This week Charlie discusses the lessons learned from threats from within an organisation.
My blog last month was ‘Beware the cuckoo in the nest!’ which talked about the danger of insider threat. On Wednesday I watched the news reports of the Germanwings aircraft crash in the French Alps. As with all similar plane crashes, there was a lot of speculation about what had caused the crash. Was it the age of the plane, pilot error or a catastrophic mechanical failure?
Since then we have found, seemingly, that the crash was caused by the co-pilot locking the pilot out of the flight deck, deliberately turning the altitude of the autopilot to 100ft and allowing the plane to crash into a mountain. The news very quickly turned from why the crash occurred to why the co-pilot deliberately crashed the plane, with the media and German authorities busy searching through his past and questioning anyone who knew him to find out why.
The link with the previous blog is ‘how much should we prepare’ for an insider threat, when an insider uses their knowledge to deliberately override controls to cause harm to themselves and members of the public?
Watching Channel 4 News, it appears that some airlines such as British Airways had already recognised that this was a threat. They have procedures to ensure that there is never one member of the crew left alone in the cockpit. This shows that the insider threat is recognised by some airlines but not by the aviation authorities, as they have not made the ‘never one person alone in the cockpit’ rule mandatory. A number of airlines have now announced that they are going to follow the British Airways procedure.
It is also interesting that the secure cockpit doors, put in to counter the threat of a 9/11-type hijacking, were used to help the co-pilot carry out a similar crime.
As with all accidents, and as mentioned in last week’s blog, this was a threat which had happened numerous times before but was not recognised as a threat by all airlines. Channel 4 News had a list of similar instances over the last few years. This included an incident in 2013 that resembled the Germanwings crash, when a Mozambique Airlines flight was crashed deliberately by one of the pilots, Captain Herminio dos Santos Fernandes, after he had locked the other pilot out of the cockpit. The crash resulted in all 33 of the passengers aboard being killed. This deliberate crashing of a public flight had not occurred in Europe before, but had happened elsewhere. I think, for us, the lesson is that we must continuously horizon scan and look at events which have happened elsewhere to see if there are lessons for our organisation and make any necessary changes to our procedures.
After this incident there will be a flurry of activity, with changes made to aviation procedures to make sure that this does not happen again. This leads me to two questions. Firstly, do we ever really learn from incidents, or are new procedures or precautions taken after an incident geared around preventing an incident which has already taken place? Secondly, do organisations do enough to learn from other events, or do we look at events such as the Mozambique air crash and say, for whatever reason, ‘that would never happen here, it is not relevant to us’ and ignore the lessons?