Security Risks for Emirates Airline: Contingency Planning

Introduction

This paper is a contingency plan to manage information technology (IT) security risks for Emirates Airlines. The plan specifies key steps the organization could take to address such risks by specifying the policies and procedures that company employees should follow and what the airline’s management should do to maintain them. To demonstrate the merits of the contingency plan, this paper contains a hypothetical incident of an IT security breach at the airline, which will be mitigated by following the policies and procedures outlined in the plan.

The example would also include a timeline for responding to the incident and the period stipulated for undertaking recovery efforts. Lastly, this paper would outline the ethical concerns that are specific to Emirates Airline and provide an explanation of how to plan for them.

Before delving into this analysis, it is first important to address the basic segments of the contingency plan, which include the business impact analysis, incidence response plan, disaster recovery plan, and business continuity plan. These elements of analysis highlight why it is important for Emirates Airline to have the contingency plan in the first place. They also demonstrate the airline’s specific processes that would be affected by the occurrence of the IT security risks and the impact they would have on the organization.

Importance of the Contingency Plan

Many organizations today have realized that it is unrealistic to adopt a one-size-fit-all contingency plan for all types of companies (Schou & Hernandez, 2014). Therefore, a tailor-made risk management plan becomes essential to their processes because it provides a framework for addressing specific risks relating to their organizational operations. It is essential for Emirates Airline to have a contingency plan for its IT processes because most of its operations are automated.

For example, its booking and flight scheduling processes are technologically supported. Furthermore, the airline receives personal data and credit card information (from different customers), which are vulnerable to theft and sabotage. A widespread security risk would affect not only these types of data but also ground the airline’s operations.

A contingency plan would guarantee its business continuity by mitigating any catastrophic scenario that would affect the airline’s business operations. Indeed, as the Institute of Risk Management and Hopkin (2012) point out, different organizations need to plan how they would recover their key business functions in the event that something unexpected happens. The contingency plan outlined in this report has been developed through an evaluation of the company’s priorities and timescales, which were derived from assessing risks and associated data relating to Emirates key processes.

The cutthroat nature of the aviation industry and the changing customer preferences relating to flight management all play an important role in emphasizing the importance of having an effective contingency plan because the failure to do so could see the airline lose its market share and revenues in an elaborate impact assessment report described in the business impact analysis below.

Business Impact Analysis

A security breach of Emirate’s IT infrastructure could cause significant operational challenges for the company. The subsections below explain the potential impacts of such a risk.

Disruption of the Airline’s Activities

One direct cost of a security breach at Emirates Airline is the immediate disruption of the company’s services because, as mentioned in this report, most of the organization’s activities are automated. For example, passenger booking and reservation processes are vulnerable to such a risk. They could also lead to significant delays in airline scheduling and operational planning. Such an outcome may also lead to lost luggage and significant flight delays, which may ultimately cause flights to be canceled or passengers missing their flights (Andreasson, 2012).

Damage to Airline’s Reputation

An IT security breach at Emirates Airline could significantly dent the organization’s reputation. Customer inconveniences and lost time (stemming from flight mishaps or data confusion) could make customers think that the airline is incompetent, even though this may not necessarily be the case (Schou & Hernandez, 2014). Even when passengers are notified that delays were caused by security breaches, the airline could still suffer a negative image because some customers could perceive the airline’s security systems as weak. This belief may make them hesitant to share their personal data with the company in the future.

Thus, the possible lack of credibility and reliability associated with the airline’s IT infrastructure could attract negative reviews, which would ultimately have a negative impact on its image. If this impact were quantified in monetary terms, customer dissatisfaction could cost the airline millions in lost revenue (Schou & Hernandez, 2014).

Theft

Emirates airline often allows customers to key-in their credit card information and personal details on the company’s online platform. A security breach on the company’s IT infrastructure could lead to the theft of this crucial information. Such an act could lead to monetary losses for the airline and the customers as well. Indeed, as Schou and Hernandez (2014) say, cyber-enabled fraud has led to millions of dollars in losses for companies and affected persons.

The situation could be worse for Emirate’s customers because research has shown that their personal information is more valuable to cybercriminals if sold on the “dark web” (Schou & Hernandez, 2014). Intellectual property losses would have the greatest monetary impact on the airline because lost or stolen trade secrets could be worth billions. If they are duplicated, the airline, which is the owner of such property, could suffer similar economic losses.

Fines

Security risks on Emirate’s IT infrastructure could also lead to millions of dollars in paid damages to affected persons (Kosseff, 2017). Such fines may be punitive to the organization if authorities establish that the company failed to comply with data protection legislation. Several jurisdictions are considering implementing tougher measures to force companies to be vigilant about their data protection processes. Some of the proposed fines could amount to millions of dollars, thereby increasing the risk of insolvency for affected businesses (Kosseff, 2017). These possible negative impacts of security risks on Emirate’s IT processes demand an effective response to the peril. An incident response plan appears below.

Incidence Response Plan

Purpose

To protect the airline’s security system against invasion.

