Boeing Rep Speaks Out On Laptop Thefts And Security
The aircraft behemoth is dealing with the third stolen company laptop in two years, despite new security policies, employee education and technology.
The latest theft of a laptop containing identifying information on 382,000 Boeing employees came as a real blow to the employees who have to worry about identify theft now, and to the company that has been working hard to prevent this from happening.
The computer that was stolen from a Boeing employee in early December was the third laptop theft that the company has had to deal with in the past two years. This latest missing laptop contained the names, Social Security numbers, and in some instances the home addresses of both current and former (mostly retired) employees. The employee who lost it was fired for violating company policy by downloading the information onto the laptop and not encrypting it, says Tim Neale, a spokesman for Boeing.
"Boeing is trying to figure out how to best protect data in this portable world we live in," says Neale. "We've been working this issue hard in the past year. Laptops are great tools, but you have employees traveling all over the world with data from their organization, so people are trying to figure out how you improve the security. We're getting there, but I'm sure these 382,000 people would say, 'You're not there yet.' But we are getting there."
Boeing is in a tough position, says Beth Givens, director at the Privacy Rights Clearinghouse, a nonprofit consumer advocacy.
"There's always the wild card," says Givens. "That wild card is an employee who doesn't follow the required practices, procedures and policies. But [Boeing] fired the person, making a huge statement to all the other employees. What else could they do, really? The damage is done."
Neale says there is more they can do, and they're in the process of doing it.
In November 2005, Boeing had to deal with its first laptop theft. That machine, which still has not been recovered, contained identifying information on 161,000 current and former employees. Neale says that after that first incident, company executives and managers started working to keep it from happening again. One of the first things they did was to instruct workers to get sensitive data off their hard drives and then managers had to check to make sure it had been done.
Company policy discourages saving sensitive employee files on their laptops, notes Neale. Workers are supposed to work off the servers whenever possible, keeping the data behind the company firewall. "If you do download the information onto a laptop, it's supposed to be temporary and the information is supposed to be encrypted," he says, adding that the employee who was just fired didn't follow this policy.
Employees have had training on the security policies. Neale says the fired worker 'had fair warning."
Neale notes that the latest stolen laptop was not turned on when it was taken, so the thief would have to deduce the password to get access. Ken van Wyk, principal consultant with KRvW Associates, however, says, a hacker could easily get around the simple BIOS startup password by removing the hard drive and putting it into a new computer. If the hard drive had been encrypted, would have been much more difficult to hack.
Neale says Boeing also is looking to get around human error issues by making some of the security automatic and by removing some of workers' identifying information from their files.
The company, for example, is getting away from using Social Security numbers as identifiers for employees. "We are well along in replacing Social Security numbers in a lot of databases," says Neale. "That reduces the number of files out there with that kind of data in them."
They're also in the process of pushing software out to employees' machines that will automatically encrypt information saved to the hard drive.
"We're looking at all our options," Neale says. "There may be more changes to come."
Automatically encrypting the hard drives is a smart step for the company to take, notes Van Wyk.
"If you have to go in and encrypt one file at a time, that's a pain," says van Wyk. "It's like having your files in a locked cabinet, and every time you want a file, you have to go and unlock the cabinet, take the file out, and then do it all over again every time you want a file. That gets so inconvenient that nobody ends up using it. ... It needs to be automatic."
He also says it's not surprising that a big company that is making a lot of security efforts is still having problems.
"It's like an ocean liner," van Wyk explains. "You can turn the wheel but it takes a couple of miles to get it to turn a little bit. It takes a long time to ingrain this into the mentality of everyone in the corporation. With a small company, you can buy pizza and explain it to everybody and you're done."
Boeing continues to work on cementing security procedures.
"People who I personally have heard from are upset that this has happened again," says Neale. "Seriously, I think employees expect that the company will protect their data, and the CEO fully expects that too. We live in an age with these fantastic technologies and we can cart computers around, and work in a lot of locations, but there are downsides to that."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.