Editor’s Note: Excerpts of this post series were originally published by ACI-NA.
In my earlier article, I wrote about the growing concern of the insider threat within the aviation industry. The insider threat can cause organizations and cybersecurity practitioners the most headaches because it often comes down to a human error that opens the doors to new vulnerabilities. Yet, airport management and aviation organizations can proactively mitigate the insider threat by creating a “culture of security.”
An airport’s most important asset is its employees. Fully trained, knowledgeable, and enthusiastic personnel are a must for an airport to meet its mission. Unfortunately, many employees are focused primarily on their own role and responsibilities, and security is an afterthought. Many employees are not fully aware of the efforts that are taken to protect an airport’s IT environment, and those who are may not understand the significance of each security policy and protection that has been put in place.
Gaining the full support and contribution from each employee is an essential step in creating a culture of security. While physical security has the same goal, in practice, the issues in maintaining this culture are different.
Common insider issues result from all of the following:
- Downloading and/or installing unauthorized software
- Opening email and attachments from unknown sources
- Browsing dangerous websites
- Weak passwords
- Sharing of access credentials
While the actions above are not taken with malicious intent, without the proper education in place for employees, these missteps often open the door to new vulnerabilities, allowing bad actors to access the network and systems, and causing more serious issues.
For airports looking to create a culture of security, leadership must deliver the following messages to their employees, so they understand the importance of security within the organization and the role that each of them plays:
A Shared Responsibility: An overt and continual message from airport management that cybersecurity is important and that it is the responsibility of all employees, not just the IT department. Employees must be #cyberaware.
A Personal Impact: Letting employees know that cybersecurity issues can impact their own ability to perform their jobs, especially if the availability of systems or data is affected.
An Ongoing Process in Today’s Connected World: Emphasizing that cybersecurity doesn’t just begin and end on the airport campus. It must be pointed out that in the “mobile age,” cybersecurity begins with every mobile device, thumb drive, and wireless communication session, and all these scenarios have the potential of negatively impacting the airport’s IT infrastructure.
Once an airport creates a “culture of security,” it creates a multiplier effect, with everyone empowered to repel cyber threats from the outside. It may also reduce the inclination of an employee or contractor to perform a malicious or careless act, because they know they have a greater chance of getting caught.