ISACA: organisations not ready for drone operations
ISACA survey shows 65% of organisations not prepared for security and privacy risks of running drone programs
Most organisations are not prepared for the potential security and privacy risks of operating their own drone programs, according to a new study by IT security industry body ISACA.
A survey of ISACA global membership indicated that 65% of organisations that could benefit from the use of drones are unprepared to address the necessary security and privacy requirements. Only one quarter of respondents believe that the benefits of drone programs outweigh the risks at the present time.
In addition, three quarters of organisations state that security or privacy are the biggest concerns about running their own unmanned aircraft systems (UAS).
ISACA has released a whitepaper, titled Rise of the Drones, which aims to raise awareness among organisations of the requirements of a drone program.
The whitepaper notes that organisations in every sector are rushing to develop the potential of unmanned aircraft systems, for roles including monitoring, inspections and surveys, logistics and deliveries, film making and photography, security and surveillance, maintenance, emergency/civil defence, underground inspections, and pesticide delivery.
In the US, in the nine months since the Federal Aviation Administration (FAA) created a drone registration system, more than 550,000 unmanned aircraft have been registered with the agency. That agency now forecasts there will be more than 1.3 million licensed drone pilots by 2020. Registered users are required to report to the FAA on a monthly basis, covering the number of flights and pilot duty time, and report any malfunctions, deviation from instructions from air traffic controllers and unintended loss of links between the aircraft and remote pilot.
ISACA notes that the complexity of drone operations means that unless an organisation has previous experience managing aviation operations, it is likely unprepared for the regulatory, financial, safety and operational requirements. The ISACA survey found that 63% of organisations don't believe their staff have sufficient expertise to evaluate the security of drones.
Among the considerations for drone programs that may affect their governance by aviation rulings are the weight of the UAS, whether it operates with line of sight control, the expected area of operations - controlled airspace, pilot certification and responsibilities, provision of collision avoidance systems, proper maintenance and inspection programs, and administration of documentation and policies related to the drone program.
The whitepaper warns: "Rushing to implement drone technology without first being properly prepared can result in both a legal and financial disaster. An uncontrolled drone program can also cause significant damage to the organization's reputation."
Among the risks to organisations from either their own drones or third party drones are the potential for breach of perimeter security, potentially for spying on the organisation; the risk of drones being hacked and misused; the possible theft or abuse of data gathered by drones; invasion of privacy of third parties; and the risk of operational failure or some other sort of collision or crash.
The report points out that outsourcing of UAS operations does not relieve the organisation of the risk and responsibilities associated with any wrongdoing in the operation of the UAS.
"Rushing to implement drone technology without first being properly prepared can result in both a legal and financial disaster. An uncontrolled drone program can also cause significant damage to the organisation's reputation," said Albert Marcella, PhD, CISA, CISM, author of the ISACA paper. "However, with the right controls, policies and procedures in place, a drone program can offer significant technical and competitive advantage."