Cisco whistleblower case blows the lid on risk

Cisco, a worldwide leader in IT, networking, and cybersecurity solutions, reached an $8.6 million settlement with federal, state, and local agencies in a whistleblower case. What makes it precedent-setting is that it is the first-ever whistleblower case involving cybersecurity.

James Glenn, a computer security expert for a Cisco reseller, discovered a vulnerability in Cisco’s video security software. The product flaw allowed hackers to gain full administrative privileges. Glenn reported the vulnerability to Cisco, but instead of rewarding him for bringing it to its attention, the company terminated his employment. Meanwhile, Cisco didn’t address the vulnerability for five years. Glenn’s lawyers filed a lawsuit under the Federal Claims Act, which permits whistleblowers to report fraud or misconduct in federal contracting. That led to this summer’s settlement.

For many, that’s where the story ends. To us, it’s just beginning. The fallout from the Cisco whistleblower case is risk far and wide. What can you do to address each new or heightened risk?

Risk of an incident
In its statement regarding the settlement, Cisco admitted that theoretically, the video feeds could have been hacked but that there were no instances or evidence of unauthorized access to customers’ video due to the product’s architecture. What’s concerning is the degree of the vulnerability and the value of the asset. According to Glenn’s legal team, hackers could have attacked the entire system without a trace and gained access to other systems tied to physical security. It’s alarming given the number of high-profile customers that use Cisco’s surveillance software, including the Pentagon, the U.S. Secret Service, and the Department of Homeland Security.

To put it into perspective, traditional risk analysis plots risks on a scale based on likelihood and impact. The likelihood of an incident occurring due to Cisco’s vulnerability would score low since the vulnerability wasn’t exploited for years. However, the impact of an incident caused by a hacker gaining system-wide access would be incalculable. Hackers accessing the Pentagon, for example, is a threat to national security.

Risk creates more risks
What started out as a good thing, awareness of an unknown vulnerability, identified a critical cybersecurity risk that opens the door to other risks: operational, fraud, compliance, and reputational.

A cybersecurity risk associated with a vulnerability offering an all-access pass to hackers is a risk to operations. A breach could disrupt the supply chain, create shock waves through product development, and send customer service into a tizzy.

Since the vulnerability went undetected for five years, there is a concern of fraud. Was the software glitch known by management and ignored? Is there a memo somewhere that’s a smoking gun? There is no evidence of fraud in the Cisco whistleblower case, but five years of not addressing the vulnerability warrants an investigation into internal processes.

A compliance risk is also in play here. A security flaw would make the Cisco product non-compliant with NIST, which dictates security measures for companies that do business with the federal government. Risk of non-compliance would be an immediate red flag. Cisco could lose federal contracts for non-compliance with NIST.

A vulnerability associated with national security is a risk to an organization’s reputation. If there is an incident with a customer that is a household name, it will most certainly garner negative publicity. Bad press hurts an organization’s reputation with customers and its standing in the culture. The result is especially noticeable on the bottom line.

Revisit internal reporting processes
How would your organization handle Cisco’s situation? A good place to start is your whistleblower hotline and incident management system. As was noted in a NAVEX Global blog post:

“Every company should spend time thinking through in advance how it will investigate cases of variant natures and severities. This should include a plan for dealing with the individual who comes forward during the process to ensure they do not feel shunned, ostracized, or retaliated against in any way, shape, or form.”

Your organization may have a separate channel for reporting product deficiencies like software bugs. However, for former employees, these internal reporting systems are inaccessible. They turn to their only option for reaching leadership and ensuring a review: a whistleblower hotline. It’s why you must manage every inbound call or contact regardless of its variant nature and severity. That may necessitate new or revised processes for handling information and escalating issues to the right personnel.

Manage risks holistically
As we noted earlier, a risk often creates more risks. It’s the siren song for holistic risk management, better known as integrated risk management (IRM). Gartner defines IRM as “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.”

The Cisco whistleblower case presents a unique set of risks (cyber, operational, fraud, compliance, reputational) that is best addressed by IRM. It allows vulnerabilities to be identified instantly with continuous monitoring and then remediated based on criticality. With the right technology, it’s highly unlikely that vulnerabilities go undetected for years, much less weeks or even days. By managing risk and creating a more risk-aware culture, you can greatly increase the odds of avoiding incidents.

The case will be remembered as the first of its kind involving cybersecurity. At a glance, it calls for adapting processes to meet a new type of whistleblowing. Dig a little deeper and what you get is the observation of psychologist Carl Jung: “What you resist not only persists but will grow in size.” In other words, you must go beyond adapting internal processes to effectively manage risk.
