14 September 2019
At least two dozen flights were delayed on Aug 21 when a systems disruption affected Kuala Lumpur International Airport (KLIA) and klia2, including its flight information display system, check-in counters, baggage handling systems and Wi-Fi.
This should be a wake-up call for Malaysia Airports Holdings Bhd (MAHB). Based on the current global political climate, there has never been a more important time for airports to seriously reconsider their approach to cybersecurity and risk management.
MAHB must oversee threats to the airport system, and the management must further discuss them with the board and stakeholders.
Risk management is important to gain a competitive advantage.
Through enhanced risk management, the board will gain a better understanding of how threats can impact its strategy.
It is vital for MAHB to consider ISO 31000 Risk Management to identify, assess and control risks.
Risk management ensures the highest possible level of safety during all airport activities and requires an in-depth risk analysis and incident analysis, as well as linking the two together to facilitate learning from incidents.
Risk management will add value to MAHB and ensure continuous improvements. It improves performance, encourages innovation and supports the achievement of MAHB’s objectives.
The risk management process involves the systematic application of policies, procedures and practices to the process of communicating and consulting, establishing the context and assessing, treating and monitoring risk.
Risk management has played a strong supporting role at the board level. Now, boards are expected to provide robust oversight of risk management.
ISO 31000 also provides important information to boards so that they can fulfil their risk oversight responsibilities.
ISO 31000 Risk Management helps to mitigate risks, and ISO 27001 helps organisations ensure that the three principles of a mission-critical system are taken care of — confidentiality, integrity and availability.
Backup and disaster recovery plans must be in place and maintained for critical systems.
Disaster recovery plans for systems must be reviewed and tested annually. A test schedule must be developed to indicate when each element of the plan is tested.
Responsibility should be assigned for regular reviews of each disaster recovery plan.
The formal change control process should ensure that updated plans are reinforced throughout the organisation.
There may be considerable cost associated with testing the disaster recovery plans.
According to the World Economic Forum (WEF), there is increasing volatility and uncertainty in the world. The current competitive landscape can be defined by one word: disruption.
WEF says the ideas of incremental progress and process optimisations do not work anymore.
WEF acknowledges that practices are necessary but insufficient, and supports the analysis that stakeholders are more engaged today, seeking greater transparency in managing the impact of risk while evaluating leadership's ability to embrace opportunities.
Even success can bring additional downside risks, such as the risk of not being able to fulfil unexpectedly high demand.
Organisations need to be more adaptive to change. They need to think strategically about how to manage the complexity and ambiguity of the world. It is no longer acceptable for organisations to find themselves in a position where unexpected events cause disruption to operations.
WEF encourages intelligence sharing and the development of cyber norms.
Collectively develop, test and implement cutting-edge knowledge and tools to protect against cyberattacks.
Implement capacity-building and training programmes to produce the next generation of cybersecurity professionals and establish a Global Rapid-Reaction Cybersecurity Task Force comprising experts to mitigate the negative impact of cyberattacks.
The Malaysian Association of Standards Users believes MAHB should consider current and future risks that may cause non-compliance, disruption and inefficiency within operations. This is so that MAHB is equipped to face and reduce the turnover time for unexpected situations without affecting airport functionality.
The association prescribes two international standards that may inspire changes in MAHB’s risk management initiatives and prevent new incidents — the ISO 27000 series of standards and ISO 31000 Risk Management — which can improve its ability to reduce risks to as low as reasonably possible.
SARAL JAMES MANIAM
Secretary-general, Malaysian Association of Standards Users