Page 15 - IMDR Journal 2025

P. 15

Research Article
The SFO and BA breaches suggest that their prior security vendors, and compliance, oﬀering an improvement
measures were not adequate for the current threat landscape. schedule towards resilience. When the discussion addressed
In both cases, attackers exploited relatively simple 21 questions, it was noted.
vulnerabilities: unpatched software and single-factor logins.
The issues of frameworks and transparency are potent tools,
This indicates that routine security hygiene (patch
minimising the damage of a breach, and re-establishing
management, MFA, encryption) was lacking. Today’s cyber trust. To sum up, the aviation industry should be prepared to
threats are more sophisticated: attackers use automated live in a world where cyber threats are ubiquitous.SFO and
tools, AI-driven social engineering, and novel exploit kits. BA have now realised that security should penetrate every
For example, recent reports warn of deepfake phishing and operation. Through their strong cyber preparedness and
AI-generated malware. The fact that 95% of breaches technique of consciousness, they will be in a better situation
involve human error shows that social engineering is an to safeguard their customer information and essential
ever-present vector, necessitating continual user education information. The cost of complacency is clear from these
and technical controls (like advanced email ﬁltering). cases: lost trust, regulatory penalties, and compromised
Moreover, supply chain vulnerabilities and state-sponsored safety. Moving forward, constant vigilance and proactive
enemies exist as a risk factor in the aviation sector. This strategy are the only ways to stay secure in a digitalised
implies that the granite sleeping bag of a defender cannot be aviation industry.
used. It is essential to assume that breaches will occur in
organisations and design architectures to accommodate
them (zero trust, segmentation, etc.) Continuous REFERENCES
monitoring. Both BA and SFO will have to keep modifying Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012).
their security posture on a continuous basis. The case in Computer Security Incident Handling Guide (NIST SP 800-
point is a poor library (Modernizr) found in BA, which was 61 Rev. 2). National Institute of Standards and Technology.
considered a known vulnerability since 2012.in use. Such CISOMAG. (2020, April 14). San Francisco Airport
matters would be spotted through frequent threat websites hacked; employee login credentials compromised.
intelligence and patching programs nowadays. Similarly, Retrieved from CISO MAG websitecisomag.com.
SFO needs to 20 consider that their web properties can be the
targets and deploy superior. Defences (such as web Easterly, J. (2025, January 8). Corporate cyber governance:
application ﬁrewalls and content policy). Concisely, Owning cyber risk at the board level. Cybersecurity and
cybersecurity is a shifting target. Measures that once were Infrastructure Security Agency (CISA) blog cisa.gov.
considered “good enough” quickly become obsolete. Edwards, M. (2024, December 19). The Ultimate Guide to
Therefore, SFO and BA must adopt dynamic, forward- ISO 27001. ISMS.online.
looking security strategies (guided by updated NIST/ISO Forbes Technology Council. (2024, May 15). Return on
frameworks) and invest in innovation to stay ahead of investment of cybersecurity: Making the business case.
attackers. Only by treating cybersecurity as a living process Forbescouncils.forbes.comcouncils.forbes.com.
can they hope to defend against the changing face of
cybercrime. French, L. (2025, March 11). 95% of data breaches involve
human error, report reveals. SC Mediascworld.com.
HBR.org. (2015, May). Customer data: Designing for
CONCLUSION t r a n s p a r e n c y a n d t r u s t . H a r v a r d B u s i n e s s
The SFO and British Airways incidents underscore that Reviewcouncils.forbes.com. (Discussion of trust and
cybersecurity is not purely a technical concern but a transparency in data protection.)
fundamental business risk. All the breaches demonstrated Hickman, T., & Timmons, J. (2020, October 16). UK ICO
the lack of risk management, technology, and governance. A ﬁnes BA £20m for data breach. White & Case LLP
proper course of action calls for a blend of cybersecurity whitecase.com.
with organisational strategy at the boardroom level, down to Mahn, A. (2018, October 23). Identify, Protect, Detect,
the level of a playground. Front lines. The structural risk Respond and Recover: The NIST Cybersecurity
administration will identify and address problems in the Framework. National Institute of Standards and Technology
analytical systems (NIST CSF and ISO 27001) reduce such (NIST) blognist.gov.
vulnerabilities before they are exploited. Corporate
governance principles emphasise that cyber risk, as well as NIST. (2023). Multi-Factor Authentication. NIST Small
ﬁnancial and safety, are the priorities of executives. Risks. Business Cybersecurity Cornerist.gov. (Deﬁnitions of MFA
The main lessons are that it can be well-prepared with the and its importance.)
availability of the latest protection ﬁrewalls (patching, Sandle, P. (2018, September 7). BA apologises after 380,000
encryption, MFA), constant observation and the importance customers hit in cyber attack. Reutersreuters.com.
of giving time to these activities. And snappy incident SC Media. (2025, March 11). 95% of data breaches involve
response. These are expensive to invest in the short term, but
h u m a n e r r o r , r e p o r t r e v e a l s . C y b e r R i s k
nothing to what a breach can do to the business. The strategic
Alliancescworld.com.
implications of what we have discussed are accountability of
boards, investment in security, training, monitoring of the

10 11 12 13 14 15 16 17 18 19 20