Best Practices Can Help Airports Mitigate Growing Vendor and Third-Party Cybersecurity Risk


By Michael Corcione, Partner, HKA Global, Inc.

In recent years, cyber-attackers have preyed upon the weaknesses of vendors and third parties to access computer systems at hospitals, banks, financial services firms, retailers, utilities, transportation systems, and other critical infrastructure.

Airports are similarly vulnerable.  Outside vendors or third parties provide services or support for nearly every part of airports’ ecosystems, including air traffic systems, passenger ticketing, baggage handling, transport systems, parking management, communications, security, concessions, and payment systems.

While airports’ security controls may be well hardened, those of their vendors may be more easily breached. Mitigating this growing area of risk requires a thoughtful mix of careful planning, objective monitoring, and diligent management.

Vendor and third-party risk management must start with a solid policy that identifies how an airport will assess, manage, monitor, remediate and, in some cases, accept risks.

Since all vendors and third parties aren’t equal in terms of security protocols, the airport’s risk management policy must outline how it will risk-rate its vendors. This risk-rating has many components, with the heaviest weighting in two categories:  1) What is the vendor or third party’s level of access to the airport’s most sensitive data, key systems, and business processes?  The more access, the higher the risk. 2) What is the vendor’s maturity level?  Maturity is a reflection of several characteristics, including the length of time a vendor has been in business, its size, and the history of the product or service it offers. Generally, the more mature a company is in these categories, the more secure it is likely to be.

Risk assessments also should answer other questions:  Has the vendor or third-party kept up on its security investments? Does it train its own employees in risk management? What are its plans for cyber-incident response and recovery? How does it manage its own vendor and third-party risk? (Which, essentially, becomes a “fourth-party” risk for the airport.)

It may be prudent to request a copy of the vendor’s cyber- and information-security procedures.  Also, scrutinize the vendor’s financial posture, reputation, and compliance with laws and regulations. On-site visits also may be a good idea, especially if the company is providing data-hosting services.

Potential vendors should demonstrate that their cybersecurity program meets industry standards and, ideally, are certified by a reputable external auditor.

Airports should implement their own control systems for vendor and third-party risk-rating, due-diligence, on-boarding, continuous monitoring, and off-boarding. There are several risk management software programs on the market. In most cases, one solution alone may not be enough, and airports should select tools based on their immediate and long-term needs and budgets.

Industry organizations can help. The International Air Transport Association (IATA) provides guidance and latest updates on cybersecurity standards and regulations. Its January 2021 report includes crucial developments and links to knowledge centers of leading industry watchdogs:  Compilation of Cyber Security Regulations, Standards, Guidance for Civil Aviation.

Training can be invaluable in on-boarding new vendors and managing overall vendor risk and should be updated as new technologies—and new risks—emerge.

Finally, it’s important to remember that cyber-attackers aren’t going away. To effectively manage and minimize risk, airports must establish, maintain and continually improve a comprehensive cybersecurity program that manages risk at all levels and at all touch points.  While the task is not easy, it is achievable. Given the nature of an airport’s operations, its place in the community and local economy, and the number of people who pass through it every day, failure cannot be an option.

The information provided in this article is intended for general educational purposes only—it does not constitute legal, accounting, or other professional advice, and it should not be relied upon as the basis for your business decisions.

For HKA’s white paper and expanded thought leadership on how Best Practices Can Help Airports Mitigate Growing Vendor and Third-Party Cybersecurity Risk, please click here.

# # #

Michael Corcione is a Partner at HKA, which provides multi-disciplinary risk mitigation and dispute resolution services to clients worldwide. Mr. Corcione has more than 30 years of experience in advising companies and boards of directors on technology, cybersecurity and privacy and risk management strategies. Over the past decade, he has led the delivery of Virtual Chief Information Security Officer (vCISO) services for advisory firms, which provide a CISO, along with cyber, privacy, and information security subject-matter experts, to organizations of all sizes and verticals. He is a member of the cybersecurity advisory board at Pace University, and a member of the Board of Trustees of the American Management Association International.