Discovery

The discovery process involves detecting suspicious activities and reporting the same. Actions may be taken at several information processing points and through different activities, including:

1. Helpdesk.
2. Raising the alarm through the intrusion detection system.
3. Notifying a firewall or system administrator (a monitoring team or manager should also be notified).
4. Security personnel or an external source may also lead to the discovery of a security breach.

Notification

Upon the detection of suspicious activities, contact should be established with the incident response team to inform them of the same.

Analysis and Assessment

Assess the following factors to establish the proper response:

1. Determine whether the intrusion is confirmed or perceived.
2. Find out whether the intrusion has ended, or is ongoing.
3. Establish what kind of information is at stake and whether it is crucial to the fundamental functioning of the airline.
4. Investigate the seriousness of the breach should the attack succeed (assess the effects based on three criteria – minimum, serious or critical).
5. Establish which systems are targeted and determine their physical locations.
6. Find out whether the incident occurred within or outside the network.

Response Strategy

1. Find out whether there is a need for an urgent response, or not.
2. Establish whether the incident could be contained, or not.
3. Determine whether responding to the incident will alert the attacker, or whether such a concern is important in the first place.

Containment

To prevent a further intrusion of the system by the hacker, abide by the following stipulations:

1. Make sure affected systems are disconnected.
2. Change passwords immediately.
3. If possible, flag down suspicious IP addresses and block them.

Prevention of Future Attacks

1. Understand the source of the security breach
2. Take proactive steps to ensure the known sources of intrusion do not lead to similar attacks by adhering to one or all of the following guidelines:

   1. Closing a port on a firewall
   2. Patching affected systems
   3. Disabling infected systems until a fresh installation is done
   4. Reinstall a new system and back it up, but ensure the backup was done before the infection
   5. Change email settings to prevent future hacks from intruding the system this way
   6. Make sure unused services are inoperable within the system

Documentation

Document what happened in the incident, including how it occurred, the source of the breach, the kind of response undertaken, and whether it was effective or not.

Notification of External Parties

Report the incident to external parties, like the police, if there is a need to do so.

Overall Policies and Procedures

1. Follow password policies, intrusion detection guidelines, and data assessment techniques.
2. Ensure backup and recovery procedures are followed.
3. Implement activities that are secured using firewalls and passwords.
4. Notify users against unauthorized access and use of the company’s IT infrastructure systems.
5. Establish the best response for an intrusion by evaluating all possible scenarios.
6. Ensure all employees are educated about IT security through training seminars.
7. The contact of the incident reporting personnel should be availed for all employees to see.
8. Test the process.

Disaster Recovery Plan

The purpose of this disaster recovery plan is to restore the information technology systems of Emirates Airlines. The plan helps to anticipate the loss of the following system components of the airline (which may occur because of a security breach): computer room environment, hardware networks, connectivity to a service provider, software applications, and data restoration processes. The disaster recovery plan outlines what employees should do using three key strategies outlined below.

Business Continuity Planning

According to Schou and Hernandez (2014), an organization’s ability to overcome a crisis relates to its efficacy in developing a strong business continuity plan. Relative to this assertion, industry analysts claim that 2/5 of businesses that experience a significant crisis or disaster will go out of business (Institute of Risk Management & Hopkin, 2012). Therefore, it is essential to have a business continuity plan to manage such types of occurrence. Emirates Airline’s business continuity plan follows the following steps:

Prioritize Critical Organizational Processes for Restoration

Give priority to critical organizational processes for continuity because doing so is integral to minimize the impact of the breach

Ensure There Is a Relocation Site Where the Airline’s Processes Could Be Hosted

Business continuity processes should be redirected to the secondary IT processing site.

Data Backup

Data relating to the airline’s operations should always be backed up. Personnel should accord essential data the first priority for backup. Risk managers should select and configure the most advanced hardware and software backup systems periodically.

Restoration of Hardcopy Files, Forms, and Supplies

Data backup processes should support the restoration of hardcopy files, forms, and supplies.

Policies and Procedures Needed

Emirates Airline complies with all policies and procedures outlined by relevant aviation transport and safety authorities. These policies and procedures are especially important in reviewing issues relating to security breaches and the safety of customer information. However, the rules and procedures described below outline what employees should do in case there is a breach.

1. Stop all affected systems and operations vulnerable to the breach to prevent any attempt to further compromise the system.
2. Notify customers about the shutdown of the systems and inform them that it will be running again shortly.
3. Notify the response team about the security breach.
4. Activate the secondary support system to provide an alternate infrastructure for the continuation of the company’s IT systems (this step should allow for business continuity).
5. Restore all associated and relevant files pertaining to the affected processes from the backup system to allow customers to use the airline’s technology-supported functions.
6. Investigate the source of the security breach and possibly identify who is culpable for it.
7. Notify relevant authorities about the security breach.

