The Australian Crime Commission estimates that organised crime, such as cyber fraud, costs Australia between $10 billion and $15 billion per annum. Globally, cybercrime is predicted to cost just under one percent of global GDP. So why are we still seeing limited reporting on cyber security through whistleblower programs?

Analysis of Your Call’s historical whistleblowing disclosure data shows that serious issues such as cyber security breaches are systemically under-reported compared to other corporate risks. In fact, in the 2021-22 financial year, less than 1% of total disclosures related to cybersecurity breaches.

Are we missing detection opportunities?

What is Cybercrime?

According to the Australian Federal Police (AFP), the term ‘cybercrime’ is used in Australia to describe both:

  • Crimes directed at computers or other information communications technologies (ICTs) (such as computer intrusions and denial of service attacks), and
  • Crimes where computers or ICTs are an integral part of an offence (such as online fraud).

Cybercrime offences are found in Commonwealth legislation within parts 10.7 and 10.8 of the Criminal Code Act 1995 and include:

  • Computer intrusions
  • Unauthorised modification of data, including destruction of data
  • Unauthorised impairment of electronic communications, including denial of service attacks
  • The creation and distribution of malicious software (for example, malware, viruses, ransomware)
  • Dishonestly obtaining or dealing in personal financial information.

Source: Australian Federal Police

How do data breaches occur?

As the saying goes, it takes two to tango! While cybercriminals are the architects of cybercrime, it’s often guileless employees who leave the back door open for criminals to steal valuable information. In fact, Tech Radar suggests a staggering 90 percent of data breaches are caused by human error, with 81 percent of data breaches caused by weak or stolen passwords. And leaders, beware: in approximately 30 percent of data breaches, senior non-IT employees were held responsible and dismissed.

Insider risk is another big issue. Analysis based on anonymised telemetry data from over 700,000 endpoints found a direct correlation between resignations, departing employees and data exposure events, including the theft of source code, patent applications and customer lists.

How can your whistleblowing program support cyber security initiatives?

A robust whistleblower program is an important part of an organisation’s defence against cybercrime. The whistleblower program can hold the organisation to account by providing a mechanism for cyber-security issues to be raised to senior management, independent of the security function. These could range from minor issues, such as a casual approach to sharing links to company systems with third parties, through to disgruntled employees stealing code or customer lists. A manager tempted to “sweep a data breach under the carpet” might think twice, knowing their organisation has a prominent whistleblower program in place.

In fact, whistleblowers have helped organisations detect major security breaches. In Richard Stiennon’s book There Will be Cyberwar, he says:

“In 2006 it was revealed by whistleblower Mark Klein that the San Francisco CO of AT&T had indeed been compromised by the NSA, which installed Narus packet capture gear in its San Francisco data center (Room 641A), which was capable of monitoring billions of bits of Internet traffic a second, including the playback of telephone calls routed on the Internet, in other words, surveillance on an unprecedented scale.”

Head of Cyber Strategy and Architecture at Australia Post, Ryan La Roche, says whistleblowing is part of a security team’s toolbox.

“Organisations need to employ a wide range of tools to protect their valuable assets. A whistleblowing service has a role to play in helping employees speak up about suspicious or inappropriate activity,” said Mr La Roche.

Using a tip-off service to report cybersecurity concerns isn’t new. In fact, the Australian Cyber Security Centre uses ReportCyber to encourage members of the community to report a cybercrime, incident or vulnerability. Likewise, the ACCC provides the ScamWatch service to encourage members of the public to alert authorities to emerging scams. There is also the National Security Hotline, which encourages the public through its call to action: “if it doesn’t add up, speak up”.

Of course, employees should be encouraged to first alert leaders if they see anything suspicious, and not to delay the process by making a disclosure via the whistleblowing hotline. But if there are ongoing issues that suggest a fissure in your organisation’s cybersecurity, a whistleblower tip-off helps leaders act before the issue escalates into something more troublesome.

How do you encourage employees to speak up?

In a Hollywood movie, a cybercrime tip-off would be made by a frightened employee, hiding under a desk, calling for the maverick hero to save them from the villain who is stealing top secrets so he can rule the world! But this isn’t the case in most workplaces. It’s more likely that breaches of IT protocols are made by people just trying to do their job, oblivious to the hazards they are creating. So, how do you encourage (mostly) honest and hardworking employees to speak up?

Make it safe

A psychologically safe culture is vital if you want employees to own their mistakes. If employees fear retribution, losing their job or ruining their professional reputation, it’s highly likely they’ll stay silent. Building a psychologically safe culture takes time. It won’t work if leaders try to switch it on in a crisis – leaders must consistently walk the talk to earn employee trust.

Listen! Every time

Employees should always be encouraged to speak up, even if the issue turns out to be minor. In most cases, an issue will be investigated and deemed low risk. But some investigations will uncover serious issues that would otherwise go undetected if employees said nothing.

Let employees speak confidentially

Used well, the whistleblower program is a powerful tool for detecting serious issues in the organisation on a timely basis. In fact, research by the Association of Fraud Examiners shows 42% of frauds are detected by tip-offs. A confidential service allows employees to report what’s happened without fear of repercussions. But as our data shows, not many tip-offs about cybercrime are made via the whistleblowing hotline, which means leaders and IT teams are potentially missing out on an important source of information.

Specify IT security in the Code of Conduct

It’s also important that every employee knows what to do if they, or someone else, breach IT security protocols. This is where having a clearly articulated and well-understood Code of Conduct is important. The Code of Conduct should specify what to do when there has been a breach of IT security protocols.

24/7 reporting anywhere, anytime

Cybersecurity issues don’t always happen during business hours, and leaders aren’t always free for a chat. Perhaps a tired employee checks their email late at night and accidentally clicks on a link. Or an employee working remotely receives a phone call from a bogus helpdesk. This is where a cloud-based, enterprise-wide issues management platform, such as Rely, helps employees report cybersecurity concerns from anywhere, at any time. It even guides employees on how to report cybersecurity concerns based on your organisation’s policies and procedures.

What more can senior leaders & boards do?

Most directors keep a watchful eye on the risk register and on issues detected through the company’s whistleblower program. However, how much time on the board’s agenda is given to understanding whether the numbers being reported reflect the true state of the organisation’s risks?

Interrogate the data

The responsibility of boards to be aware of, and address, improper conduct has been highlighted by the media in recent times. Boards need to consider their blind spots. How do the key risks reconcile with the matters being raised through the whistleblower program and other detection channels? Are you interrogating the data and asking executives, “what am I not seeing?”

Build psychological safety

Employees must feel it’s safe to speak up about cybersecurity breaches, even if they are responsible. People who fear retribution, losing their job or damaging their professional reputation won’t be forthcoming. Leaders must role-model that it’s okay to make mistakes, and that they will listen compassionately and act accordingly.

Whistleblowing isn’t the silver bullet that ends cybercrime, but it is one tool organisations can employ to prevent, detect and respond to this ever-increasing risk.


Additional resources: