In March 2020, virtually overnight, more than 90,000 Boeing employees—approximately three-fifths of our workforce—started working remotely to support the broad public health effort to fight the spread of COVID-19 and reduce risk by limiting the number of employees on-site. Many of our stakeholders, suppliers, and customers experienced the same sudden transition to working from home full time.
I lead Boeing’s Information Security Governance & Supply Chain team, which defines enterprise requirements for information protection and cybersecurity for both our employees and suppliers. Our Boeing Information Security team protects the network, assets and information of a global workforce on a daily basis and supports and protects our customers, suppliers and partners around the globe.
As I think back over the past months, themes and trends emerge that underscore the importance of solid cybersecurity and information protection principles. Our work hasn’t changed during the COVID-19 crisis, but it has been magnified, accentuated and complicated in ways we had not anticipated when the year kicked off.
Telecommuting & Personal Devices
When more than 90,000 employees are suddenly thrust into a remote work environment, the cybersecurity and information protection threat landscape changes drastically. The first challenge we faced was how to support employees taking Boeing devices home to facilitate their new remote work situations. Many employees who had not previously worked from home did not have adequate infrastructure in place to support this change.
No longer do we have gates, guards and physical access controls in place to provide an initial layer of protection for our information and devices. Instead we have housemates and a myriad of unknown factors that each employee has to deal with to comply with our policy requirements in their unique environment.
That pushed InfoSec, along with our End-User Computing team, to focus on tracking, supporting and protecting our computing assets as they headed off to employee homes.
Information Protection and Supporting Safe Cyber Behavior
Boeing employees work with extremely sensitive and highly regulated data on a daily basis. This makes them prime targets for adversaries who would use their access to gain an advantage in the global market. We continually communicate to our employees how critical it is that they be aware of phishing attempts and social engineering, and this has become even more critical now that we are all taking our work home with us. In addition to the cyber risk, employees now need to be keenly aware of the sensitivity of the information they are working with, as they don’t have the standard protections Boeing facilities provide.
Boeing has also improved the clarity and “consumability” of our information protection training and guidance. We developed targeted information protection training and updated our Information Protection Standards Manual to address many of the complexities employees were (and are) dealing with while working from home.
However, simply publishing updated guidance is not enough to truly move the needle in such unprecedented times, so we took additional, proactive measures to ensure employees both understood the cyber threat and could protect information without having to think about it. To help employees spot and react to phishing attempts and other cyber threats, we added a banner to external email to remind employees to think twice before clicking on links. We also implemented technical controls, such as blocking write access to USBs by default, to help employees stay within the bounds of policy and protect our information and devices from inadvertent loss or compromise.
Our suppliers also face cybersecurity threats, providing an additional dimension of risk that we must account for. Boeing’s supply chain consists of more than 12,000 suppliers that have differing levels of cybersecurity maturity. During the COVID-19 pandemic, we needed to ensure their continuity of operations and continued performance—so they could continue to support Boeing and the aerospace industry, including our U.S. defense and allied customers.
Some suppliers needed virtual work clauses added to their contracts and assessments of their proposed access methods to enable them to handle Boeing information or access Boeing assets during the COVID-19 stay-at-home orders issued by states. Some suppliers have had to deal directly with the rise in cyber-attacks COVID-19 has produced. Boeing’s Information Security team has supported our suppliers through each of these activities over the past several months, revising contracts, assessing proposed connection architecture options, and determining if ransomware attacks on suppliers have had any direct impact on the Boeing network.
More granularly, prior to COVID-19, some suppliers had operated from Boeing facilities or supplier facilities with trusted connections. Now these suppliers around the globe had to use their home WiFi and hop through a variety of VPN connections to conduct their work. Again, we partnered with them to ensure appropriate access and alignment of cybersecurity expectations and execution.
Work doesn’t stop in a crisis. Even prior to COVID-19, our work landscape was increasingly digital and faced burgeoning cybersecurity threats. COVID-19 has proven the resiliency of our information security controls to protect and enable our workforce, information, and infrastructure in support of efficient, stable operations in a dynamic environment.
We have been able to continue our day-to-day operations with clear and thorough guidance for our teams, partners and suppliers, explore new capabilities while reinforcing our foundational principles, and operate securely in a world of uncertainty.
About the author: Amanda Silver is a Boeing Information Security senior manager. In her spare time she raises service dog puppies.