From childhood, many of us are taught to value being a good secret keeper. The desire not to be labeled a ‘snitch’ is our first introduction to trust, discretion and confidentiality, and the rhyme ‘snitches get stitches’ serves as a dark reminder of the consequences of being identified as an informer.
As we mature, that view changes. Especially where digital information is concerned, there are moments when loyalty to an employer collides with a duty to the people whose data is at stake. The unwavering secrecy of childhood gives way to the harder task of balancing responsibility, transparency and accountability.
What is Whistleblowing in Cybersecurity?
The term “whistleblower” comes from the role of the official in sports who blows a whistle to halt play when they detect foul play.
It was popularized in the 1970s by Ralph Nader, the American consumer advocate, as an alternative to “snitch” and “informer”, words that cast the reporting of wrongdoing in a negative light.
In cybersecurity, whistleblowing refers to reporting security vulnerabilities, breaches, unethical or illegal practices, or an organization’s failure to meet its compliance obligations, where the matter concerns the security of information the organization holds. It plays an essential role in exposing concealment and mismanagement, and it has grown in importance as more consumer data is stored online and the risk to that data has increased.
Who is involved in Whistleblowing?
The whistleblowing process involves the individual(s) who come forward to report what they believe to be wrongdoing; the entity being exposed; those who document the disclosure; bodies that impose sanctions and require corrective measures; organizations that protect whistleblowers; and those who promote and support the practice.
Types of Whistleblowers
There are two types of whistleblowers, internal and external. Internal whistleblowers report misconduct or fraud within their own company, typically raising the issue with senior management, a compliance or ethics function, or the board.
External whistleblowers report wrongdoing to entities outside their organization, such as regulators, law enforcement agencies, legislators or the media.
Ethical Theories Underpinning Whistleblowing
Ethics can be described as the ideals and values that determine how people live, how businesses operate and how their employees conduct their work. The objective is not to dictate the behavior of professionals but to instill principles that guide their conduct.
In cybersecurity, ethics matters because seemingly minor actions can have serious consequences for professionals and for the organizations that employ them. It helps cybersecurity experts understand what professional behavior is expected of them.
Where ethics applies is often debated. If a company ignores proper security practices, takes shortcuts, or handles user data maliciously, it is acting unethically and should be held accountable. Yet a whistleblower who exposes that conduct by copying or publishing the affected users’ data may violate those same users’ privacy, which others would call unethical. The more defensible route is to disclose as little of the underlying data as the report requires, describing the failure and its scope rather than attaching the records themselves.
Whistleblower Case Study: Twitter
In 2022, the former head of security at Twitter, now X, disclosed what he described as the company’s non-compliance with data privacy and consumer protection law. Peiter “Mudge” Zatko alleged that Twitter executives misled the public, regulators and the company’s own board about its systemically broken defenses against hackers.
He further alleged that Twitter did not reliably delete users’ data after they cancelled their accounts, in some cases because the company had lost track of the information, and that it misled regulators about whether it deleted data as it was required to do.
Though this looks like a straightforward ethical choice, Zatko came forward only after he had been dismissed from the company. Twitter disputed the allegations, calling the disclosure inaccurate, and said Zatko had been fired for ineffective leadership and poor performance.
This case shows the ethical considerations at play: the whistleblower’s relationship with the employer, the company’s history and the seriousness of the alleged wrongdoing all need to be weighed.
After the allegations were made, the relationship between the two sides was damaged, Twitter suffered financial and reputational harm, and the public became aware of the alleged problems. The disclosure itself fixes nothing, however; whether the underlying security weaknesses were remediated is a separate question that public attention alone does not answer.
So was it worth it? Users will likely keep using the platform, and a company in that position will wait for the news cycle to move on. The lesson for practitioners is that a disclosure changes behavior only when a regulator, a board or customers act on it; awareness is not remediation.
Legal Protections for Cybersecurity Whistleblowers
The dangers that come with whistleblowing cannot be ignored. Because of that risk, there are laws a cybersecurity whistleblower can use to bring a claim for retaliation, where retaliation by the employer means firing or laying off the employee, demoting them, denying overtime or promotion, or reducing pay or hours. The available protections depend on where the whistleblower is employed.
Government Agency Employees
The Whistleblower Protection Act, passed in 1989, protects federal government employees who disclose unlawful activity, gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety, so that they can do so without fear of retaliation. If a federal employee disclosed that an agency lacked proper security measures to protect citizens’ information and was fired for it, that action would fall under the WPA.
Employees of Publicly Traded Companies
The Sarbanes-Oxley Act (SOX) applies to publicly traded companies doing business in the U.S. Its whistleblower provision (Section 806) prohibits such a company from taking adverse employment action against an employee because the employee reported conduct they reasonably believed to be fraud or a violation of securities laws. To obtain protection, the employee must show the following:
- They engaged in a protected activity
- Their employer knew they engaged in the protected activity
- They suffered an unfavorable personnel action; and
- The protected activity was a contributing factor in the unfavorable action
Other Workers
Employees who work for neither a publicly traded company nor the federal government may still have options if they are wrongfully discharged, depending on their location. In many jurisdictions, including most U.S. states, the public policy exception to at-will employment bars employers from firing employees for reasons that violate a clearly established public policy, and courts typically look to statutes and constitutional provisions to identify policies that have received legislative approval. Having established that protections exist for those who speak up, the next question is what role whistleblowers play in cybersecurity and why they are needed.
