Volume 93 | Tuesday, April 23, 2023


Corporate and Aviation Cybersecurity 

Welcome back to Jump Seat; we are glad you’re reading! This installment is the second of two articles about cybersecurity. The first, Cybersecurity on a Personal Level, covered useful measures you can take to protect your personal accounts, data, and identity. This time, we’ll cover some of the additional concerns that may apply to corporations and their flight departments. We’re not trying to highlight any present or future ARINCDirect security approaches; rather, we’re surveying the range of steps that companies may need to implement.  


Full disclosure: The first cybersecurity article was partially researched and written using ChatGPT. This article was NOT! 

Why companies worry more / worry differently: There are many reasons why corporations need to beef up cybersecurity, and these include some of the personal cybersecurity best practices from our recent article, but generally go far “above and beyond.” Corporations have different assets to protect, just as important to them as your financial assets and identity are to you: 


  • There are typically larger amounts of money at stake for corporations than individuals. 
  • There are additional high-dollar physical assets to protect. This especially includes aircraft, which are difficult to secure because they are “portable.” 
  • Personnel flying on corporate aircraft are often high-value targets from a personal security perspective. 
  • Reputation and “goodwill” are valuable enough that they can appear on corporate balance sheets, and cybersecurity incidents will undermine them. 
  • Trade secrets are valuable so long as they’re SECRETS. Corporate espionage is an ongoing concern. 
  • The cost of cybersecurity insurance has gone up significantly in recent years, as the frequency and magnitude of attacks increased. The best way to keep that insurance cost down is to aggressively manage your systems and processes following corporate best practices.
  • Some companies with military contracts have additional worries about nation-state espionage that can impact national security.  


Attack vectors of corporate concern: Many of the same attacks that concern individuals apply just as much to corporations; the scale, however, is much larger. Corporate information is necessarily exposed to hundreds, even thousands, of individuals in the normal conduct of their jobs, and that information must be protected. Some of the vectors that are mainly of corporate concern are: 


  • Ransomware. These attacks may disable business systems, causing significant expense and reduced revenue. Governments and municipalities are frequently targeted because their protections are not as stringent. That is changing, however, as the cost of phishing attacks becomes more widely understood. 
  • Phishing. This vector usually takes the form of a cleverly crafted email or text message to a wide audience with an attractive link that facilitates other attacks. A subset is called spear-phishing, where the message is sent only to a few carefully selected individuals, with more attention paid to making it look legitimate. 
  • Network intrusions. This is “traditional hacking” and exploits known and unpatched vulnerabilities (sometimes found via phishing attacks) to gain administrative access to internal systems. 
  • Personal data exfiltration. Corporations store a lot of personally identifiable information for their employees and customers, and this is often targeted for theft because it’s so useful for identity theft. 
  • Corporate data exfiltration. With the wide geographical footprint of many companies, online storage of financial, product, and technical data exposes it to online attacks. 
  • Denials of service. These exploit existing and necessary connections from the outside world (such as websites) to reduce or eliminate responsiveness of services. 

 

Typical corporate threat mitigations: From the many possible mitigations that corporations deploy, here are some of the typical ones: 


  • Requiring multi-factor authentication for sensitive online assets. This usually takes the form of a password request followed by invoking a hardware device or phone app that requires a response as the second factor. 
  • Defending against phishing and spear-phishing. This often takes the form of “wrappers” around URLs in emails to allow them to be checked via a third party before sending the user to the real URL. 
  • Implementing session timeouts. This helps close the vulnerability in which a lost or stolen device is used to connect to corporate assets.
  • Detecting intrusion and exfiltration. Companies will often deploy systems that monitor inbound network traffic for intrusion attempts and outbound traffic for content or usage that looks like illicit data transfers. 
  • Virtual Private Networks. These are referred to as VPNs, and they ensure that any communications to corporate resources are fully encrypted and have appropriate levels of access security. 
  • Education, education, and more education. Some companies go so far as to send fake messages to internal users to see if they’re paying attention to the signs of a phishing message. 

Did you know?

  • Gartner Group recently noted that “human error” and “social engineering” are responsible for half of all successful cyber-attacks! 


Thank you for reading!
