An effective whistleblowing policy and procedure should be an important element of any internal mechanism intended to spot and address when things are going wrong. With so much focus on insider risk and threat, surely whistleblowers have an essential part to play in the identification of insider risk? This note briefly discusses the positive role they could have if they are listened to but also the possible challenges if they are not.
According to the UK National Protective Security Authority (NPSA), an insider threat arises when ‘an insider, or group of insiders, […] either intends to, or is likely to cause harm or loss to the organisation’ [1], and an insider event arises when ‘the activity conducted by an insider, whether intentional or unintentional, […] could result in, or has resulted in, harm or loss to the organisation’ [2]. The significance of insider events is growing because of their increasing number [3], the severity that some organisations report relative to external attacks [4], and the dawning realisation amongst survey respondents of their vulnerability to insider threats [5].
By way of context, many public and private sector organisations have spent years building defences against external threats, because that was where attacks were perceived to come from. Whilst such activity is commendable (and there is still much to be done by many organisations), the threat landscape has evolved: so-called bad actors, including organised criminals, hostile nation-states, malign lone wolves and cause célèbre movements, have adapted their techniques to include physical incursions into locations where relevant information is kept, cyber penetration of data repositories, and the co-opting or implanting of people on the inside who can gain access to assets. Increasingly, asymmetric approaches combining some or all of these tactics have been applied. Equally, considerable damage to the security of organisational information assets can accrue not only through malign attacks but as a consequence of unwitting or reckless disclosures of information, for example through social media discourse.
Given the multi-faceted nature of insider risk and threat, how can an organisation protect itself and its critical partners? A range of defences is required, with more or less emphasis on particular elements according to the insider risk assessment and the prevailing threat intelligence picture: effective organisational governance (through insider policy, procedure and process); thorough and periodic vetting and re-vetting of the holders of sensitive posts; staff and management training; physical security of the premises where sensitive data is held or can be accessed; cyber security, including anomaly detection and incident investigation; and whistleblowing. Of these organisational defences, I want to expand here on the whistleblowing element (and I exclude from consideration in this note the insider threat where a former employee undertakes a marauding, violent attack on former colleagues at their place of work).
As we know, many well-intentioned whistleblowers come to be perceived as a threat to the organisation and suffer detriment as a result of making a disclosure. Whilst not ignoring the risks which whistleblowers face, I want to focus on how switched-on employers can draw on the relevant information which whistleblowers can provide, as one bulwark of the defences organisations erect to protect their assets against insider risk. Let us consider a couple of the fundamental elements to establish whether there is an arguable case.
Firstly, would insider risk whistleblowing disclosures qualify for protection under UK and EU law? The answer is, probably, yes. In UK law, the disclosure must be a qualifying disclosure within the meaning of Section 43B of the Employment Rights Act 1996, made to an appropriate recipient; the simplest case is that described in Section 43C, where a worker brings a relevant failing to the attention of their employer (or of another person responsible for the failure, where that is not the employer).
Interestingly, the ‘other person responsible’ could include suppliers and critical third parties associated with the employer, an emerging attack vector that is a source of concern to organisations contemplating their internal threats. The disclosure must relate to one of the six categories described in Section 43B, namely a criminal offence, a failure to comply with a legal obligation, the endangering of health or safety, damage to the environment, a miscarriage of justice, or the deliberate concealment of any of the preceding failures [6]. The worker must also reasonably believe that the disclosure is made in the public interest.
Whilst determinations are always fact sensitive, in a scenario where a worker sees or hears something which tends to show that, for example, confidential information is improperly leaving their company, one or more of the qualifying categories under Section 43B may apply: a criminal offence (data protection breaches, corrupt practice), a breach of the express or implied confidentiality term in a contract of employment (a failure to comply with a legal obligation), or the concealment of these transgressions. There would be a strong prima facie case that it is in the public interest for businesses to operate without the prospect of their hard-won intellectual property (and likely source of commercial advantage) being compromised by unfair, indeed illegal, means [7].
