Cyber risk is business risk: Lessons from the recent airport cyberattack

Co-authored by Dr Rois Ni Thuama.

International airports across Europe faced major disruption recently after a cyberattack on MUSE, the Collins Aerospace check-in and boarding platform used by multiple airlines. Heathrow, Brussels, and Berlin all reported an impact, with electronic check-in and bag drop affected, and manual workarounds invoked.

The Dutch Cyber Security Council captured it best: Cyber risk is business risk. This is not an isolated InfoSec incident - it is a business continuity, customer trust, legal, and governance event.

In this blog, we combine law and governance (Rois) and architecture and resilience (Kathleen) to provide business leaders with clear, actionable insight. The point: Cross-disciplinary effort produces sharper decisions and better outcomes.

The governance angle

Directors globally share a common obligation: To act in good faith for the company's benefit. The wording differs by jurisdiction, but the substance is consistent:

• UK: Duty to promote the success of the company and exercise reasonable care, skill, and diligence. (Companies Act 2006 s.172 and s.174)
• Ireland: Duty to act in good faith in what the director considers to be the interests of the company (Companies Act 2014, s.228).
• U.S. (Delaware): Fiduciary duties of care and loyalty - acting in the best interests of the corporation and its shareholders.
• Germany: Duty to apply the care of a prudent and conscientious manager and act in the best interests of the company. Section 93, Stock Corporation Act (AktG)

This common approach means directors can operate across borders with a sound understanding of their obligations. Their knowledge is transferable, lowering the cost of compliance and avoiding the need for constant retraining.

The UK Corporate Governance Code 2024 reinforces this with Principle A:

A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society. The board should ensure that the necessary resources, policies and practices are in place for the company to meet its objectives and measure performance against them.

And Principle B adds:

The board should ensure that workforce policies and practices are consistent with the company's values and support its long-term sustainable success.

Principles define the substance - what good governance is meant to achieve. Provisions show the form - how boards can demonstrate it. For example, Provision 1 requires boards to explain in their annual report how opportunities and risks to success have been considered, and Provision 2 requires monitoring of culture and corrective action if behaviours are misaligned.

In practice, directors cannot escape three obligations:

1. Adopt a business-first approach. What is the core proposition of the company? What are its values and strategy?
2. Make informed decisions. Seek and use credible technical insight - don't ignore expertise. Ensure decisions align with business risk appetite, with a full understanding of today's risk.
3. Understand what is critical. What must keep running for the company to keep trading?

For airlines, the core proposition is clear: They sell air travel. Everything else - ticketing, check-in, baggage handling, air traffic coordination, customer service - is in service of that proposition. Anything that undermines, disrupts, or delays delivery of that proposition is a business risk.

Your core proposition is your business. If you can't keep delivering it, nothing else matters. Just ask JLR.

The technical angle - architecture is destiny

From a technical perspective, it is difficult to justify that failures of this kind are still occurring. One of the most basic principles of system design is to eliminate single points of failure. It's engineering 101.

We know this works. Isolation matters. In the CrowdStrike outage, American Airlines fared far better than Delta because platform choices and zero-trust points of isolation limited the blast radius. The same lesson applies here: When systems are decoupled, disruption doesn't cascade. When they are not, one fault becomes everyone's fault.

• Avoid common-mode outages. A shared platform like MUSE is convenient until it fails. Even if airports share infrastructure, each airline should be able to keep operating - local check-in against a cached manifest, independent authentication, and alternative kiosk paths.
• Air-gap critical flows. Internet-facing purchase systems should be decoupled from day-of-travel check-in. Purchased tickets should be synced locally so manual or kiosk check-in remains possible if external systems are down.
• Plan the passenger experience. Encourage customers to check in 24 hours early and save or print boarding passes. Small steps reduce pressure when systems wobble. If external purchasing is impacted, local check-in that is decoupled could continue working.

What business leaders should do

Viewed through a business lens, the combined obligations are clear:

• Clarity on the proposition. What exactly are you there to deliver - air travel, banking, energy, healthcare?
• Identification of critical enablers. Which systems, suppliers, and processes are indispensable every day?
• Recognition of concentration risk. Where are the chokepoints, and what's the fallback if they fail?
• Commitment to resilience. Test and prove the workarounds that allow delivery even under stress.

Bottom line

Cyber is not an IT problem. It's a business risk requiring an all-hands, multi-disciplinary approach. Ownership sits with the board, not just InfoSec. Resilience is not a 'better way', resilience is the outcome. To get to resilient, it requires clear duties, informed decisions, smart design, and rehearsed responses. Do those well, and resilience follows.

Kathleen Moriarty is the Founder of SecurityBiaS, a Technology Strategist, CTO, Board Member, Keynote Speaker, Author, CISO, and former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy.

Dr Rois Ni Thuama works at the intersection of law, business, and technology, helping leaders make defensible decisions on cyber risk. Creator of RAPID-T™ and co-author of NATO's cybersecurity manual, Rois advises governments, boards, and regulated industries, and teaches cybersecurity to the Irish Defence Forces.

Adapted from the original at SecurityBiaS blog.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.