A key part of a positive security culture is protecting information effectively to ensure vulnerabilities in the aviation security system cannot be identified and exploited.

Your security system is only as strong as the protection of your information. Sensitive information should be stored, transmitted, and disposed of securely, and only shared with those who have a need to know. Information that is vital to the running of your organisation, and that may seem routine or innocuous, could provide a threat actor with critical information that could be misused to cause harm.

Cyber security induction training

Induction training should have a comprehensive cyber security component to ensure inexperienced staff understand how they are required to operate while using corporate systems or handling sensitive security information. New staff may not have a background that includes handling sensitive information, so consider what information your organisation handles that needs protecting and communicate this to new staff to ensure they understand how to keep this information safe.

Promote cyber security by:

  • Standardising induction training for all new starters to your organisation to cover how information should be protected and shared. Training material should be set at a level that those without a strong background in information technology can understand and implement with ease.
  • Offering refresher training on a regular basis to remind staff of key aspects of their cyber security responsibilities.
  • Implementing a simple test or assessment to gauge staff understanding of cyber security requirements.
  • Including specific information on the risks of information security breaches within education and training materials. This helps to contextualise the reason for information security measures and the harm that could follow if information falls into the wrong hands.

Clearly documented policies and procedures

Information security should not be left to chance. Clear, cohesive, and effective policies and procedures are important to set a clear expectation of the information security management practices required of staff. Information security policies should contain relevant measures to help all staff keep your organisation’s information safe and secure.

When creating your policies and procedures:

  • Think broadly about the information that should be protected within your organisation and prioritise security measures for the information that is most at risk or most valuable. Information that needs security measures applied may not be immediately obvious. For instance, staff roster information could reveal gaps that could be exploited, and operational data may indicate gaps in security procedures that represent significant vulnerabilities for your organisation or the sector and could enable a successful attack.
  • Clearly document policies and procedures relating to information security. These should include measures for electronic documents, but also control mechanisms for hardcopy paperwork that may reveal security sensitive aspects of your organisation.
  • Ensure information security policies and procedures are accessible to all staff, and that these are written plainly and simply for staff with a lower understanding of the information security environment.

Regular information security messaging

Regular information security refresher training and messaging is important to embed sound practice within the security culture of an organisation. Information security measures can often be seen as a barrier to desired outcomes (e.g. sharing of information may be more difficult), which can lead to complacency and breaches over time. Information security threats can also be harder to picture than traditional physical security threats. As a result, it is important to regularly remind staff of the need to keep information secure, and of the basic measures they can take to protect sensitive information.

Communicate information security messages:

  • Conduct regular information security refresher campaigns to remind staff of their responsibilities. Consider a range of channels to communicate messages effectively: verbal briefings, email updates, posters placed in high traffic areas, or messages on your IT systems or intranet page.
  • Tailor messaging to your environment, and at a level that your staff can understand. Include real-world examples of cyber security breaches and highlight the potential consequences a breach could have on the security of your organisation and the aviation sector.
  • Quickly communicate any new or developing information security risks to staff and highlight any quick wins or key advice regularly to embed a high standard of practice.

Information security response plans

A timely response to a cyber incident is crucial to understanding its impact and minimising the damage caused. It is important to have response plans in place for staff to follow when things go wrong. The security culture of your organisation is enhanced when contingencies and responses are accounted for in any area, including cyber and information security. Staff should be aware of response plans and contingencies, including when these should be initiated and what their role is in any response.

Ensure staff know their cyber response plans:

  • Establish measures for all staff to remain aware of cyber incident response plans, and specifically their role in any follow up response.
  • Test cyber security response plans on a regular basis to ensure measures meet the required standards in relation to the threat and your organisation’s risk profile. Establish mechanisms to assess cyber security incidents and implement any recommended updates to your response plans.
  • Establish means for staff to report suspicious activities, recognise poor cyber security practice or policy breaches, and know when things they encounter might threaten your organisation’s data.
  • Consider creating aide-memoires to help staff recall the steps to take during an incident response.
  • Institute a process for reporting and assessing risk from the loss or theft of organisational information (electronically, or through a misplaced/stolen laptop, phone, or documents).

Assess your information security [PDF 85 KB]