Business aircraft operators need to be especially concerned with securing digital information in an increasingly mobile and connected world, a trio of information technology and Internet security experts told attendees last week at the 2016 NBAA Schedulers and Dispatchers Conference. Public Wi-Fi, email and social media are among the weakest links in the security chain, they said.
Public Wi-Fi offers an open invitation for any transmitted data to be intercepted, said William Figures of RPM Hosting. “Your only defense is to use secure websites—those where you see ‘https’ in the address bar—or a virtual private network, both of which encrypt data before it is transmitted,” he said. Another alternative is to use a smartphone as a private Wi-Fi hotspot, which prevents snooping.
Blad Slavens of general aviation booking and managing software firm FlightBridge added that email is just as vulnerable: except where Wi-Fi transmissions can be intercepted only within range of the Wi-Fi signal, email can be intercepted anywhere along its route across the Internet. “That means that any aircraft scheduling information, passenger manifests and crew details sent by email could be intercepted and read by outsiders,” Slavens said. “Don’t send sensitive data by email.”
Thanks to social media, “Flight department crewmembers have the ability to derail company acquisitions,” noted UnitedHealthcare global risk vice president Charlie LeBlanc. “Posting on social media that you flew the company jet to a city where the competition is makes people wonder why your boss is there. And when it’s liked or shared with friends, this information is made public to everyone." When in a foreign country, this information could also be used by criminals to kidnap company executives for ransom, he added.
In addition, LeBlanc said that crews posting trip details to social media make themselves vulnerable to thieves. “Last year, the Houston Police attributed 3,500 home burglaries to social media postings where people said they were away on a trip,” he said. “It's easy to find home addresses on the Internet, so telling people you’re not at home can be an invitation to a criminal.”
RPM Hosting's Figures also led a discussion on password security, emphasizing the use of “strong” passwords (meaning a mix of upper- and lowercase letters, numbers and special characters), a password unique to each website and, when available, using two-factor authentication. He said that an eight-character password with only lowercase letters can be cracked in just 29 hours; a “strong” one would take 105 years. To keep track of different passwords, Figures suggests using a password manager such as Dashlane, LastPass, KeePass or RoboForm.