Written by Marisa Garcia – Flightchic.com
SITA’s new ‘Cybersecurity Spend and Challenges’ report shows that the air transport industry plans to increase cybersecurity budgets and spending, with a greater focus on detection and prevention.
Over the past few years, the principal driver of security investment has been regulatory compliance and data privacy regulation; 73% of respondents to the SITA IT survey ranked these among their highest priorities.
Airports dedicated 12% of their IT budgets to cybersecurity during 2018, while airlines dedicated 9%. For both, this represents a 2% increase in budget allocation for cybersecurity compared to 2017.
“The importance of cybersecurity is well recognized and airlines and airports are investing in building a solid security foundation,” Barbara Dalibard, CEO, SITA said. “However, the number of cyberthreats continues to grow exponentially every year, as does the sophistication of those threats. Given the complexity and integrated nature of the air transport industry, we need to move far quicker in establishing proactive defenses to ensure we stay ahead of the game.”
Nearly half (44%) of all companies surveyed have a formal Information Security Strategy in place and nearly all organizations surveyed will have a strategy in place by 2021.
Resource Challenges
Aviation companies have recognized the critical role that cybersecurity plays in service continuity and corporate well-being and most have assigned high-ranking executives to oversee this area.
- 66% of aviation companies surveyed have a C-Level position dedicated to cybersecurity.
- 31% have a dedicated Chief Information Security Officer
- 22% have assigned cybersecurity to the Chief Information Officer
- 13% have assigned cybersecurity to another C-Level executive
Even so, aviation companies face a number of challenges to implementing advanced cybersecurity protections, including a lack of resources, budget and skills.
- 78% of those surveyed said they have limited resources
- 70% said they have limited budget
- 56% said they have limitations for staff training
- 51% reported limited visibility of network and IT assets
- 49% reported challenges with data protection
- 47% reported trouble with staff recruiting and retention
- 46% reported challenges with cloud usage, both sanctioned and unsanctioned
Aviation companies also see raising employee awareness as the most important factor in cyber defense.
- 76% of companies are investing in employee awareness and training related to cybersecurity.
Security Foundations
Aviation companies have made advancements on foundational factors of cybersecurity including assessment, detection, and response.
- 40% currently maintain an inventory of critical business processes and 60% have plans to do so by 2021
- 73% currently maintain an inventory of critical infrastructure/applications and 27% plan to do so by 2021
There are still some gaps in detection, however, with 21% of companies having no plans to develop a Security Operations Center (SOC).
- 33% of companies surveyed have currently implemented an SOC
- 46% have plans to implement an SOC by 2021
In terms of threat response, only 9% of survey participants said they had not yet planned to define a Cybersecurity incident process.
- 61% have a Cybersecurity incident process currently in place.
Top Priorities for Cybersecurity
The top concerns driving cybersecurity efforts by aviation companies are continuity of operations, financial loss or loss of customer data, and potential regulatory fines.
- 67% of airports ranked preventing disrupted operations as the top priority of cybersecurity and 47% of airlines did so.
- 18% of airlines saw preventing loss of customer data as the top priority of cybersecurity and 6% of airports saw financial loss as the top priority of cybersecurity
- 58% of airports rank financial loss as one of the top three priorities for cybersecurity
- 78% of airlines rank loss of customer data as one of the top three priorities for cybersecurity.
Loyalty Breach
While continuity of safe operations must be the top priority for aviation, recent incidents of attacks on loyalty programs in the travel sector would suggest that this vulnerability requires more attention from airlines.
Despite the headline-grabbing data breaches at British Airways and Cathay Pacific this year, no airline has yet been struck by an attack on the level of the recent Marriott Starwood hack which exposed 500 million customers. But this attack should concern all airlines and especially those with loyalty programs.
Detection and prevention of attacks are critical, but the British Airways and Cathay Pacific breaches also highlight the importance of having a response plan for when things go wrong. Lack of transparency or delays in notifying customers can dilute brand value and also expose airlines to serious penalties and government scrutiny.
Additionally, many airlines still rely on their loyalty programs as a strong revenue engine. According to the most recent Ideaworks and CarTrawler ancillary revenue report, while airlines have effectively boosted ancillary revenue from A La Carte products and Services, frequent flyer and commission based ancillaries still accounted for $11 billion in revenue during 2017 for traditional global network airlines, which represents nearly 30% of total ancillary revenue ($36.8 billion). For major U.S. airlines, loyalty programs account for $15.6 billion in revenue during 2017, or 58% of all ancillary revenue ($26.9 billion).
Adopting technology innovations to boost ancillary sales should go hand-in-hand with protecting that ancillary revenue by ensuring the security of the data entrusted to airlines by their customers.
Cybersecurity Starts At Home
SITA finds that many air transport companies recognize the importance of protecting from serious outside threats, including ransomware, phishing attacks, and advanced persistent threats. But SITA says that only 10% of companies identify internal threats as a concern.
“This area will receive more attention in thefuture, as analysts report over a quarter of attacks involving insiders,” SITAstates in the Cybersecurity report. “‘Shadow IT’ — ranked lower in priority(7%) today — will need to be watched closer in the future. Shadow IT, inparticular the adoption of 3rd party cloud solutions by employees, is a trendobserved in other industries. It can bring productivity gains but alsointroduces additional vulnerabilities that need to be carefully managed.”
