Question #1: How long would it take for someone to download critical data from a repair station computer onto a small thumb drive, put it in their pocket, and walk right out the door? Best guess for even a novice hack – probably a minute or less.
Question #2: How long would it take to detect the incident, or even investigate the scope of the loss? Probably days of IT, legal and management time and effort – if you even notice the breach at all.
Question #3: How long will it take to recover from this type of incident? Getting back to normal will likely take months, and the damages could accrue for years into the future.
We don’t think of aircraft repair stations as a hotbed for cybercrime, but the shift from the “old school” paper repair manuals and drawings to electronic data and files at each technician’s workstation has opened the door to this risk. The days when the certified maintenance manual was housed in heavy three-ring binders filling a wall-sized bookshelf are gone. No longer can you spot an employee carrying a roll of drawings and a box of documents out the door to a vehicle. There was a day not long ago when the trunk of a car was the only way to carry a pile of company information out of your facility. Those days are gone. Now the crown jewels can leave the building on a device the size of a postage stamp. Worse yet, now that everything is electronic, this company-critical information may be exposed to a hack from outside the facility over a public or private portal. The crime may be committed by an insider or, almost as easily, by someone anywhere in the world who has no connection to the company.
So is cyber risk the latest form of corporate scare tactic designed to create another third-party audit, a call for immediate action, and more insurance? No, but as with most risk management problems, the best first step is identifying the risk. Can you articulate the nature and location of your company’s crown jewels? Can you list just the most critical 2% of all the company information you have that accounts for most of the company’s actual value, at least from an intellectual property standpoint? That is the first step – to know what is important and where it is located. Only with this initial accounting can you start to consider how, and to what extent, your intellectual property is secure. Start by casting a wide net and work iteratively until you decide you have the crown jewels clearly identified. Then go to work with your IT experts and staff, HR department and lawyers to protect your data and mitigate the risk of loss.