10 Oct 2022

5 things that your FMS can do to protect you from cyber threats

Hello Paweł! Let's start with the introduction. Could you give us a brief info about yourself?

Hello, I have been working at Leon since 2007. From the very beginning, I worked on product development. Initially as a backend/frontend developer. Later I also developed my position and became CTO and product owner.


Both positions at once?

Yep, my spirit animal is an octopus... just kidding. In SaaS it's a common thing because the final product is technology, so it's good to have an overview of both the development and the final result.

So, what are your main goals as a CTO in Leon Software?

Well, I try to balance multiple goals, often conflicting.

My main responsibility is keeping up the rapid development of functions for customers. And I need to do this while equally maintaining the stability, speed, and security of the service. I also lead the reduction of technical debt to a level that allows efficient implementation of the previous goals.

All these tasks serve one larger goal which is to reach the highest possible customer satisfaction.

To achieve it, you need to look at the system from an eagle's perspective. So, a good understanding of our customers' business and technological issues is needed. This knowledge is crucial to deliver a technologically advanced product designed to perform specific business tasks as easily as possible.

Is constantly developing Leon a challenging task?

Yes. We receive a huge amount of valuable feedback from our customers and we need to choose those parts which will bring improvements to the largest group of customers. Unfortunately, we have to reject many good ideas, because we are not able to do everything. These choices are very difficult because we usually do not have a complete picture of the market for which we provide a service.

This process is challenging also because we try to provide changes as quickly as possible. Every two weeks there is a release of a new version of the system with a very large number of smaller and bigger upgrades. But we always try to make sure that the new features don't fundamentally change the way users use the application.

We understand that constant changes in UX/UI, for example, can be confusing for users, but at the same time, we are sure that they will benefit them in the long run.

Moreover, we need to keep in mind security standards all the time. During rapid system development, maintaining system stability and security is very demanding. We use several tools to monitor system performance and security.

What amount of your work concerns cyber security?

Unfortunately, this is very hard to measure. We mainly work on these issues with our DevOps/SRE department. But as well we use external companies, e.g. those performing pentest audits, which provide us with feedback on security. I just set things in motion and try to make sure they are prioritised appropriately.

Can we say that some of the cybersecurity measures have become a standard in normal work?

I'm sure that in the future companies will only increase IT recruitment in the cybersecurity field. For example, let's talk about the use of encryption of data transmission in browsers. Nowadays it is rare to find websites which do not use SSL certificates. I think there is also a growing awareness that you should use strong passwords and not write them down on a piece of paper stuck to the monitor or written on the edge of your laptop :-)

Are there any upgrades that software can do to ensure its client data safety?

Yes, there are many actions to take. For example, multi-step authentication with a device like a mobile phone. Passwords, even strong ones, can be broken or leaked. Additionally using codes generated on a phone belonging to the user significantly reduces the chances of unauthorised access to the system.

The use of MFA/2FA should be as standard in companies as the "HTTPS" connection. We highly recommend enabling this feature in Leon, especially since this function can be set up in a way that doesn't increase inconvenience when logging in. It is possible to configure trusted IP addresses from which no confirmation code is required while logging in. There should not be many such addresses, and ideally, this should include only your office IP address.

OK, this is one thing. Are there more?

Yes, the system should also minimise email communication as much as possible. Of course, it is not possible yet to completely eliminate emails. However, it's common knowledge that emails are used for a great many phishing attacks. What is more, they are stored on the servers of many more or less trusted providers. It is not even a question of having an email infrastructure in your own office. It is important to keep in mind that when sending an email with personal data to an email address of your choice, you do not know with which provider the email is hosted. This creates serious risks.

But risks can't overwhelm good usability?

Risks can be manageable. It is worthwhile for the FMS to provide a large set of available integrations, especially for systems that exchange sensitive info such as personal data. In Leon, for example, we have several.

For example, Jetex allows us to order various types of services. Instead of sending the data in a very large number of emails, Jetex itself reads all the needed data directly via an API. The second one is Avinode. We know that brokers very often send personal data via email. Instead, it's much safer to send them directly to Leon via chat in Avinode.

It is also worth reducing internal email communication by replacing it with the dedicated Crew app.

OK, so we have authorization and email issues. Is there anything else?

Yes, we are aware that the possibility of precise control of access to the system is also very important. The permissions system should narrow access to data and system functions as precisely as possible depending on the user's role.

In an ideal scenario, the user should have access to the minimum part of the system needed to perform the tasks assigned to them. Additionally, the system should be divided into modules corresponding to the most standard roles in an airline company (OPS, Sales, Crew, Crew planning). Moreover, these modules should not share high-level components with other modules. The risks involved in sharing too much data just because another module needs it are not worth the apparent speed of development.

It sounds like a lot of effort is invested in security measures.

We are trying to do our best in this regard. We also make it possible to easily check the history of data changes in the system. The system should be auditable and, of course, unmodifiable. This is crucial for tracing unauthorised changes to data in the system.

The technological architecture of the system and infrastructure has a huge impact on the security of the system. Unfortunately, this is an element that the user is not in a position to verify themselves. The most reliable way to make sure that a system complies with security standards is through external audits. You should ask whether the system passes security audits and penetration tests carried out by external companies.

Are security audits something hard to pass for an FMS?

It is. Security audits should not be treated as exams to be passed, though. A security audit that does not reveal any deficiencies is worthless. You should be happy that the audit has identified potential problems. The problems found should then be corrected so that the next auditor has to work much harder to find something.

Does an FMS need an ISO certificate?

ISO certification is an element that enforces the existence of, and a company's adherence to, procedures governing key security issues. It confirms that the company thinks and cares about data security issues. Compulsory annual audits mean that the company is forced to continually seal and correct any deficiencies that are detected. Of course, maintaining and adhering to procedures as well as going through the audits themselves is labour intensive, but this only makes companies more trustworthy. I think that at a certain scale of organisation, such certifications are highly desirable.

So to summarise, if I were a business jet airline, what security features should I demand from an FMS?

You should look for five key elements:

First, check if your FMS offers some kind of additional password protection or 

Second, you may pay double the price in the future for an FMS without certified security measures, so look for the ISO 27001 certificate.

Third, integrations in the system are there not only to enhance your work but to provide you with a safe API connection that lowers the possibility of phishing.

Fourth, an FMS should have an easy-to-access overview of changes made in the workspace. This will not only help you in future audits but also let you quickly track unauthorised changes made to a flight.

Fifth, and last but not least, an FMS which lets you limit some users' access to features that they will not use is not only cleaner but reduces human errors by a lot.

Can we say that cybersecurity hygiene is a must for the future of cloud-based software?

I don't think anyone is in any doubt these days. Well, you can always try to choose someone without any security protocols but it will be a painful mistake.

Thank you for this interesting talk.

Thank you.
