I had the opportunity to reflect on Air Canada's data breach last week with Alister Campbell, the Chair of BOXX Insurance's Advisory Board. The conversation turned to the risk management practices we, and cyber risk managers, can learn from airlines.
Air Canada has joined the growing list of global airlines that have been victims of a data breach:
Delta Airlines announced earlier this year that customer data was stolen after a security incident at one of its third-party customer support service vendors.
Virgin Airlines admitted last year that a hacker had broken into its internal network, prompting the company to force-reset staff passwords.
While the airline industry may need to do some catching up to better protect their passengers’ data, it continues to improve its record on flying customers safely across the globe. Last year was the safest year yet for air travel, with zero fatal passenger airline accidents involving jets worldwide (Wall Street Journal). In fact, the number of airline accidents has been in broad decline for more than a decade, despite constant increases in passenger volumes. While the fallout from cyber attacks is generally not as dramatic as the often fatal consequences of poor airline safety, it is actually quite useful to see how the lessons of constantly improving airline safety can be applied to developing new best practices for protecting consumers and corporations from cyber incidents.
What are the lessons from airlines for businesses and their cyber risk managers?
Learning from each incident is the industry’s autopilot response. One lesson cyber security professionals should master is the airline industry's conception of, and approach to, learning from each event. Airline safety is not seen as a competitive advantage, but as an essential and common goal. Today's airline safety measures exist as a result of in-depth analyses of past failures and an honest evaluation of risk. When tragic aircraft accidents occur, transparency and learning are the automatic response; the industry has institutionalized its review of what went wrong in order to minimize the chance of the same thing happening twice. Greater transparency in evolving best practices in cyber risk mitigation, risk management and effective remediation is in everyone’s interests. We all need to learn from each other’s mistakes.
An evolving partnership between government and the private sector can be beneficial
Passenger airline travel is now, arguably, one of the most tightly regulated industries in the world. Government oversight of aviation safety has changed dramatically in many parts of the globe, with carriers and enforcement authorities working together more closely than ever to reduce risks. Regulation is strengthened through private and public partnerships, and information and data are shared consistently between airlines and governments. This culture of self-reporting is being mirrored and enforced by new regulation across the cyber-world. The USA has led the way in data privacy regulation. California first led the way 15 years ago, and this year California lawmakers passed even tougher data privacy laws. Elements of this data privacy legislation are now being replicated around the world, from Europe through to Australia, Singapore, and Latin America. As of November 1, Canadian businesses can now expect to be named publicly if they breach the provisions in the Digital Privacy Act. While formal, evidence-driven procedures aren’t infallible, they do set a minimum compliance standard and can compensate for varying levels of operational delivery. Many risk managers and businesses see such regulation as an unwelcome intrusion, with fines and costly remediation requirements. But, as these regulations evolve, it will be important to develop preventative processes that help in the evolution of new best practices, akin to the experience demonstrated so well in the airline industry, and these ideas can only come from industry.
Measuring good behaviour
Limiting the analysis of airline safety to crashes alone would incorrectly narrow the airline industry’s appraisal of risk, so the industry also looks at the analytics from the millions of flights that operate safely every year. It is a mistake to just look at the handful of flights where something goes wrong. Understanding why one airline, pilot, or airport is safer while another is not is critical to assessing risk. Cyber risk management should also take a leaf out of this book. Verizon has estimated that c.80% of cyber risks are attributable to human error, i.e., most are avoidable with training and basic cyber hygiene. That is why BOXX Insurance’s cyber risk management product, Cyberboxx, helps policyholders stay ahead of cyber threats by monitoring a range of potential weaknesses and threats to their businesses using the power of predictive analytics and leading-edge threat intelligence, as well as insuring them against the potentially crippling consequences of a cyber breach. Alerts are sent to policyholders via a mobile app, with insights on how to close down the avenues of attack. We track their grade improvement on a daily basis, which allows us to reward the behaviours of clients who take a proactive, best-practice approach to fighting cyber attacks.
It goes without saying that the airline industry isn't perfect. No industry is. Accidents still happen. But it has taught us that every accident is an opportunity to make air travel safer. The airline industry may need to do some catching up in how it protects its passengers’ data, but its model has much to teach risk managers as we all work to develop more effective responses to the constantly evolving cyber threat.