Honest mistake, real consequences
Last week, a story surfaced about a Boeing employee who sent his wife a spreadsheet so she could help with a formatting issue. The spreadsheet contained the names, employee numbers, and other personal information of 36,000 Boeing employees. No doubt it’s a facepalm moment, but you have to ask yourself, “Did the employee know that what he was doing was wrong?” Surely that’s not something to be sending outside of the company, for more than one reason.
The employee trusts his wife and was either unaware of the consequences of sending sensitive data unprotected over e-mail or simply ignored it out of desperation to get the work done. As a result of said snafu, Boeing had to issue a data breach notification and purchase credit monitoring for the affected employees.
What’s so bad about e-mailing this data? Without encryption, the message and its attachment can be read at any hop along the way, and copies then sit in mailboxes, backups, and devices the company does not control. An ill-intentioned individual could use the names and employee numbers to launch social engineering campaigns against employees, for example. And hiding columns in a spreadsheet does not remove them: the data is still in the file, and anyone who unhides it can see the social security numbers it contained and sell them on the dark web as part of ID theft packages.
This is why we teach a concept called the “Circle of Trust.” Employees learn that protection mechanisms are only possible for data stored or sent within the circle. The circle is made up of all of the approved equipment, network access points, and provided tools. If information is shared outside of the circle (on personal cloud storage for example), they may be held at fault.
There’s often a disconnect between security awareness and how to apply security rules. As information security professionals, we shouldn’t leave it up to the employee to interpret guidance, particularly if we want to avoid honest mistakes like the one seemingly made by this Boeing employee. Articles discussing the story indicate that the employee will have to take training on PII. Why hadn’t he taken this training before? Was he a new employee? The stories don’t answer these questions, so this is just speculation.
When we look at stories around the U.S. about data breaches, it seems that they are often accidental. As workplaces ramp up their cyber security posture, information security policies are put in place, an important step in avoiding accidental disclosures. But a policy only works if someone has put in the time to list, categorize, and prioritize the types of information handled in the workplace: you can’t protect what you don’t know is there. And because infosec professionals aren’t sitting behind every person’s chair, they can’t know how data is being handled (or mishandled!) at any given moment of the day. That’s why security awareness and training are essential. Put the knowledge and tools into the hands of the people and some of them will help identify workflows, storage locations, and transmission methods you didn’t know existed.
One silver lining in this story is that Boeing may have monitoring controls in place to catch sensitive data leaving their “Circle of Trust.” If that’s the case, kudos to them.
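The hidden-column point made earlier (hiding data in a spreadsheet does not remove it) and the kind of outbound monitoring control this last paragraph hopes Boeing has can both be made concrete. What follows is an added example written for this post, not Boeing’s tooling and not anything from the original story: a standard-library Python scanner that opens an .xlsx attachment (which is just a zip of XML parts), resolves each worksheet through the workbook relationships, and flags cells that sit on hidden sheets, in hidden columns or rows, or that look like a formatted social security number. The workbook it scans is constructed inside the script as made-up sample data; the sheet names, the values, and the `scan_xlsx`, `split_ref` and `build_sample_xlsx` names are my own.

```python
# Added example for this post: a standard-library scanner for hidden cells and
# SSN-shaped values in an .xlsx (a zip of XML parts). Not Boeing's code.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": MAIN}
# Formatted SSN; areas 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def split_ref(ref):
    """'AB12' -> (28, 12): 1-based column number and row number."""
    letters, digits = re.fullmatch(r"([A-Z]+)(\d+)", ref).groups()
    col = sum((ord(ch) - 64) * 26 ** i for i, ch in enumerate(reversed(letters)))
    return col, int(digits)


def _cell_text(c, shared):
    """String value of a <c>: inline string, shared string (t="s") or plain <v>."""
    if c.get("t") == "inlineStr":
        return "".join(t.text or "" for t in c.iter(f"{{{MAIN}}}t"))
    v = c.find("m:v", NS)
    if v is None or v.text is None:
        return ""
    return shared[int(v.text)] if c.get("t") == "s" else v.text


def scan_xlsx(data):
    """Return one finding per non-empty cell that is hidden, SSN-shaped, or both."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{MAIN}}}t"))
                      for si in sst.findall("m:si", NS)]
        # Worksheets are located via the relationships part (Target is relative to xl/).
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): "xl/" + r.get("Target").lstrip("/").removeprefix("xl/")
                   for r in rels.findall(f"{{{PKG_REL}}}Relationship")}
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sh in wb.findall("m:sheets/m:sheet", NS):
            sheet_hidden = sh.get("state", "visible") != "visible"   # hidden or veryHidden
            ws = ET.fromstring(z.read(targets[sh.get(f"{{{REL}}}id")]))
            hidden_cols = {n for col in ws.findall("m:cols/m:col", NS)
                           if col.get("hidden") in ("1", "true")
                           for n in range(int(col.get("min")), int(col.get("max")) + 1)}
            hidden_rows = {int(r.get("r")) for r in ws.findall("m:sheetData/m:row", NS)
                           if r.get("hidden") in ("1", "true")}
            for c in ws.iter(f"{{{MAIN}}}c"):
                value = _cell_text(c, shared).strip()
                if not value:
                    continue
                col, row = split_ref(c.get("r"))
                hidden = sheet_hidden or col in hidden_cols or row in hidden_rows
                is_ssn = bool(SSN_RE.match(value))
                if hidden or is_ssn:
                    findings.append({"sheet": sh.get("name"), "cell": c.get("r"),
                                     "value": value, "hidden": hidden, "ssn": is_ssn})
    return findings


def build_sample_xlsx():
    """Constructed sample (made-up data): names and employee numbers in visible columns,
    SSNs in hidden column C, one more SSN on a hidden sheet as a shared string."""
    def s(ref, text):  # inline-string cell
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'
    sheet1 = (f'<worksheet xmlns="{MAIN}"><cols><col min="3" max="3" width="0" hidden="1"/></cols>'
              '<sheetData><row r="1">' + s("A1", "Name") + s("B1", "Employee No") + s("C1", "SSN")
              + '</row><row r="2">' + s("A2", "A. Example") + '<c r="B2"><v>100234</v></c>'
              + s("C2", "123-45-6789") + '</row><row r="3">' + s("A3", "B. Example")
              + '<c r="B3"><v>100235</v></c>' + s("C3", "321-54-9876") + '</row></sheetData></worksheet>')
    sheet2 = f'<worksheet xmlns="{MAIN}"><sheetData><row r="1"><c r="A1" t="s"><v>0</v></c></row></sheetData></worksheet>'
    parts = {
        "xl/workbook.xml": (f'<workbook xmlns="{MAIN}" xmlns:r="{REL}"><sheets>'
                            '<sheet name="Employees" sheetId="1" r:id="rId1"/>'
                            '<sheet name="scratch" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>'),
        "xl/_rels/workbook.xml.rels": (f'<Relationships xmlns="{PKG_REL}"><Relationship Id="rId1" '
            f'Type="{REL}/worksheet" Target="worksheets/sheet1.xml"/><Relationship Id="rId2" '
            f'Type="{REL}/worksheet" Target="worksheets/sheet2.xml"/></Relationships>'),
        "xl/sharedStrings.xml": f'<sst xmlns="{MAIN}"><si><t>444-55-6666</t></si></sst>',
        "xl/worksheets/sheet1.xml": sheet1,
        "xl/worksheets/sheet2.xml": sheet2,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for path, xml in parts.items():
            z.writestr(path, xml)
    return buf.getvalue()
```

Calling `scan_xlsx(build_sample_xlsx())` returns four findings: the hidden “SSN” header cell plus three SSN-shaped values, all of them in hidden locations, while the visible name and employee-number cells are not reported. Two caveats a practitioner would want: the regex is a structural check (it rejects areas 000, 666 and 9xx, group 00 and serial 0000), not proof that a number belongs to anyone, so a real gate on outbound mail would weigh it together with the other columns and the sender context; and unformatted nine-digit SSNs, or values typed as numbers rather than text, would need a second pattern. The sample workbook also writes only the parts the scanner reads, not a complete Office package.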