Wed | Jan 26, 2022 | 11:16 AM PST

While sometimes controversial, whistleblowers have the potential to save an organization from millions of dollars in losses, public backlash, or government regulation—unless they are treated with disrespect and not taken seriously.

In September 2021, a senior employee at Volkswagen tried to do the right thing after discovering possible security vulnerabilities in the German automaker's payment platform, Volkswagen Payments SA.

The employee alerted the appropriate people that the system was "open to fraud" following a cyberattack, and claimed that $2.6 million could be stolen from company accounts, according to the Financial Times.

They also mentioned the company could face regulatory action if the vulnerabilities were not addressed.

This led Volkswagen to hire an independent law firm to investigate the claims, which concluded the information was "irrelevant." Volkswagen then terminated the whistleblower "due to fundamental differences in the way we work together."

The incident has sparked discussions among security professionals, who are calling for a more open security culture to avoid situations like these.

Security professionals want open culture for whistleblowers

Some experts have shared their opinions on the Volkswagen incident and on what they think organizations should adopt moving forward.

Jamie Akhtar, CEO and Co-Founder of CyberSmart, discusses:

"Although it's unwise to comment on an ongoing case, there is a broader takeaway from this story. Businesses of all shapes and sizes need to do more to foster an open culture where employees feel able to raise concerns about cybersecurity issues.

A huge proportion of successful cyber attacks stem from some form of human error, and the best way to counter this is by staff feeling comfortable in raising concerns or asking questions. After all, you never know who in your business might spot that something isn't quite right."

Martin Jartelius, CSO of Outpost24, shares his thoughts:

"If a member of a team believes something is a risk, it's important to investigate and escalate according to your process and make your decision based on the facts. If after investigation the employee is correct, it's a bad decision to fire that individual.

Now, most organizations have a fraud prevention and whistleblower system; they are generally required to have this for preventing fraud, money laundering and corruption—that would likely have been in place to bring the concerns and have them properly investigated."

Volkswagen does have a whistleblower system like the one Jartelius describes: its Together4Integrity program, which was created after a 2015 diesel emissions incident. So why was the employee fired?

Join the cybersecurity discussion at one of SecureWorld's upcoming conferences to learn and share your thoughts.
