Advancing UK Aerospace, Defence, Security & Space Solutions Worldwide
  • Home
  • /
  • Features
  • /
  • Are GDPR and cyber risks on airlines' radar?

Features

Are GDPR and cyber risks on airlines' radar?

Sjaak Schouteren, Partner, European Cyber Team and Paul Waring, Partner, Aviation Team, at JLT Specialty, consider airlines' preparedness for GDPR and cyber risks.

Above: (left to right) Sjaak Schouteren and Paul Waring.

It is no secret that airlines are businesses that run on very tight margins even during the good economic periods, let alone when conditions are more difficult.

That reality means that disruption, of any sort, on a large scale can have a massive knock on effect. This is particularly true when this involves technology, which is increasingly at the core of just about everything in the industry.

Advertisement
Marshall RT 2

Last year’s British Airways tech troubles – described by the company itself as a “major IT system failure” - resulted in more than 1,000 flight cancellations and 75,000 stranded passengers. It was no doubt a costly endeavour, given the fact Europe’s Flight Compensation Regulation 261/2004 gives passengers the right to claim compensation up to £532 (€600) if a flight has been delayed by at least three hours.

The stark reality is that airlines are facing even more turbulent skies in the future, with cyber storms bearing down on all fronts. However, rising levels of cyber incidents isn’t the only issue airlines currently have to deal with. The long shadow of the impending General Data Protection Regulation (GDPR) and the ever-present risk of human error all have the potential to bring airlines to their knees.

GDPR Ready
One of the most imminent issues for every industry, including airlines, is the launch of GDPR later this month on the 25th of May. It is the most sweeping data and privacy regulation in history.

Fundamentally, the airline business is perhaps one of the most truly international industries, given the simple reality of moving people, along with their data, from place to place around the globe. So in addition to GDPR, airlines have to contend with other data protection laws and privacy regimes across different legal jurisdictions, creating enormously complex challenges. The industry is coming to grips with the need to be keenly aware of what data is stored and where, in order to make sure they are fully compliant with any data protection regulations in the countries they service.

One central and unique pillar of how the industry works – the now ubiquitous codeshare agreement – adds even further complications. Allowing two or more airlines to publish and market the same flight under their own airline designator, codeshares mean that different airlines will necessarily hold data together, with obvious implications for data protection and risk management. If someone is on a flight with a codeshare agreement, their data may well be in the hands of an organisation that they are not necessarily dealing with directly.

Getting to grips with GDPR and wider data protection challenge is not necessarily an easy task, with the industry’s data coming from varied and sometimes unlikely sources. The airline and security office will hold key customer data in their booking system, while the social media team will likely have access to a whole trove of data on customers and potential customers. That kind of data will need to be looked at carefully and either stored correctly or destroyed, with GDPR in mind.

Cyber risks on the radar
Even as GDPR looms large, the risks of disruption from cyber incidents and exposure seems to grow exponentially by the day. Technology sits at the core of the airline industry, with all systems on a flight completely interlinked and the customer experience driven by mobile apps and online booking. The verdict is still out as to whether such technological dependence makes it easier or more difficult for hackers to penetrate and disrupt airlines systems, but the outcome can be disastrous regardless.

Looking at a scenario of a cyber incident on a European airline, the airline is required by law to notify any affected parties by both electronic and physical mail. Even just the simple cost of a postage stamp, when extrapolated to millions of customers, will reach into the hundreds of thousands of pounds of cost straight away. Add to that the reinstatement cost of the data that has been breached, and the potential liabilities can be eye watering.

Given a scenario of a system shutdown, on the other hand, can either be carried out by a malicious third party, or merely be the result of human error. The effect can be the same, as a customer turns up to an airport with boarding pass on their mobile phone but no way to check in for their flight (which may be unable to take off anyway). The potential negative effects from such incidents can be hard to estimate. While planes will eventually fly again, the reputational hit can lead to huge losses for the business.

Advertisement
Advanced Engineering RT

What can be done?
In order to face these myriad challenges head-on, airlines must start by carrying out a risk audit and thoroughly understand their cyber capabilities and vulnerabilities. They need to look at where the most exposed areas of the business are and where the metaphorical ‘crown jewels’ are stored. It is impossible to manage cyber risks if the key areas are unknown, and companies must be aware to be able to plan for the worst.

In addition, steps need to be taken to ensure that data security is at the heart of the business and strategic planning. The responsibility for and awareness of these issues must be shared throughout the company, whether that is marketing, HR, the legal department or the finance department. Leaving the onus solely on the Chief Information Security Officer (CISO) will not guarantee cyber safety. Quite the opposite, the issue must have the attention of everyone from the board to the rank-and-file, otherwise there will inevitably be weak links that can and will be exploited.

Even with the best data protection and cyber security measures in place, a breach will still be a possibility. Whether that comes from human error, system failure or the ever-evolving threat of hackers, the final piece of how airlines need to protect themselves and ensure the impact to the bottom line is minimised is, unsurprisingly, insurance. Adequate cover makes sure that no possibilities fall through cracks, increasing dramatically the likelihood of an airline surviving a catastrophic disruption. With such tight margins, speed of payment in the event of a breach is particularly critical. Where insurance was previously limited only to just cyber-attacks, it now includes system outages or even human failure. Such a broad range of cover is increasingly vital, as a cyber-attack is but one of many ways that the systems underpinning an airline can fail.

With the skies darkening, airlines need to be sure to adequately protect against the oncoming storm.

 

 

Advertisement
Advanced Navigation LB 1
The rise of low-carbon aircraft

Features

The rise of low-carbon aircraft

24 April 2024

Stephen Gifford, Chief Economist at the Faraday Institution, examines the potential of three technologies being developed for future low-carbon aviation.

Prioritising sovereign capability

Features

Prioritising sovereign capability

17 April 2024

Martin Rowse, Campaign Director, Airbus Defence and Space, looks at why reinforcing the UK's security requires the prioritisation of sovereign capability across the country's defence and space sectors.

Insider threats: the risks employees can pose

Features

Insider threats: the risks employees can pose

8 April 2024

With insider threats on the increase, Noah Price, G4S Academy International Director, explains the risks and threats employees can pose to your organisation and how to prevent them.

Securing environmental licensing and sustainable data for spaceport operations

Features

Securing environmental licensing and sustainable data for spaceport operations

2 April 2024

Ruth Fain, head of advisory for ITPEnergised, who has worked with SaxaVord Spaceport, launch operators, local authorities and the CAA on environmental consent for UK spaceflight activities, outlines recommendations for future-proofing ongoing data collection for space operator activities in the UK.

Advertisement
Advanced Engineering RT
Securing military connectivity in contested environments

Features

Securing military connectivity in contested environments

14 March 2024

Tristan Wood, founder of Livewire Digital, explores the power of hybrid networking and how it can underpin robust wide area networks across all arms and services, from land, sea and air.

Defining data-centric security in complex future warfare

Features

Defining data-centric security in complex future warfare

1 March 2024

John Dix, Land Communications, Thales, considers the role of data-centric security and evolving soldier systems integration, in complex future warfare.

Advertisement
Marshall RT