Turbulence ahead: The importance of keeping cyber on your radar

When we think about urgent tasks in the aviation sector, a discussion about culture is probably not making the agenda at most airlines right now. Somewhat justifiably, that conversation is losing out to pressing concerns relating to the pandemic, rising fuel costs, and ongoing airport delays. In this crisis-driven environment, it is tempting to put corporate culture down as something to address when senior leadership “get a moment”.

That is a total cop-out.

Much of the economy is now learning the tough lessons that the aviation industry has been grappling with for decades as workplaces evolve, with many ceasing to be “places” at all. When organisations are actively considering culture, it is generally a debate dominated by how many days employees should be based in the office, and what perks organisations will help retain workers in a tightening labour market. Far too often, the discussion about cyber culture is absent.

Historically, this silence was perhaps understandable; the risk of a business-disrupting incident was low, cyber risks were vague, and the IT department was forever dealing with the jammed printer that never worked and crashing equipment preventing planes from pushing back on time.

In short: the risk was low and poorly defined, and the team responsible for leading the response was inadequately resourced.

But times, in 2022, they are a-changing.

The risk of private sector-targeted cyber crime is large and growing. According to CyberCX, Australia and New Zealand’s largest cyber security company, cyber crime targeting Australian business has skyrocketed, with a cyber crime reported to the Australian Cyber Security Centre every eight minutes.

And airlines are not immune.

VIEW ALL

Carriers and their supply chains are under increasing pressure from these same cyber criminals. Let us not forget the scenes at Bristol Airport in 2018 when ground staff had to deploy whiteboards to issue flight updates during a ransomware attack; or the suspension of SunWing Airlines flights earlier in 2022 when hackers compromised their check-in infrastructure.

The legalities associated with cyber risks and expectations of management are also more clearly defined now than ever before. In May 2022, the Federal Court found an Australian firm breached its licence obligations by failing to adequately manage its cyber security risks. While this case pertained specifically to a financial services firm, the message for all boards and senior leaders is clear: managing cyber risks is now core business.

Which means that under-resourcing your IT and cyber security teams and failing to establish and invest in a proactive cyber culture now represents real fiduciary risk to your board, in addition to the financial and reputation damage that a cyber incident could inflict.

This is to say nothing of the catastrophic implications of a mid-flight cyber compromise.

As always, the most powerful tool available to corporate leaders when building culture is knowing what questions to ask at the outset.

We would urge you to consider:

• Whether cyber security features prominently in your organisation’s strategic plan?
• How and when board and senior leader renumeration is affected by cyber culture development and incident reporting?
• Whether cyber security features regularly in communications, board reports, project plans, recognition and reward programs, partnership agreements, employment contracts, and performance reviews?
• Whether cyber incidents and cyber near misses are communicated and used as learning experiences?

But how to establish a cyber culture that employees participate in?

We need to start with your people.

According to a 2022 Security Cultures report by Tessian, 30 per cent of employees do not think that they personally play a role in maintaining their company’s cyber security, and 45 per cent would not know who to report a security incident to if they had witnessed or been subject to one.

But there is good news.

No one is expected to do this alone – and in fact, working with external experts to reset your organisation’s relationship with cyber may be the circuit breaker your teams need. The same Tessian report found that only 33 per cent of employees surveyed were satisfied with their IT and security department’s communications.

The Cyber Capability, Education and Training (CCET) team at CyberCX specialises in developing and maintaining cyber security cultures by working with organisations, from senior leadership, through to your back office and front-line, customer-facing staff.

There is no “one size fits all” option here. Companies are all different. So are their people. And so are the puzzle of cutting-edge-alongside-legacy-systems that make everything go ‘round.

The CyberCX CCET team brings together experts from cyber security, organisational development, higher education, and game design to create unique and fit-for-purpose solutions. These solutions are based on your real business needs, analysing behaviours, capacity, and overall capability requirements to develop the cyber resilient organisation we all aspire to operate.

As an industry, we can and should work together to ensure that aviation’s “safety first” mantra applies to the cyber realm. It’s the right thing to do for your businesses, your employees, and the millions of Australians and Australian businesses who rely on aviation to keep the country and economy moving.

Murray Goldschmidt is the executive director, cyber capability, education and training at CyberCX.