Cybersecurity is a team sport, where every individual in an organization has an important role to keep the company, its proprietary information, and its customers’ privacy secure. As a result, we have gathered three in-house experts: Joe Jones, Director of Cybersecurity, Garrett Stanley, Senior Engineer, Information Security, and Garrett Hatch, Cybersecurity Analyst, Information Security to share their knowledge in a roundtable discussion about inflight cybersecurity, what they do to keep your data, our systems, and our networks safe, as well as best practices for business aviation professionals.
JJ: From Gogo’s perspective, cybersecurity refers to the practices, technologies, and measures designed to protect data, systems, and networks from cyber threats, unauthorized access, and data breaches. It encompasses everything from protecting intellectual property and client information to securing internal communication systems and preventing operational disruptions. Effective cybersecurity involves not only the technical measures to prevent and respond to threats, but also to establishing policies, educating employees, and proactively managing risks to safeguard the organization’s assets and reputation.
In business aviation, cybersecurity is especially critical due to the unique and sensitive nature of the data involved. Here are several key reasons:
1. Protection of Sensitive Data: Business aviation companies handle highly sensitive data, including passenger information, flight plans, and corporate travel schedules. Unauthorized access to this data could expose confidential information, leading to privacy violations or even physical security risks.
2. Compliance and Regulatory Requirements: Many regions have strict data protection and cybersecurity regulations that apply to aviation. Adhering to these laws is essential to maintain customer trust, operate legally, and avoid hefty penalties.
3. Reputation Management: The reputation of business aviation companies heavily depends on the trust of high-profile clients and corporate travelers. A cybersecurity incident could damage this trust and significantly impact customer loyalty and business relationships.
Effective cybersecurity involves not only the technical measures to prevent and respond to threats but also to establishing policies, educating employees, and proactively managing risks to safeguard the organization’s assets and reputation.
GS: Securing the data and technology at any organization is a complex process. One of the unique challenges we face at Gogo is that we must simultaneously secure a geographically distributed static ground-based network and a distributed dynamic satellite-based network for both domestic and international aircraft, that are continuously altering their altitude and speed throughout a wide range of environmental climates and weather conditions.
In such circumstances, the best course of action is to methodically apply foundational security practices and principles at each point with our products and services. We achieve this though assessment and testing before a new product release, reoccurring testing after release, continuous monitoring of production technologies, and adherence to consistent technology maintenance and improvement schedules.
GH: Gogo provides secure network communication for our AVANCE systems by encrypting and protecting customers from threat actors who are trying to sniff traffic. Gogo is committed to a full SSDLC (secure software development life cycle) including vulnerability scanning, penetration testing, and other security tests to secure our AVANCE software aboard customer aircraft. With our over-the-air (OTA) updates program, customers can update their software from the comfort of their cabin seat. In addition, they can be confident they’re upgrading to a secure software that also increases the efficiency of their AVANCE system.
GH: Gogo has a robust security awareness program that trains our employees on the latest news and attack methods in the cybersecurity world. We also challenge our employees with phishing tests to simulate and sharpen their skills so they can better defend against social engineering. As a security team, we stay up to date by learning and researching new security topics within the Aviation-ISAC, other cybersecurity informational resources, and our own professional motivation so we can stay ahead of threat actors.
GS: Some general cybersecurity best practices include:
1) Utilization of anti-malware, anti-tracking, and ad-blocking programs.
2) Keep your operating system, applications, and protection programs up to date.
3) Do not install an untrusted software if you did not initiate the process or plug unknown devices into your technology.
4) Use MFA (Multi-Factor Authentication) whenever possible.
5) Trust but verify.
