The destruction of United’s brand highlights the role of employees in cyber defense

By now we all know that Oscar Munoz (CEO of United Continental Holdings) is Satan incarnate and his employees are the minions of hell. At least, that is what people are thinking after viewing the video taken over the weekend, which shows passenger David Dao being beaten and forced off a flight from Chicago to Louisville. The short clip taken by a passenger with a cell phone has permeated almost every social media site in the world and United has been tried, convicted, and sentenced in the court of public opinion.

As you read further please remember this critical fact about information security: People, not systems, are the greatest threats and always have been.

Lose reputation (and money) at the speed of light

The damage to United is very tangible and likely long lasting. At one point earlier in the week the company had lost over a billion dollars in market cap. In addition to the ongoing furor in the United States, by Wednesday of this week the video of the incident had been viewed by well over 100 million people in China (Dao is of Vietnamese dissent). Many of these viewers are now calling for a complete boycott of United Airlines.

It’s no secret that all the major domestic airlines are lacking in their treatment of passengers. In this article by John Paul Rollert published in Fortune, we see that the federal government has created a number of regulations that allow air carriers to routinely treat passengers with little regard. There are hundreds of thousands of complaints lodged each year with the FAA that yield only trivial punishment against airlines. And the treatment isn’t relegated to just the lowest paying customers. Even first class fliers like Geoff Fearns have been threatened with handcuffs and rough treatment for failing to yield to even more important passengers.

As most veteran fliers will tell you, these incidents have been part of air travel for decades. United probably felt the same way when the Dao incident first happened, which is why their initial press releases seemed so tone-deaf to the general public.

Security breaches can take many forms

So what makes this situation so different and why? For all of the outrage being expressed about the incident, many people are missing exactly how United got into such trouble. Every single problem originated from a one source – the passenger taking the video. Think about that for a second. Air carriers have been mistreating passengers for decades. But it wasn’t until this incident that the world got a first person view of what can actually happen to people within the opaque walls of a jetliner.

At first it may seem like a stretch to claim that the beating of Doctor Dao could be compared to a cyber security breach. Nobody hacked United and no cyber systems were breached. Yet, the passenger taking the video exposed a secret side of United that directly contradicts millions of dollars that they spend in marketing every year (“Fly the Friendly Skies”). Without the video there would have been no tangible proof of the misconduct of United Employees that the world could see and thus no outrage.

For comparison, let’s take a look at a classic case with actual cyber penetration and compromise. In November of 2014, the networks of Sony Pictures were hacked. The people responsible for breach were able to gain almost unlimited access to all of Sony’s information. A large amount of material from the hack was ultimately released including movie scripts and personal employee data. One of the most damaging leaks centered on email correspondence from a producer named Scott Rudin. In multiple emails he was shown to have disparaged such people as Angelina Jolie, whom he referred to as a “minimally talented spoiled brat” and then President Barack Obama. The comments about Mr. Obama were apparently racist in nature. Rudin’s behavior was well known within the industry but because it wasn’t public, his actions were considered contained and “contextualized”. But when the information was exposed to the world at large Sony endured a great amount of public shaming. Reputation damage is sometimes hard to quantify but Sony estimated that they lost at least $35 million as a result of the breach.

Begin with your people

In both the case of United and Sony, the true damage was caused by a lack of employee training and awareness. At Sony, it was Rudin’s behavior and lack of personal awareness that contributed most significantly to their losses. With United it was the lack of training for their personnel that ultimately led to the mistreatment of Doctor Dao. The written statements by CEO Munoz also point to an utter failure at the highest levels to prepare executives to handle the situation with which they were faced.

One of the most important components of cyber security training is to convey to employees an awareness that they should consider everything they say, do, and write is being recorded at all times.

Think about your own organization. Despite every investment made in hardware, software, or services to strengthen cyber security, how much trouble could a single person cause with simply a cell phone camera, if he or she was in the right place at the right time? We can all learn from the pain of United right now. Without proper training and education for the actual people in our workforces, no amount of technology will protect us. Because people are our biggest risks, the foundation of any serious cyber security defense starts with training.