to broach the importance of whistleblower risk management.

About the author:
MacDonnell Ulsch is CEO and Chief Analyst at ZeroPoint Risk Research LLC in Boston. He is the author of THREAT! Managing Risk in a Hostile World. Currently working on his next book, he continues to investigate client cyberbreaches and develop strategies for mitigating risk impact. Ulsch is a member of the advisory board for SearchSecurity and Information Security magazine.

This was last published in July 2013