Editor’s Note: This article series was originally penned by Dominic Nessi, AeroTech Partners Founder and Senior Technology Advisor for Burns Engineering. In part one of this series, Nessi elaborates on the first half of an alternative to traditional airport cybersecurity practices: a list of “top-down” steps. These steps can be more cost-effective for airport decision makers and engage the entire organization in ongoing cybersecurity efforts.
If you are an airport executive, you may be wondering what it takes for your organization to become completely cyber-secure. Well, the first thing to understand is that you can never be completely cyber-secure. And, even if you could figure out how to do it, it would be short-lived, as your airport’s technology environment changes daily at the same time that new vulnerabilities occur, and new threats emerge.
So now you may be wondering how you can effectively manage the continual investment your technology department is requesting and/or making in new cybersecurity tools. Fortunately, there are two different approaches that you can take to address the pressing issue of managing and implementing comprehensive cybersecurity in airports.
The traditional approach many airport decision makers choose is to “attack the middle”: invest heavily in IT resources and rely largely on them to fix the issue. This can cost a great deal of money and time, with no measuring stick for how effective the expenditure has been. Here’s an alternative, which I call the ‘top-down, bottom-up’ approach.
In this approach, you take nine steps ‘top-down’ and nine steps ‘bottom-up’, which are far more cost-effective. Many of them are IT best practices for any environment and should be followed by every modern organization that uses technology in the operation of its business.
Aptly named, the ‘top-down’ approach starts at the top: not with the head of the IT department, but at the airport director or chief executive level. Responsibility for cybersecurity in airports is shared by every department, and all departments have a stake in ensuring that cybersecurity priorities are achieved.
- Governance – Every single department, from human resources and risk management to accounting and security, is at risk from cyber crime, so the head of each has a stake in a successful cybersecurity program. Creating a cybersecurity governance committee is a simple, free way to get all of your key managers on the same page regarding cybersecurity.
- Education – Those on the governance committee likely won’t become cybersecurity experts, but they need to understand the threats that their own organization is facing and some of the general trends occurring in the cybersecurity world. To help with this education, the IT department should provide regular updates on organizational cybersecurity activities.
- Framework – Your organization can use existing cybersecurity frameworks as a benchmark for measuring its own cybersecurity activities, practices and status. The value of using an existing framework is that you can adopt the entire framework, just the elements that apply to your organization, or a more limited sub-set when you begin. It contains best practices that will help you take the necessary steps to improve your cybersecurity environment.
- Risk Management – One of the most important decisions the cybersecurity governance committee should consider is how to best conduct an objective, comprehensive risk assessment of all airport systems, its network environment, its organizational policies and procedures, and every other aspect of its operation that has a bearing on its cyber-safety. The typical risk assessment ranks potential threats and vulnerabilities to provide a clear, easy-to-understand risk picture.
- Reasonable Response – Once the risk assessment is completed and submitted to the cybersecurity governance committee, decisions need to be made about the highest rated risks. The actions taken by the committee usually amount to one of the following: 1) mitigate the risk by taking the necessary actions to reduce its impact; 2) avoid the risk by changing business practices so that the risk is no longer present; 3) accept the risk when the cost of addressing it outweighs the impact; or 4) transfer the risk by handing it to a third party who then becomes fully responsible for the process.
- Business Continuity and Disaster Recovery – This is a simple one for the cybersecurity governance committee. Executive management’s role in these two critical functions is support. The IT department must do the heavy lifting to ensure that, in the face of a cyber-attack, the business has a plan to recover quickly and continue to operate. Of course, the cybersecurity governance committee must also ensure that these plans exist and are routinely practiced.
- Data Governance Policy – Not all data is equal. The cybersecurity governance committee needs to ensure that all of the data in the organization is classified in a manner that prioritizes security for data of a sensitive or personal nature. The policy needs to specify how the data is stored, when it may be disposed of and the manner in which it is destroyed. It should also detail all of the proper uses of the information, both internal and external to the organization.
- Forensics Response – Every organization needs a policy that states what happens when a cybersecurity incident is suspected or verified. Internal administrative violations may involve human resources and public safety. Anything of a serious nature must immediately be referred to law enforcement. In either case, the most critical step is a detailed, step-by-step procedure for gathering and preserving crucial forensic evidence.
- Cyber Insurance – Simply put, consider whether or not you need cybersecurity insurance to protect your organization and to protect third-parties that may have been impacted by your cybersecurity incident.
Stay tuned for the second set of steps in this approach, which tackle cybersecurity best practices in airports from the bottom up.