Whistleblowers: a defence to insider risk or a sleeping insider threat?
An effective whistleblowing policy and procedure should be an important element of any internal mechanism intended to spot and address when things are going wrong.
With so much focus on insider risk and threat, surely whistleblowers have an essential part to play in the identification of insider risk?
This article discusses the positive role they could have if they are listened to but also the possible challenges if they are not.
Understanding the insider threat
According to the UK National Protective Security Authority, an insider threat arises when ‘an insider, or group of insiders… either intends to, or is likely to cause harm or loss to the organisation’, and an insider event arises when ‘the activity conducted by an insider, whether intentional or unintentional… could result in, or has resulted in, harm or loss to the organisation’. The significance of insider events is growing because of the increasing number of events, their greater seriousness when compared with external events, and the dawning realisation amongst organisations of their vulnerability to insider threats.
Many public and private sector organisations have spent years building defences against external threats because that was where attacks were perceived to have come from. Whilst such activity is commendable, the threat landscape has evolved in that so-called bad actors, including organised criminals, hostile nation-states, malign lone actors and cause célèbre movements, have adapted their techniques. These now include physical incursions into locations, cyber penetration of data repositories, and co-opting or implanting people on the inside who can gain access to assets.
Increasingly, asymmetric approaches involving a combination of some of these tactics have been applied. Considerable damage to organisational information asset security can accrue not only through malign attacks but through unwitting or reckless disclosures of information through, for example, social media discourse.
Whistleblowers as part of an organisation’s defence
Given the multi-faceted nature of insider risk and threat, how is an organisation able to protect itself and its critical partners?
A range of defences is required according to the insider risk assessment and the prevailing threat intelligence picture. The effective use of whistleblowing should be part of these defences.
Many well-intentioned whistleblowers come to be perceived as a threat to the organisation and face detriment as a result of making a disclosure. The simple rule, however, is that if an organisation doesn’t listen to its whistleblowers, someone else outside the organisation will. So how can switched-on employers draw on the information which whistleblowers can provide as a bulwark of the defences to insider risks, and thereby avoid regulatory or public disclosures?
Protection under the law
Firstly, do insider risk whistleblowing disclosures qualify for protection under UK law?
The answer is, probably, yes. In UK law, any disclosure must be a qualifying disclosure, which would include the circumstances described in Section 43C of the Employment Rights Act 1996, where a worker brings a relevant failing to the attention of their employer (or other person responsible for the failure where that is not the employer). The ‘other person responsible’ could include suppliers and critical third parties associated with the employer, an emerging attack vector that is a source of concern to organisations contemplating their internal threats.
The disclosure must relate to one of the six criteria described in Section 43B, namely a criminal offence, breach of a civil law, health or safety breach, damage to the environment, a miscarriage of justice or a cover-up of any of the preceding failures. The disclosure must also satisfy the test that the disclosure is in the public interest.
So far, arguably, so good, but Sections 43B and C set quite a high bar. Also, consider damaging leaks of sensitive information through naïvety or ignorance in an era of sometimes thoughtless social media publication, or as a result of ‘honey traps’ or other forms of social engineering. Fortunately, the UK whistleblower is likely to be protected if they hold a reasonable belief that the ‘leak’ tends to show one or more of the qualifying disclosures.
The value of the whistleblower
It is in the interests of an alert employer to appreciate the value of whistleblower disclosures relating to poor cyber security, sloppy information management, an overly expansive and indiscreet social media presence, or lax physical security at work premises. Nevertheless, these inadequate arrangements do not, of themselves, amount to qualifying criteria under Section 43B and without more, may not attract the statutory protections for whistleblowers. So, employers may need to find other ways to incentivise good information security where the ‘back door’ is being left open.
Paying only lip service to the reasonable treatment of whistleblowers creates at least two risks: firstly, permitting lax information security procedures renders the organisation responsible for failures and draws towards the directors the spectre of one or more of the qualifying failures described in Section 43B applying to them, and secondly, an unfulfilled whistleblower is perceived by the organisation to have stepped over the line into becoming the very insider threat that all this activity was intended to prevent. On either footing, a banana skin awaits the unwary.
If this purview of insider risk management and the appropriate role of whistleblowing within it is of interest, I would be pleased to discuss the topic further.
Dr. Brian Moore QPM
Managing Director
GSA Global