The real question is how cyber-vulnerable are you?
Breaches happen constantly to some of the largest, most secure companies in the world — a few recent examples include Global Affairs Canada, Boeing, T-Mobile, 23andMe, Sony and countless others we don’t hear about. It’s costing millions.
As we continue to grow the cybersecurity arm of our company — and as we work towards our ISO 27001, ISO 27017, and SOC 2 Type II certifications — we feel a duty to share a few of the more common vulnerabilities facing commercial aviation operators and the information and cloud systems they use to support their business. For your own protection, it is worth assessing your own risk.
Top vulnerabilities to think about include:
Human Factors
Human error is the leading cause of data breaches. A joint study by Stanford University and security firm Tessian found that 88 per cent of data breaches were caused by employee mistakes. IBM Security research suggests that number is closer to 95 per cent.
*Training and awareness programs are essential to educate personnel about cybersecurity best practices and what to watch for. Topics to cover include choosing proper passwords, spotting email phishing, using multifactor authentication, and keeping security software up to date.
Aircraft Systems
Modern fleets rely heavily on computerized systems for navigation, communication, and control. Vulnerabilities in these systems can potentially lead to unauthorized access.
*Set access controls and employ a password policy that you enforce. Manage user permissions and login credentials, and put system monitoring, protocols and routine testing in place.
Network Security
Aviation is increasingly interconnected, with various systems, databases, and communication networks being linked and integrated. This creates potential entry points for cyber-attacks.
*Ensure your network security is robust and that data is encrypted at the file and network levels. Use VPNs for remote access, including for remote employees who are working from home. If you don’t have someone in-house with expertise, it’s worth the investment in your protection to hire someone who can help you test and improve it.
Flight Operations Systems
Sophisticated systems for navigation, communication, and surveillance can be a target. Companies that are serious about data protection will have taken stringent security measures.
*Subscribe only to software system providers you trust. If you’re subscribing to Software as a Service (SaaS), is the company aware of SOC 2 Type II requirements, or is that SaaS provider working to obtain its certification? Can they readily provide you with their security policy and detailed information about their servers and back-up systems? Ask them how they securely handle client data and any disruptions that could affect your business.
Private Data
Commercial operators store vast amounts of personal, private and confidential data including client and crew information, personal health information and sensitive business information. It’s critical that you comply with federal, provincial or state privacy laws.
*Store your data with additional security measures. If you’re shopping for software, ask the provider if they are aware of personal privacy regulations and what they do to comply. In Canada, SaaS companies should be familiar with the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian data privacy law governing how private sector organizations collect, use and disclose personal information in commercial business.
Disaster Recovery
It’s critical not only to have a backup, but also to be prepared for risk factors and disaster recovery. Risk and recovery planning is a critical business tool to protect your data.
*Have your own protections in place for your company and expect your SaaS provider to have their own procedures and plans for risk and enhanced security measures.
Regulatory Compliance
Operators must adhere to cybersecurity regulations and standards set by aviation authorities. Non-compliance can lead to legal consequences.
*Ensure your software is in compliance — even better if your SaaS provider has support staff with in-house expertise. If they don’t, you’ll be vulnerable by default as a user.
Cybersecurity is ever-changing. Be prepared to investigate your own Cyber Security Framework and Information Security Management System. Be prepared to adopt new tech solutions and robust policies, seek advice, provide continuous training for employees, and collaborate with the aviation industry to share intelligence about threats and best practices.
At Cirro, we’re invested in cybersecurity and we’re passionate about protecting client data. We have in-house cybersecurity expertise to help, and we are here to support you.