Why would a company risk backlash for punishing an employee who was simply trying to do the right thing and ultimately help the business? Generally, an executive would most likely prefer that the whistleblower be wrong in his or her assessment of the cybersecurity practices of the business. Rather than fundamentally change how the business protects its data, clients and assets, executives would rather stick with the status quo. The problem is that what worked in cybersecurity five or 10 years ago most likely doesn't hold up today, since technology is rapidly evolving.
Ultimately, Katz notes that companies that choose to ignore cybersecurity threats and don't take a proactive approach to scanning their systems for vulnerabilities will wind up paying more in the end. The cost of legal fees, hiring people to help fix the issues, SEC fines, the loss of customers, and the damage to a company's reputation greatly outweighs the cost of the proactive resources businesses could invest to maintain a secure cybersecurity system and patch any flaws.
For example, Target's breach in 2013 cost the company $264 million in direct expenses, and Home Depot estimates that its 2004 breach cost the company $62 million, not including the legal fees for the 44 lawsuits brought against the company, according to Katz. The Ponemon Institute released a report earlier this year stating that the average cost of a data breach for any company, big or small, is $3.8 million, which means small businesses aren't immune to the staggering cost of cybersecurity threats either. For the healthcare industry, which handles some of the most sensitive client data, Ponemon reports the average cost per stolen record is $363.
For employees, it's important to understand your rights when it comes to reporting ethical issues with your company. "If someone feels they are vulnerable to this retaliation, they need to keep a comprehensive log documenting their efforts to raise the issues and the response that they got when they tried to raise these issues," says Katz. And while plenty of companies have ethics hotlines and 800 numbers to call, Katz says these are not always the safest avenue for employees to reach out. In reality, to ensure employees' safety when it comes to whistleblowing, businesses need to create an environment that reassures workers that they can raise questions and concerns about security threats.
Ensuring your business doesn't fall victim to the crippling losses inflicted by cybersecurity breaches starts with a zero-tolerance policy against retaliation, according to Katz. "They should be doing everything possible to really provide the resources and support for these people to effectively do their jobs," she says. "And companies need to understand that obviously it's crucial to their business to not have these kind of breaches, but they also face significant legal liabilities from the whistleblowers themselves."