The airline industry has a particularly large cyber-attack surface, with many critical systems including maintenance, repairs & overhaul; on-board aviation; in-flight entertainment & connectivity; airport-based industrial controllers; and ticketing and customer loyalty systems. Each of the top 20 airlines has over 10,000 vendors, and many have limited programs specifically addressing vendor-sourced risk.
One such airline has taken a step toward securing its vendor base. Given the monumental effort required to mobilize risk mitigation in such a large and complex environment, automated & analytical approaches must be used. This airline turned to Fortress as a partner to achieve rapid program effectiveness.
This airline and Fortress partnered to roll out a robust, third-party risk management solution on the Fortress Platform. The program objectives were to:
- classify vendors by business-impact risk
- create and monitor compliance in real time
- implement remediation processes

- All 10,000 vendors were risk-ranked within 2 weeks and made available for browsing within the Fortress Platform.
- Data & analytics were used to create an 80% confidence level in risk ranks. The remaining 20% confidence is obtained through manual processes.
- Automated continuous cyber-security monitoring was put in place within 3 weeks for all vendors. This process detects publicly exposed vulnerabilities, which serve as an early-warning sign that a third party may have lax security controls.
- Within 30 days, program guidelines were implemented into the Platform.
- A three-phased, three-year approach was adopted.
  - Phase 1 targets the top 10% critical vendors
  - Phase 2 targets all high-risk vendors
  - Phase 3 puts all vendors through the compliance program
- The top 10% critical companies were identified by overlaying the following:
  - specific risk factors identified by the airline, cross-referenced to public and proprietary databases
  - the automated business-impact risk ranks
  - continuous cyber-security monitoring results
- The Fortress Platform maintains all records and evidence, orchestrates workflow, and provides real-time, self-service data exploration and dashboards.