Whistleblowers are often employees who hold companies accountable by anonymously reporting incidents and patterns of non-compliance with policies and security frameworks. These individuals play an essential role in cybersecurity at the workplace. This blog will highlight the importance of whistleblower protections, workplace culture, and the critical importance of an engaged C-suite executive team that prioritizes cyber risk. For additional insights, see SureShield’s recent blog on The Role of Whistleblower Policies in Cybersecurity.
Whether deliberate or unintended, the cost of employee or vendor breaches is significant. IBM and the Ponemon Institute report that the average cost of a data breach in 2023 reached a record high of $4.45 million – an increase of 2% compared to 2022 ($4.35 million). However, the cost of a cyber or data breach extends beyond monetary losses. It can lead to a loss of customer and community trust, brand reputation damage, intellectual property loss, legal and regulatory fines, investigation and remediation costs, lower employee morale, and higher turnover.
There is no fail-safe roadmap for someone who has seen something and wants to say something. In weighing the benefits of speaking up against the risks, employees must consider repercussions such as retaliation, as well as the possibility that their sacrifice will not make a difference. Dana Gold, senior counsel at the Government Accountability Project and director of its Democracy Protection Initiative, states, “Strong whistleblower protection laws and pathways for disclosures are critical to the point of being non-negotiable to responsible private and public governance. We need whistleblowers to be able to come forward – they are not only the best defense against critical threats, but they may sometimes be the only defense we have.”
Whistleblowers have several legal protections against retaliation by their employers. In the United States, federal and state laws protect whistleblowers, including the Whistleblower Protection Act, the False Claims Act, and the Sarbanes-Oxley Act, among others. These laws protect employees who report illegal or unethical conduct, or violations of company policies, to their employers or to government agencies. However, given the escalating impact of cyber risk on every aspect of our lives, there is room for considerable improvement. For starters, the advances made on the legislative front must be matched by similar momentum in corporate practices to provide better protections for technology workers.
Whistleblowers often begin by reporting misdeeds internally and only seek external avenues if their concerns are marginalized or ignored altogether. Addressing whistleblowers’ concerns internally, before they escalate, is the optimal approach. A priority for organizations is to establish a clear policy for employees who want to flag issues. Personnel require timely education, training, and access to the relevant policies and procedural guidance.
C-suite leadership plays a crucial role in shaping the overarching cybersecurity strategy of an organization. An essential component of a successful effort is a transparent and “safe” environment. Transparency in the workplace is a philosophy of sharing information freely for the benefit of the organization and its people. It is an approach that emphasizes being direct with employees.
Transparency helps create a culture of trust between employees and employers, resulting in improved employee engagement and morale. It also fosters an environment in which employees feel comfortable communicating freely and feel valued when they suspect illegal or unethical behavior and step forward to report an incident according to the organization’s policies and procedures. Even the most comprehensive cyber compliance systems will only succeed with a solid and approachable leadership team that promotes compliance with reporting policies and alleviates fears of retaliation.
In addition to setting the tone for the workplace, C-suite executives are responsible for decisions such as defining risk tolerance and allocating the right resources at the right time to shield the organization’s assets. Cyber risk management is an organization-wide “all hands” responsibility that requires cross-functional collaboration. C-suite executives ensure that the departments of a company work together to protect its assets.
The legal, compliance, and human resource departments also play a crucial role in creating a culture of compliance within the organization. By developing policies and systems around whistleblowing related to incidents involving privacy, security, and cybersecurity, these departments help ensure that the organization is positioned to effectively address any potential issues before they become significant problems.
Executive leadership, organizational transparency, an informed workforce, and a culture encouraging rather than retaliating against whistleblowers are all crucial factors in promoting effective cybersecurity practices. By working together and supporting each other in the absence of fear, we can create a safer and more secure digital workplace.