Processes to Utilize in Implementing Contingency Plans and its Components, Including Efforts to Maintain the Plans

The success of the above-mentioned contingency plan largely depends on the airline’s ability to formulate and maintain processes that would safeguard the policies underlying the framework. Four guidelines would help to maintain the contingency plan outlined in this report. They appear below.

1. Make sure all employees are aware of the contingency plan and regularly provide them with updates to ensure they understand the latest security threats, including how to manage them.
2. Undertake disaster drills to examine and evaluate how employees would react to risk. Based on the outcome of the drills, adjust the contingency plan accordingly to improve employee readiness.
3. Regularly review the plan to find out whether there are areas that need improvement. Circulate the new plans to all employees and discard the old ones.
4. Ensure the contingency plan is offsite to allow employees to gain access to it in case of an emergency. Keeping the plan on a cloud-based platform is the best way to manage the data management process because it prevents the destruction or loss of data. At the same time, the cloud-based platform allows for easier access to data from anywhere.

Hypothetical Incident Showing the Efficacy of the Plan

A hypothetical incident is hereby described where there is a reported incident of financial information theft, involving the loss of credit card information of 11 customers. The victims have reported to the airline that their cards were used on the company’s platform to make ticket purchases, and they have noted that hackers have made unauthorized purchases and reported the matter to the airline. This security risk will be addressed by following the steps below.

1. Establish whether the credit card theft stems from the airline ticketpurchasing process or any other point of card use. If confirmed that the security breach originated from the company’s IT processes, the second step below should be followed.
2. Stop all ticket purchasing processes to prevent any attempt to furthercompromise the system.
3. Notify the response team about the security breach.
4. Activate the secondary processing system to allow for business continuity.
5. Restore all files and ticket processing facilities from the backup system to allowcustomers to proceed with their ticketing and flight schedule plans.
6. Investigate the source of the security breach and possibly identify who isculpable for it.
7. Notify relevant authorities about the security breach.

Timeline for Incident Response and Recovery Efforts

The schedule below highlights the estimated time that each of the processes mentioned above would take.

Ethical Concerns Specific to Emirates Airline and Its Incident Response Personnel

The foundation of all ethical principles applicable in the formulation of this contingency plan is enshrined in the moral principles and practices that guide employee actions. This statement is premised on the principle that although human beings are part of the solution for controlling security risks, they are also part of the problem. The ethical issues below outline ethical concerns specific to Emirates Airline and its incident response personnel.

Ethical and Responsible Decision-Making

Decision-making processes surrounding the contingency plan need to be formulated by people who have integrity.

Privacy and Confidentiality

Fraudulent persons could use technology to deceive or misrepresent certain issues. The use of computers by airline passengers to book tickets and schedule flights may be a possible area of ethical concern because customers often provide personal information when performing such transactions. In case of a security breach, such personal information may be lost, hence invading the privacy of the customers and infringing on the confidentiality agreement that the airline shares with them. Thus, hackers could steal crucial information relating to the customers, such as banking details and credit information, and use them to undertake fraudulent activities (Graham, Olson, & Howard, 2016).

Piracy

Emirates Airline has its unique software that allows the organization to perform certain operations. For example, its booking system and flight reservation processes are moderated using copyrighted software. An attack on the company’s information technology infrastructure could allow hackers to pirate such information because they would have gained access to copyrighted content relating to the airline’s operations.

Liability

In the event of a security breach on Emirate’s computers, customers may be subject to compensation. The compensation may be attributed to missed flights, stolen credit information, or any other damage suffered because of the inaction of the airline to protect its customers from security breaches. Notably, the airline has to be careful about the legal ramifications of the affirmative promises it makes to its customers because failing to live up to them could lead to litigation (Kosseff, 2017).

Trade Secrets

As mentioned in this paper, the airline industry is a competitive one. Trade secrets are the tools used to outwit rivals in this space. The slightest breach of a company’s computer system could lead to the leakage of these secrets. Emirates could lose significant ground in its competitive airline strategy if this happens. The damage could be much worse if an employee of the airline orchestrates the breach. Thus, it is important for the airline to safeguard its trade secrets.

How Should You Plan for These Concerns?

Planning for the ethical issues raised in this paper requires a concerted effort by all stakeholders of Emirates Airline to make sure that ethical breaches do not occur. Each ethical issue identified above attracts a unique solution that is specific to the concern raised. The table below provides a summary of how the airline should plan for each of the ethical concerns mentioned.

References

Andreasson, K. (2012). Cybersecurity: Public sector threats and responses. New York, NY: CRC Press.

Graham, J., Olson, R., & Howard, R. (2016). Cyber security essentials. New York, NY: CRC Press.

Institute of Risk Management., & Hopkin, P. (2012). Fundamentals of risk management: Understanding, evaluating and implementing effective risk management. New York, NY: Kogan Page Publishers.

Kosseff, J. (2017). Cybersecurity law. London, UK: John Wiley & Sons.

Schou, C., & Hernandez, S. (2014). Information assurance handbook: Effective computer security and risk management strategies. London, UK: McGraw Hill Professional.