Airline Security In A COVID-19 World
Cybersecurity is becoming more critical as the airline industry, like most corporations and governments, stores more personal data using cloud-based software. The recent SolarWinds data breach is a reminder of the importance of information security. It can take months to detect an unauthorized breach. For example, according to the Wall Street Journal, SolarWinds Office 365 email accounts were compromised for at least nine months.
As airlines are a cornerstone of modern transportation, protecting passengers’ privacy and safety is essential for millions of jet setters.
How Do Airlines And Companies Ensure The Security Of Personal Information?
Companies are using multiple security frameworks to protect customer data.
One of the most common is payment card industry (PCI) compliance to prevent credit card data breaches. Data breaches can also result in hefty non-compliance fines. Beyond the fines, a breach of trust with customers and vendors can be detrimental to the success of future operations.
The best practices for cybersecurity are continually changing to protect personally identifiable information and maintain customer trust.
One of today’s best options is implementing the System and Organization Controls (SOC) 2 framework to enhance trust with vendors, customers and regulatory oversight agencies. Various vendors offer software and control templates that help a company prepare for SOC 2 certification. These tools are intended as complete solutions for evidence collection, controls, penetration tests, and ongoing monitoring for security compliance and assurance.
SOC 2 certification is more flexible than other security standards in how it evaluates specific data security practices. These certifications help determine the operational effectiveness of current practices and help companies take proactive steps to prevent a breach.
Airlines and airline software companies can adapt their SOC 2 framework to their specific operation. They can then measure their data security practices’ effectiveness to guard the many daily passengers’ personally identifiable information.
The American Institute of Certified Public Accountants (AICPA) defines these five trust service categories for SOC 2 compliance:
- Security: Is the system protected from outside attacks and unauthorized use?
- Availability: The system remains available for use and its performance level is maintained
- Processing integrity: Information is processed accurately and in a timely manner
- Confidentiality: Only specific people or organizations can access the information
- Privacy: Personally identifiable information is protected from unauthorized use
An external audit team conducts the audit and issues the SOC 2 report. While complying with SOC 2 is voluntary, it is also a leading way to build public trust and remain on the cutting edge of cybersecurity. It is becoming more common for businesses to partner only with service providers that hold SOC 2 certification when those providers store sensitive customer data.
SOC 2 Type 1 Report
Seeking SOC 2 compliance can involve receiving two different compliance reports.
The first step is a Type 1 report. The audit team examines the airline’s current internal controls for protecting the security and privacy of passenger data. Airlines can use this audit to improve their security practices for passenger data.
When conducting future audits, the audit team will use the Type 1 report as a baseline.
SOC 2 Type 2 Report
A Type 2 report is a follow-up audit to measure the improvement since the initial Type 1 report.
Companies typically run these reports every 12 months but may choose six-month intervals after implementing significant framework changes or migrating to a different software service. The report tests the ongoing data security and privacy practices against the five trust service categories (security, availability, processing integrity, confidentiality and privacy).
Results can ensure personally identifiable information remains safe and the company maintains SOC 2 compliance.
How Can Airlines Benefit From SOC 2?
Up to 1 million leisure and business travelers pass through the TSA-monitored airport security checkpoints each day. Each flight itinerary contains several items of sensitive personal information. In addition to the plane ticket, the airline may also gather personal information for purchases with travel partners, including hotel and rental car agencies.
Passengers trust an airline will protect their personally identifiable information, including passport numbers, loyalty account information and travel history.
While front-end security measures like two-factor authentication reduce the likelihood of imposters accessing passenger accounts and give passengers immediate peace of mind, malware on the back end may still expose sensitive information.
Performing a SOC 2 audit using the five trust service categories tests the current cybersecurity framework’s effectiveness for potential weak points.
Using SOC 2 For COVID-19 Travel
What does SOC 2 compliance look for in the airline industry during COVID-19? There are multiple possibilities, but one option can be addressing the COVID-19-related data that airlines are starting to collect from passengers.
Airlines are tasked with collecting more passenger information than before to comply with government travel restrictions. This information gathering trend is projected to increase as flight volumes return to pre-pandemic levels while airlines ensure passengers meet new flight boarding procedures.
For instance, an airline may need to collect the following details at flight check-in:
- Traveler health forms
- Pre-travel diagnostic test results
- Immunity passports
The airline may gather this information to verify the traveler isn’t a health risk. But the airline is also responsible for forwarding the pre-travel testing information and travel health form to the appropriate government agency at the flight destination.
Airlines can use their SOC 2 framework, through a Type 1 report, to verify that data transfers to the receiving parties are secure and delivered promptly.
One test metric can be whether the passenger’s data arrives at the destination without disruptions that would delay exiting the airport or clearing customs.
An airline may perform a Type 1 report for a travel corridor that currently requires a pre-travel diagnostic test or a traveler health form that logs the traveler’s contact information and lodging details.
After conducting the initial Type 1 report, the airline can improve and implement better security practices for the test corridor and across the entire system. The airline can then conduct a routine Type 2 report to verify the security protocols remain intact as the industry adjusts to new travel processes.
People will be hesitant to fly with an airline that cannot guarantee to safeguard sensitive information. Implementing the SOC 2 framework can be one of the easiest ways to build trust with customers and show how an airline protects its passengers’ personal information.