Minimise risk by securing data with better controls
Keeping data and comms secure is crucial to all airports, so we’ve compiled some essential points to consider in ensuring you’re secure
Keeping data and communications secure is crucial to all airports. No matter the size, threats posed by cyber criminals can cause severe turbulence in their day-to-day operations – not to mention damage to their reputation.
These days, cyber criminals are finding increasingly innovative and sophisticated ways to compromise systems and steal data, which is why airports must take a proactive approach to minimising risk. As damaging as data breaches can be to a business, things will only get harder if you maintain a reactive approach to data security.
Why securing data and comms is essential
In May 2018, the new Europe-wide General Data Protection Regulation (GDPR) came into force, requiring businesses to step up their data protection and amend their existing security policies. The introduction of GDPR represented a significant shift in data security standards, with rules differing from the pre-existing Data Protection Act 1998.
GDPR affects all organisations within the EU and any organisations outside the EU that collect or process personal information on EU citizens. The regulation intends to help protect the rights of individual consumers. Known as ‘data subjects,’ consumers now have clearly defined rights regarding the data companies hold on them, how they can use it, and when to delete it.
As most airports likely offer services to customers and other businesses in the EU, it ultimately means they need a GDPR compliance strategy. Part of this involves minimising risk by securing data and comms with better controls.
What happens if organisations have a security breach?
You needn’t look far to see the consequences businesses face when they fail to protect their data and communications. In recent years, several airlines, including British Airways and EasyJet, have faced data breaches that have damaged their reputation and had financial implications for their failure to keep customers’ data secure.
In 2018, British Airways suffered a massive data breach, which saw cyber criminals stealing the data of more than 400,000 customers, including credit card details. Following a full investigation, the Information Commissioner’s Office (ICO) fined British Airways (BA) £20 million for failing to protect its customers’ personal and financial details.
In 2020, EasyJet faced a similar mass cyber-attack, with reports claiming the personal data of over nine million customers had been accessed and stolen by hackers. While the ICO is currently investigating the data breach, a substantial fine is likely, judging by what happened to British Airways.
Both airlines have also faced numerous compensation claims, with law firm PGMBM representing the customers of each. The law firm is currently seeking a ‘Group Litigation Order’ against EasyJet, which will combine the claims of customers that opt in to join the action.
But it’s not just about the financial fallout of a cyber breach. The damage to a company’s reputation is the biggest blow of all. According to a recent study by identity firm Okta and YouGov, 39 per cent of Brits say they have lost trust in a company due to a data breach or misuse, and this figure is even higher in Australia (40 per cent) and the US (56 per cent). Interestingly, the younger generation is even less tolerant of data breaches, with 63 per cent of respondents aged 18-24 admitting to permanently stopping using a firm’s services if they have experienced a data breach.
So what can you do to minimise the risk and secure your data and comms?
To minimise the risk of damaging your airport’s reputation (and receiving an unwelcome fine from the ICO), you need to consider how you can step up your data and communications security. It affects everything from your day-to-day operations to the people you employ and the vendors you work with. Here are a few essential pointers to consider:
1. Develop a security strategy
No matter how small or large your airport is, you need to develop an IT security strategy that details what type of data you store, where it is stored and how it is stored. Your strategy should not only detail how you protect data, but the actions you’ll take should anything go wrong.
Before forming your strategy, carry out a thorough risk assessment to fully understand the potential risks and address them.
2. Encryption is key
Hackers may breach your defences, slip past your firewall or trick one of your employees into clicking a phishing email, but if they cannot read your data they cannot sell or misuse it, which is why encryption is so important. One caveat: encryption only helps if the attacker does not also obtain the key, or a logged-in session that decrypts the data on their behalf, so key management and access control matter as much as the algorithm.
We’ll go into more detail about encryption later, but encryption is crucial when it comes to securing your airport’s data and communications. Whether it’s communications among colleagues or customers, they should all be encrypted as standard operating procedure.
3. Invest in training
You can have the best controls in place to secure your data and comms, but if your team doesn’t understand the software, systems or tools they’re using, it will leave your airport exposed to threats.
Remember, most of your employees aren’t tech experts, so they need training and ongoing support to achieve compliance. Make sure they know what is required of them when it comes to data security. In particular, they need to understand how they can use their technology and your business systems in a way that doesn’t leave them and your business as a whole vulnerable to security threats.
4. Monitor compliance
Are your security controls working? Are your employees following your security best practices and adhering to your policies? You won’t know unless you are monitoring compliance. Create a team dedicated to monitoring your data security and enforcing policies.
Understanding the type of data you store: PII vs Non PII
A key part of developing a sound data and comms security strategy is identifying the type of customer data you store. Data is categorised as either PII (Personally Identifiable Information) or non PII. GDPR itself uses the broader term ‘personal data’, but the distinction below still applies.
Broadly speaking, PII refers to any data you can use to identify, locate or contact an individual, either alone or when linked with another piece of identifying personal information. Some examples of PII include:
- Email address
- Telephone number
- Social security number (in the UK, the National Insurance number)
- Passport number
- Driving license number
- Bank account details
- Credit / Debit card details
- Personal characteristics, e.g. photo, fingerprints, handwriting or other biometric data
The EU’s GDPR also treats online identifiers such as cookie IDs and IP addresses as personal data, because they are unique, trackable IDs that enable websites to recognise individual users and remember their preferences and settings.
Businesses use PII data for a wide range of purposes, but let’s focus on the context of airport marketing. In this context, airport marketers collect PII data to build richer profiles of individual customers and create increasingly personalised marketing campaigns and offers. While this can benefit both the airport and the customer, the airport must have a lawful basis for collecting PII data for marketing purposes (for direct marketing this is usually the customer’s consent) and must store it securely.
As well as PII data, companies also collect and store non PII data. As the name suggests, this data is considered ‘anonymous’ because no single item can identify or trace an individual on its own. Be cautious with that word, though: taken together, device type, browser, language, time zone and screen size form a browser fingerprint that can single out one visitor among millions, at which point the combination is personal data under GDPR. Some examples of non PII data include:
- Device type
- Browser type
- Language preference
- Time zone
- Screen size
- Statistics on the use of a product/service
In terms of airport marketing, non PII data is collected to track and understand customer behaviour to improve customers’ online experience and engagement.
Where is data stored?
As well as understanding the type of data you collect, it’s wise to understand where it is stored. There are several ways businesses store data, with common examples including:
Databases
Databases are common components of any online application, whether it’s an ecommerce store, a banking system or a chat application. They are used to store everything from user information and financial transaction data to communication logs. If you are looking to build a modern, secure, scalable application, some form of database will be required.
Data warehouses and data lakes
Both data warehouses and data lakes support storing and processing of terabytes of data from multiple sources in multiple formats securely.
A data warehouse is essentially a giant database optimised for analytics. Businesses use data warehouses to store highly structured information from various sources. Typically, a data warehouse might store current and historical data from multiple systems. Using a data warehouse aims to bring disparate data sources together, so companies can analyse the data, look for insights, and create valuable Business Intelligence like reports and dashboards. Thanks to their highly structured nature, analysing the data from a data warehouse is relatively straightforward for business analysts.
Data lakes store structured, semi-structured and unstructured data. Unlike data warehouses, they support the ability to store raw data from various sources without the need to process or transform it at one time. Data lakes also support machine learning and predictive analytics.
Data lakes are often considered less user-friendly for business users as they don’t offer the same reporting capabilities as other alternatives. However, storing data in a data lake is much cheaper than a data warehouse and provides greater flexibility.
Object storage
Object storage is a technology that treats data as objects and goes hand in hand with cloud storage. All data is stored in one large repository, which may be shared and distributed across multiple physical storage devices instead of being divided into complex hierarchical files or folders.
As more businesses move to the cloud, many use object storage to manage unstructured data, which analysts estimate will represent 80% of all data worldwide by 2025. This includes web-generated content such as emails, videos and social media.
With object storage, each piece of data is stored with metadata or descriptive information associated with it. This is useful for businesses in terms of data retention, deletion and routing or validating content authenticity. Organisations can also customise the metadata with additional context that they can later use to perform business insights and analytics around customer service or marketing.
How is data stored?
So you know the type of data you hold and where it is stored. Next, you need to understand how your data is stored, which brings us to the controls that you can implement to protect it and minimise the risk of breaches.
Stored data is also known as ‘data at rest’.
Data at rest is not actively moving from one device to another or from network to network. For example, it could be data stored on a hard drive, laptop, or in a database or data lake.
Data protection at rest secures static data. While it is sometimes considered less vulnerable than data in transit (more on that in a moment), attackers often perceive data at rest as a more valuable target. It is, therefore, essential that you minimise risk by having the controls in place to keep your data at rest secure.
Encryption of data at rest
One of the main ways airports can protect data at rest is by encrypting sensitive files or records before storing them. The Advanced Encryption Standard (AES) is the most widely used algorithm for this purpose and is a sound choice for data at rest; use it in an authenticated mode such as AES-GCM, so that any tampering with the stored ciphertext is detected on decryption, and keep the keys in a separate system (a key management service or hardware security module) rather than alongside the data they protect. Alternatively, they can choose to encrypt the storage drive itself, which protects against a lost or stolen disk but not against an attacker who can log in to the running system.
As stated by the ICO, ‘Encryption is a mathematical function that encodes data so that only authorised users can access it.’ The two main types of encryption used today are symmetric and asymmetric encryption.
Symmetric encryption means the same key is used for encryption and decryption, so the key itself has to be shared and stored securely; anyone who obtains it can read everything it protects. Asymmetric encryption uses a key pair: data encrypted with the public key can only be decrypted with the matching private key, so the public key can be handed out freely while the private key stays locked away. In practice the two are combined, with a symmetric key protecting the bulk data and an asymmetric key protecting that symmetric key.
Encryption ensures that your data and comms are not readable, even if someone outside your company obtains a copy. The data is scrambled so that it can only be deciphered with the correct key; a password may be used to derive or unlock that key, but the password is not the key itself. Encrypting stored and shared data is standard for most CRM and ecommerce platforms, but it is always worth asking exactly what is encrypted, and who holds the keys, before you sign up with a new provider.
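The combination described above, a per-record AES-256-GCM key wrapped under an RSA public key, is what cloud providers call envelope encryption. The following is an added example written for this article, not Rezcomm’s code or any particular platform’s implementation. The record, the booking identifier used as associated data, and the in-process RSA key pair are all constructed for the demonstration; in a real deployment the private key would sit in a key management service or HSM (an assumption noted in the comments), and only the public key would be available to the service writing data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyLabel is the OAEP label; wrap and unwrap must use the same value.
var keyLabel = []byte("record-data-key")

// Envelope is the unit written to storage. Nothing in it reveals the data key
// or the plaintext: the data key is present only in RSA-wrapped form.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-OAEP (asymmetric)
	Nonce      []byte // 12-byte GCM nonce, fresh random value per Seal call
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

// Seal encrypts one record. aad is authenticated but not encrypted; binding the
// record identifier here means a ciphertext copied onto another record fails to open.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // AES-256, one key per record (symmetric part)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, aad)
	// Only the public key is needed here, so the service that writes data never
	// holds the private key; assumption: in production that key lives in a KMS/HSM.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, keyLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal. Any change to the ciphertext, nonce or aad, or use of the
// wrong private key, is reported as an error rather than returning garbage.
func Open(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, keyLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("record failed authentication: tampered ciphertext or mismatched aad")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed key pair and record for the demonstration; not real passenger data.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	aad := []byte("booking:EX1234")
	record := []byte(`{"name":"A. Example","passport":"000000000"}`)

	env, err := Seal(&priv.PublicKey, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d bytes ciphertext, %d bytes wrapped key\n", len(env.Ciphertext), len(env.WrappedKey))

	plain, err := Open(priv, env, aad)
	fmt.Printf("open with correct key and booking id: %q err=%v\n", plain, err)

	_, err = Open(priv, env, []byte("booking:OTHER"))
	fmt.Println("open under another booking id:", err)

	env.Ciphertext[len(env.Ciphertext)/2] ^= 0x01 // one flipped bit in storage
	_, err = Open(priv, env, aad)
	fmt.Println("open after one bit changed:", err)
}
```

Two design points are worth noting. The GCM nonce must never repeat under the same key, which is why a fresh key per record plus a random nonce is used rather than a single long-lived key; and the associated data ties each ciphertext to its record, so an attacker with write access to the database cannot swap one customer’s encrypted details onto another booking without the decryption failing.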
How is data transmitted?
Data in transit, or motion, is actively moving from one location to another, for example, across the internet or through a private network. Either way, your data must be protected when it’s travelling from network to network or from a local storage device to the cloud. Data in transit is often considered less secure and easier to intercept.
Encryption of data in transit
To protect sensitive data in transit, businesses encrypt it before it leaves the sending system. These days most online transactions run over HTTPS by default to protect the contents of the data whilst in transit. HTTPS is the secure version of HTTP and uses TLS to encrypt data.
What is TLS?
Transport Layer Security encrypts data sent over the internet and prevents hackers from being able to see what you are transmitting. TLS is particularly useful for private and sensitive information like passwords, credit card numbers and personal communications.
TLS is defined as a ‘cryptographic protocol that provides end-to-end security of data sent between applications over the internet’ such as:
- Web browsing
- File transfers
- Video / audio conferencing
- Instant messaging
- Internet services such as DNS and NTP
It’s important to note that TLS does not secure data on end systems but instead ensures the safe delivery of data over the Internet to prevent external parties from eavesdropping or manipulating the content.
Why is TLS important?
Without TLS encryption, data in transit, including logins, credit card details and personal details, can easily be viewed and stolen by others. In addition, people’s browsing habits, email communications, online chats and conference calls can be intercepted and monitored.
While up to date versions of most major web browsers support TLS, it’s not mandatory for email and other comms applications and can be difficult for users to see if their connection is encrypted. With this in mind, we highly recommend quizzing your application and service providers about TLS encryption before signing up to use them. Put data security first for total peace of mind.
What is HTTPS?
HTTPS stands for HyperText Transfer Protocol Secure and is a protocol for securing the communication between two systems, such as a browser and a web server. It establishes an encrypted link between the browser and the web server using the TLS (Transport Layer Security) protocol. Unlike HTTP, which transfers data as plain, readable text, HTTPS transfers data in an encrypted form, preventing hackers from reading or modifying it during transfer, and the server’s certificate lets the browser check that it is talking to the genuine site rather than an impostor.
Why is HTTPS important?
HTTPS is crucial to airport ecommerce websites as it protects the privacy and security of their users, preventing hackers from listening in on communications between the browser and server. If an attacker does intercept the traffic, all they obtain is ciphertext they cannot read or alter without detection. Note that HTTPS protects the connection only: once the data arrives at the server it is in the clear again, which is why the at-rest controls described above still matter.
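The text notes that it is hard for a user to tell by eye whether a connection is properly encrypted. The following added example (written for this article, not taken from Rezcomm or any vendor) makes that check programmatically against an in-process HTTPS server: it reports the TLS version actually negotiated, shows that a client which does not trust the server’s CA is refused, shows the weak setting (`InsecureSkipVerify`) that silently accepts any certificate, and shows the server’s TLS 1.2 floor rejecting a TLS 1.0-only client. The server, its self-signed certificate (generated by Go’s httptest package) and the loopback URL are all constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newSecureServer starts an in-process HTTPS server on a loopback port with a
// self-signed certificate generated by httptest, and refuses anything below TLS 1.2.
func newSecureServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "booking data")
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// trustedConfig is the corrected client setting: verify the server certificate
// against the CA we expect. For the test server that CA is its own certificate.
func trustedConfig(srv *httptest.Server) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

func clientWith(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetch performs one GET and reports the TLS version that was actually negotiated.
func fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	if resp.TLS == nil {
		return "", errors.New("connection was not encrypted")
	}
	return versionName(resp.TLS.Version), nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS13:
		return "TLS 1.3"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS10:
		return "TLS 1.0"
	}
	return fmt.Sprintf("unknown (0x%04x)", v)
}

func main() {
	srv := newSecureServer()
	defer srv.Close()

	v, err := fetch(clientWith(trustedConfig(srv)), srv.URL)
	fmt.Printf("verified client:           version=%s err=%v\n", v, err)

	// The default trust store does not contain the test CA, so verification fails.
	_, err = fetch(clientWith(&tls.Config{}), srv.URL)
	fmt.Println("client with unknown CA:    err =", err)

	// The weak setting: still encrypted, but any impostor with any certificate is accepted.
	v, err = fetch(clientWith(&tls.Config{InsecureSkipVerify: true}), srv.URL)
	fmt.Printf("InsecureSkipVerify client: version=%s err=%v (encrypted, not authenticated)\n", v, err)

	// A legacy client that only speaks TLS 1.0 is refused by the server's floor.
	legacy := trustedConfig(srv)
	legacy.MinVersion, legacy.MaxVersion = tls.VersionTLS10, tls.VersionTLS10
	_, err = fetch(clientWith(legacy), srv.URL)
	fmt.Println("TLS 1.0-only client:       err =", err)
}
```

The `InsecureSkipVerify` case is the one to watch for in vendor integrations and internal tooling: the traffic is encrypted, so a packet capture looks fine, yet anyone who can sit between client and server can present their own certificate and read everything. Asking a provider which TLS versions they accept and whether their clients verify certificates is a more useful question than simply ‘do you use TLS?’.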
Data security questions to ask a new vendor
Whether you’re investing in a new ecommerce platform, CRM or any other data-storing application for your airport business, it’s important to ask the provider about their data and comms security. Find out:
- What is the company’s approach to security?
- What measures do they have in place?
- Where is your data stored?
- How is it secured?
- What is their approach to data protection?
- Are they GDPR compliant?
- What do they do with your customers’ data?
- Are their disclosures clear and transparent?
- What encryption software do they use? Make sure it meets current standards such as FIPS 140-2 / FIPS 140-3 (validation of cryptographic modules) and FIPS 197 (the AES specification), and ask who holds the encryption keys.
- Which TLS versions do they accept? TLS 1.0 and 1.1 are deprecated and should be disabled.
- How quickly will they tell you about a breach? Under GDPR you must notify the ICO within 72 hours of becoming aware of a reportable breach, so the contract needs a vendor notification deadline short enough for you to meet that.
Rezcomm’s approach to securing data and comms
Our Plug-and-Play Airport Marketplace captures and stores a lot of customer data, so you might be interested in the controls we have in place.
First things first, we protect both PII and Non PII data – this means that whatever data and communications are stored, whether they are considered identifiable and trackable or not, are fully secure.
Data is always stored encrypted at rest, so unauthorised users cannot read or manipulate it.
Data is transmitted using HTTPS and TLS protocols to ensure it remains encrypted and secure.
In addition, we ensure PII data is decoupled from non PII data to allow for better security segregation. This process prevents PII data from being duplicated and replicated, and it also dramatically reduces the points of data leaks.
Finally, Rezcomm uses encrypted cloud databases purpose-built for the various processes involved, to help secure communications and data.
Are you interested in finding out more? Get in touch to learn more about how Rezcomm can help keep your data secure, our approach and the processes we have in place.