Kamhen is an independent company specialising exclusively in Information Security. Kamhen was founded by internationally recognised industry experts and has become one of the foremost Information Security consultancies.
It reads like a security nightmare. An employee, maybe even someone in IT, contacts a government regulator and reports major vulnerabilities in the company’s infrastructure. The employee says the company knows about the problems but has done nothing, putting people's personal data or maybe even their physical safety at risk.
Even worse, the whistleblower claims to have been punished for complaining too much to management about the problems. An investigation ensues, forcing the company to hire attorneys and consultants, and the regulator levies a hefty fine when several accusations prove accurate. Finally, the whistleblower is given a portion of that judgement, financially rewarded for exposing their employer’s dirty laundry.
When I discuss this scenario with other security professionals, many see it as a classic case of insider threat. The fictional whistleblower is blasted as unprofessional, spiteful, a traitor even. That reaction may be understandable, but it is increasingly misinformed and dangerous. Whistleblowers will be coming to cybersecurity, and a strategy built around blaming and demonizing them will actually make things much worse.
In 2015, the Securities and Exchange Commission (SEC) settled charges that R.T. Jones Capital Equities Management violated the “safeguards rule” by not doing more to prevent a security breach that compromised the information of about 100,000 people. Even though no one appeared to be harmed, the SEC censured R.T. Jones and fined the firm $75,000. Justifying the enforcement, the SEC said,