So far, arguably, so good, but Sections 43B and 43C set quite a high bar, and further thought would need to be given to circumstances where one or more damaging leaks of sensitive information arise through naivety or ignorance in an era of sometimes thoughtless social media publication, or as a result of ‘honey traps’ or other forms of social engineering. Fortunately, the UK whistleblower is likely to be protected if they hold a reasonable belief that the ‘leak’ tends to show that one or more of the Section 43B failures has occurred, is occurring or is likely to occur. It is very much in the interests of an alert employer, attuned to insider risk, to appreciate the value of whistleblower disclosures relating to poor cyber security, sloppy information management, an overly expansive and indiscreet social media presence, or lax physical security at work premises. Nevertheless, these inadequate arrangements do not, of themselves, fall within the Section 43B categories and, without more, may not attract the statutory protections for whistleblowers [8]. So, employers may need to find other ways to encourage the reporting of weak information security where the ‘back door’ is being left open but no one has yet decided to steal in.
Under EU law, Article 2 of the Whistleblowing Directive (Directive (EU) 2019/1937) sets out the ten areas which fall within the material scope of the legislation [9]. Of these, Article 2(1)(a)(x) establishes ‘protection of privacy and personal data, and security of network and information systems’ as one area in respect of which reports can be made. Thus, the Directive also appears to support the management of insider risks and threats.
Yet it should not be assumed that whistleblowers are seen as part of the solution; indeed, it has been proposed for discussion whether Edward Snowden was a whistleblower who became an insider threat because he perceived that no sufficient action was being taken about his concerns [10]. This raises the point that there is an obligation (at least moral, if not contractual, regulatory or statutory) on employers to act on disclosures about poor internal information security. If they do not, employers risk creating a situation in which more insider threats (at least to the reputation of the organisation) arise, as frustrated whistleblowers approach regulators and other prescribed persons (under Section 43F), other bodies well placed to act on their reasonable suspicions (Section 43G), or even the public via the media (Section 43H), because the employer is perceived to have failed to address the disclosures [11].
Treating whistleblowers reasonably in order to help protect an organisation’s sensitive assets in the public interest sounds too obvious to warrant serious consideration. Yet paying lip-service to this aspect of insider risk management creates at least two risks: first, that permitting lax information security procedures renders the organisation responsible for the resulting failures and draws towards the directors the spectre of one or more of the qualifying failures described in Section 43B applying to them; and secondly, that an unfulfilled whistleblower comes to be perceived by the organisation as having stepped over the line into becoming the very insider threat that all this activity was intended to prevent. On either footing, a banana skin awaits the unwary.
If this purview of insider risk management and the appropriate role of whistleblowing within it is of interest, I would be pleased to discuss the topic further.
Dr Brian Moore
Managing Director
[email protected]
References
1. National Protective Security Authority, ‘Introduction to Insider Risk’ (no date) https://www.npsa.gov.uk/introduction-insider-risk accessed 27 February 2024.
2. ibid.
3. Insider threats are said to have increased by 47% between 2022 and 2023: Maxim Chekalov, ‘22 Insider Threat Statistics to Look Out For in 2024’ (2024) https://techjury.net/blog/insider-threat-statistics/ accessed 3 March 2024.
4. 30% of respondents report that the consequences of insider harms were more severe than those of external attacks: Randy Trzeciak, ‘SEI Cyber Minute: Insider Threats’ (Carnegie Mellon University, Software Engineering Institute Cyber Minute, 2017) http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=496626 accessed 1 March 2024.
5. 74% of organisations surveyed say that they are at least moderately vulnerable to insider threats: Sarah Miller, ‘2017 U.S. State of Cybercrime highlights’ (Carnegie Mellon University, Software Engineering Institute Blog, 2018) https://insights.sei.cmu.edu/blog/2017-us-state-of-cybercrime-highlights/ accessed 1 March 2024.
6. Employment Rights Act 1996, Section 43B.
7. ibid.
8. Employment Rights Act 1996.
9. Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law, OJ L 315/17.
10. Victor Munro, ‘Applying Insider Risk Mitigation: Contemporary Issues’ (2023) 6(2) The Journal of Intelligence, Conflict, and Warfare 84, 85.
11. Employment Rights Act 1996, Part IVA.