From secure data handling procedures to effective cyber risk management, protecting sensitive information, people and assets should be a priority for any operator.
There is no denying that data is now one of the world’s most valuable resources. With a wide variety of technology-based products on offer, operators have even more opportunities to access vast amounts of data from which they can gain significant value.
From enhancing the passenger experience to controlling costs and maintaining safety, technology and the data it collates can be used to improve day-to-day operations and journeys.
However, with a rise in data collection and the adoption of smart technology come greater risks, not to mention accidental insider threats to contend with. Therefore, effective cyber protection is increasingly critical for operators to safeguard people, sensitive information and assets.
There are technology suppliers that help operators collect, process and access data more smartly and securely.
For instance, Journeo has a portal designed to give operators real-time data and historical reporting for on-vehicle systems and Internet of Things (IoT) sensors on a cloud-based platform.
The portal collects data from connected on-board systems such as CCTV, passenger counting and telematics. It presents the information through a user interface or distributes it to third-party systems via a secure application programming interface (API), where appropriate.
Darren Maher, Journeo Group Development and Communications Director, says: “Security plays a big part because the data is being offloaded into the cloud and provided to different members within an operator’s organisation.
“There are two aspects of security: the security of the Journeo solution as a whole and user access permissions to make sure data can’t be accessed or viewed by someone who shouldn’t have access to it.”
Human cyber risk
While technology such as Journeo’s solution does not collect personal data like credit card details, operators must be aware that the data is sensitive, particularly CCTV footage. Therefore, it needs to be correctly managed.
Says Darren: “We offload the footage remotely over 4G or wi-fi from a vehicle to our cloud-based service. So, we use an encrypted virtual private network (VPN) to make sure that the data is secure in transit.”
This automated process is more secure and less labour intensive than manually taking a hard drive from a vehicle to download the footage onto a local PC. It also means operators are in more control of who can access their data.
“Every action completed when accessing data is logged and auditable,” says Darren. “Operators can set permissions on who within their organisation has access rights to different information, can track when they have accessed it and what they have done in their interaction with that data.”
This is an important consideration since people are the primary cause of security incidents or data breaches. According to CybSafe, human error caused 90% of data breaches in 2019.
Effective cyber security is about being proactive and implementing risk management, including measuring human risk, says Darren Curd, Associate Director at passenger transport insurance broker Wrightsure.
The art of tricking or blackmailing individuals into giving away confidential information or taking action, such as authorising a payment, is called social engineering. And it is one of the biggest threats to businesses, adds Darren Curd.
“That’s where real money is lost because you’ve been instructed to do something that looks like it’s come from an official source.
“For example, a colleague opens an email that looks like it comes from the director asking them to pay a customer. All the signs read as if it has come from the director, so the person does it.
“Then you realise you’ve handed thousands of pounds to some sort of underground organisation, and you’re not going to get that money back.”
What steps can operators take to reduce the risk of falling victim to cyber crime?
Backing up systems regularly and using a firewall to protect against outside cyber attackers is critical, says Darren Curd, as is implementing procedures that employees can follow in their day-to-day processes.
“Don’t just pay money to a customer or supplier, as apparent as it is, without going through internal checks first. Have the people processes in place to cross-check and authorise the payment.
“No business wants to fall victim to cyber crime, and what we thought were critical cyber events five years ago have evolved. So, the insurance industry has been steadily evolving cyber products to very good effect too.
“Critical to any quality insurance product is a raft of ‘recovery’ extensions, but more crucial to anything is having a ‘crime’ extension,” adds Darren Curd.
Technology providers like Journeo have a responsibility to provide a secure service. But operators must remember they have responsibilities to ensure it is operated securely too.
Says Darren Maher: “We work to ensure that operators can rely on a secure cloud-based platform. However, there’s always a requirement for the user to ensure they have robust internal IT policies.
“For instance, ensuring that passwords are not shared or stored on shared machines, and group mailboxes or shared phones aren’t used for multi-factor authentication tools.”
When partnering with technology suppliers, Darren Maher recommends reviewing their accreditations and security processes. Such certifications as ISO27001:2015 and Cyber Essentials show that independent third parties have audited a company’s information security management procedures.
Partnering with reputable suppliers and keeping informed about where your responsibilities lie is essential for effective cyber security. No firm is immune from cyber attacks. But with robust risk management frameworks and due diligence, operators can minimise the risk of becoming a victim of cyber crime.