2018 – the year aviation and financial sectors flew into IT trouble
The airport industry is no stranger to the threat of cyber attacks, but 2018 saw some key aviation and financial services companies in the spotlight after IT glitches. Lev Lesokhin from software consultancy CAST reveals how companies can learn from the past and avoid making the headlines for the wrong reasons.
Come fly with me… or maybe not
The aviation sector probably suffered the most in 2017, most notably British Airways and Amadeus IT Group SA which experienced worldwide delays. The sector clearly didn’t learn its lessons this year. British Airways experienced a data breach and a global IT glitch, resulting in all flights at Heathrow and Gatwick being cancelled. Just a month prior to this, there was Eurocontrol’s air traffic control system failure, causing widespread flight delays and cancellations. In August and September, technical faults caused monitor failures at Gatwick and Heathrow respectively, which incited chaos at the London airports as staff had to rely on whiteboards and marker pens to share flight information. Winter began appropriately with an American Airlines computer glitch, which forced passengers to see a desk agent to retrieve their boarding passes.
Airline computers juggle multiple systems that must interact to control gates, reservations, ticketing and frequent fliers. Each of those pieces may have been written separately by different companies. Even if an airline has backup systems in place – which many do – the software running those can be susceptible to coding flaws. Tracking down a software flaw can be very difficult. It’s like investigating a crime; there is a lot of data to sift through to figure out what actually happened. Compounding the lack of structural oversight is an ageing workforce, with ever fewer people who know the systems being relied on. The departure of critical staff is a major issue as a lot of these older systems are not well documented.
The Black Box inside aviation IT systems
Underlying, and perhaps hidden, software complexity not only costs airlines billions of dollars when it fails but also exposes customers’ data to malicious activity. Software Intelligence – the deeper understanding that enables enterprises to upgrade their systems swiftly, safely and without disruption to customer services – reduces spurious findings flagged by traditional tools. It focuses efforts on the flaws that application security tools can’t catch: malicious code gaining forbidden access to data, lack of input validation and back doors. In short, Software Intelligence is needed to cut through the noise and find the biggest threats.
The more insight organisations have into their software, the quicker they can act on risk in their IT systems and produce trustworthy software that will stand strong as they modernise those systems. Only by doing so can anyone avoid making negative headlines in 2019.
The financial sector’s modernisation issues
The repercussions go beyond embarrassment and reputational damage. Perhaps the gravest example is TSB, whose data breach cost it 16,641 customers, £176 million and its CEO. So, what are the lessons to be learnt from this year’s biggest IT scandals?
Financial institutions are working hard to update their legacy technology to keep pace with fintech startups such as Monzo and Atom. However, as evidenced by TSB’s replatforming failure, this isn’t an easy job, and TSB is not alone in the struggle to modernise. According to the Financial Conduct Authority (FCA), IT failures at financial institutions have more than doubled in the last year, with UK financial firms reporting a 138 per cent increase in technology outages to the FCA in the past 12 months.
The financial services sector as a whole is underpinned by decades-old, legacy IT systems pulled together through various mergers. It is a very complex task for any bank to update and maintain their current IT infrastructure and the skills required to do this are on the wane. The complexity is leaving banks behind other sectors and some banks are nervous about touching old systems as they do not want to cause an outage. In addition, interfaces to modern apps and web front ends make these older systems even more complex for an individual architect to understand.
Researchers also found, after reviewing 278 million lines of code in 1,388 applications worldwide, that financial services institutions had the worst code, according to a benchmark called the Common Weakness Enumeration (CWE). Without a clear understanding of existing application security vulnerabilities, organisations are not addressing some of the biggest software risks that pose a threat to their business.
Carrying the burden of legacy technology, established brands often struggle to upgrade their software and to replatform without disrupting service. Aviva, SunTrust, London Stock Exchange and the Visa card payments system failure are among a long, ever-growing list of casualties. These incidents highlight the need for a deeper understanding of software structure and of how these mission-critical applications are designed, so that brands can avoid complications as they upgrade from old legacy systems to modern, digital platforms.
Software Intelligence is key – upgrading in the dark, without a solid understanding of what the underlying software architecture looks like, will continue to surface issues in software quality, security and robustness as modernisation efforts continue.
Banking on Software Intelligence
IT upgrades are very complex projects, and it’s admirable some banks are braving this to improve customer experience. However, banks should collect software intelligence about their systems and agree on a migration plan before acting. Management teams then have a fact base on which to plan and accelerate the production of reliable systems. Software development is a professional engineering discipline best performed on an orderly schedule to produce trustworthy applications.
If banks are able to not only test but also identify potential software issues through structural analysis, they will be able to complete digital transformation projects within budget and ahead of deadline. Testing on its own will not solve future IT outages as this may only address some of the faulty software. Often there is not enough time to adequately test because development takes longer than planned and, meanwhile, the roll-out deadlines don’t move. Luckily, there is technology out there already which provides software intelligence so businesses can quickly identify the risk they have in their IT systems.
Lev Lesokhin is Executive VP of Strategy and Analytics at Software Intelligence consultancy CAST. He has a passion for making customers successful, building the ecosystem, and advancing the state-of-the-art in business technology. Prior to working at CAST Lev was Director, Global SME Marketing at SAP. Prior to SAP, Lev was at the Corporate Executive Board as one of the leaders of the Applications Executive Council, where he worked with the heads of applications organisations at Fortune 1000 companies to identify best management practices. Lev also served three years as a consultant at McKinsey & Company, dealing with issues of business strategy, IT management, metrics and outsourcing. He began his career at the MITRE Corporation before moving to the private sector, where he spent several years as a developer and project manager, and has managed large client relationships for a systems integrator. Lev holds a B.S. in Electrical Engineering from Rensselaer Polytechnic Institute, and an MBA from the MIT Sloan School of Management.