The Role of Whistleblowers in Cyber Security
Despite the negative connotation, whistleblowers play a vital role in improving security overall. First, they are often how the public learns of an incident or data breach that the organization chose not to disclose. In doing so, they hold companies accountable.
Over the last year, more than 4,100 data breaches were recorded, exposing the private information of millions of users and clients. Companies do not always remediate these attacks and inform affected customers. When a whistleblower informs the public, the company’s failure to disclose the breach is exposed and it is forced to confront the issue. If the breach involved a violation of law or regulation, the relevant bodies will pursue the company and it will be penalized accordingly.
When users see that a company tried to conceal an attack, they lose trust and take their business elsewhere, to businesses known for rigorous security practices and greater transparency. If such incidents were never brought to light, that pressure toward better data security would not exist.
Whistleblowers also promote better security indirectly. Because companies have been exposed in the past, the possibility of it happening to their own organization holds businesses to a higher standard; they take cybersecurity and transparency seriously to protect their reputation and retain customer trust.
On average, about 31% of customers stop doing business with a company after a breach, and its stock price drops by about 5% within a day. The effects are typically more severe if the company tried to hide the incident.
As whistleblowers bring an increasing number of breaches to light, more businesses will proactively strengthen their cybersecurity to avoid a similar fate. Without mechanisms to hold companies accountable and to protect those who speak up, this improvement would be far weaker.
The Future of Whistleblowing in the Cybersecurity Landscape
Protection and incentives for whistleblowers need to increase, because they play a vital role in upholding security standards. An incentive program could expose more corporate misconduct related to security. Financial rewards also compensate whistleblowers for the costs of coming forward, which matters most when they would otherwise hesitate out of concern about retaliation or job security. Incentivized whistleblowers can also lead to earlier detection of threats and vulnerabilities, allowing organizations to mitigate risks proactively and avoid the cost of data breaches, financial losses and reputational damage.
Legal protection for whistleblowers is also likely to grow. As the importance of whistleblowers in cybersecurity is increasingly recognized, we can anticipate enhanced protections written into cybersecurity laws for those who come forward with critical information, encouraging more employees to report incidents without fear of retaliation.
In addition, expect more secure, encrypted channels for making reports. Encryption keeps the content of a report confidential and protected from interception by unauthorized parties. Protecting the metadata of the communication (who submitted it, when, and from where) is a separate problem that encryption alone does not solve; it requires anonymizing measures such as routing submissions over an anonymity network, retaining no submitter identifiers on the receiving side, and stripping identifying metadata from uploaded documents. Even then, anonymity is not guaranteed: a report whose details were known to only a handful of people can identify its author by its content alone. Well-designed channels combine all of these measures so that whistleblowers can report with a realistic expectation of remaining safe and anonymous.
Final Thoughts
Whistleblowing has evolved far past its beginnings in the world of sports to encompass a diverse set of participants: those who expose wrongdoing, those who protect them, and those who document the disclosure process. As the sections above show, whistleblowing is a vital cog in the cybersecurity machine, helping to keep data and information systems secure.
Ethics plays a role in this whistleblowing process, as it guides professionals as to what is expected of them in their conduct. In an era where cybersecurity plays a pivotal role in our daily lives, the importance of ethical behavior cannot be overstated.
Real-world cases such as that of Twitter’s former head of security underscore the complex ethical considerations surrounding whistleblowing. The choice to reveal security flaws, even at the cost of strained relationships and a career, poses a moral dilemma; it nevertheless reaffirms the role of whistleblowers in holding organizations accountable and protecting the public interest.
Protections also exist to shield whistleblowers when they come forward to report misconduct or vulnerabilities. Whistleblowers not only bring data breaches to light but also promote better information security practices; by forcing organizations to uphold a higher standard, they lead more businesses to take cybersecurity seriously and to maintain customer loyalty and market stability.
Given its importance, the future of cybersecurity whistleblowing leaves room for more protection through federal law and incentives. Enhanced legal protections and secure reporting channels will bolster whistleblowers’ role in safeguarding our private data, while financial incentives can compensate and motivate them, promoting early threat detection and reducing costs.
In essence, whistleblowers are the unsung heroes of our digital age, advocates for integrity, and guardians of our collective security. Their contributions, though often surrounded with ethical dilemmas and personal risks, are essential for the continued trustworthiness of our digital domains. With increasing protections and incentives, the future of whistleblowing in cybersecurity looks brighter, ensuring that our digital world remains safe, secure, and accountable.
Are you prepared for potential threats in the ever-evolving cybersecurity landscape? Whistleblowers are helping drive the path towards a secure digital future, but it’s vital to stay proactive. Don’t wait for a breach. Reach out to Oppos Cybersecurity Consultants today for top-notch penetration testing and ensure you’re in compliance with the best cybersecurity practices.