Manchester Airport Group’s Tony Johnson reveals top threat to the sector – and it might not be what you’d expect

Fight or flight: How one of the UK's busiest airports defends against cyber-attacks

INTERVIEW Hacking an airport conjures mental images of Bruce Willis blockbusters, hijacked planes, and a moody hacker-in-a-hoody wreaking havoc from some undisclosed location.

But in reality, securing the networks of one of the UK’s busiest airports is a little less Hollywood.

“It’s not like it looks in the movies,” Tony Johnson, head of security operations at Manchester Airport Group (MAG), tells The Daily Swig.

“Don’t get me wrong. We get some incredibly sophisticated looking phishing campaigns – you know, some of them land [in my inbox] and even I’m hovering over it because it looks legit and I’m not 100% sure.

“But of the regular kind of day-to-day threats, I guess the biggest one that we see most often is phishing because it’s such an easy win for attackers.

“It’s fully automated, they haven’t got somebody sitting there in a dark basement trying to get into our environment, and it’s an easy one that you can just push across to millions of recipients in a second. So that’s the big one that we’re managing.”

Nearly 30 million passengers travelled through Manchester Airport in 2019Nearly 30 million passengers travelled through Manchester Airport in 2019

As anyone who works in threat prevention will know, protecting against attacks is often easier said than done – especially at a large business or organization.

MAG, which manages Manchester Airport, East Midlands Airport, and London Stanstead Airport, has an estimated 40,000 employees working across these different locations.

MUST READ Making justice secure again: How New Jersey Courts tackled the rush to remote working at the start of the Covid-19 pandemic

To reduce the risk of successful social engineering attacks, the group’s security operations center (SOC) provides what it calls ‘nano training’ – a series of short tutorials – on a monthly basis.

“They are tiny, bite sized, and web-based – it usually takes two minutes to do, and we’re constantly reinforcing everything.

“So that’s thinking before you click, thinking about spam, are you sure this is the person they claim to be, and things like GDPR and data protection.

“It’s that broad spectrum of potential risks to the organization in terms of cyber-attacks.”

Read more of the latest news about phishing attacks

He also reiterates to colleagues: “If you’re not sure, ask.”

Johnson said that although the training is not mandatory, there is strong uptake due to the simplicity of the material.

He said: “I think it was a deliberate decision not to make it mandatory because [when it does], it kind of becomes a bit of a chore.”

The biggest threat to airports is phishing campaigns, says JohnsonThe biggest threat to airports is phishing campaigns, says Johnson

Moving target

In recent years, critical national infrastructure including airports have become an increasingly attractive target for hackers.

While customer data is a potential big earner for cybercriminals, Johnson said that he believes attackers are mainly just trying to gain insight into the organizations’ networks.

“In my opinion, what they’re trying to do is get a foothold,” he said.

“If they get a foothold, they get a handling in your organization, they may never choose to use that. But it’s quite possible that once they’ve got that, the first thing they’ll do is go straight out onto the dark web and see if anybody else has any interest in a foothold in organization X.

“I think that mostly it’s about trying to get that connection. And if we [the SOC] weren’t paying attention, you know, you’d be amazed what they can get away with.”

“It comes down to the fact that we are part of the UK critical national infrastructure and we’re a nice target in terms of, if you can stop planes taking off, you’re going to get on the news,” he said, adding that “getting their name out there” is a big motivator for international cybercrime units.


MAG recently completed the migration all of its cybersecurity operations from external management to in-house control.

Johnson explained that in addition to a cost-saving bonus, the new team has greater visibility over its network and has been able to streamline policies and procedures for the organization.

When asked whether the group planned to undertake such an effort due to reduced traffic levels caused by the coronavirus pandemic, Johnson said the timing was merely accidental.

“It was a coincidence, but it was also a happy coincidence,” he told The Daily Swig.

READ Bad education: Universities struggle to defend against surging cyber-attacks during coronavirus pandemic

They had already decided to move in-house once a deal with the previous third-party provider had come to an end, which happened to coincide with the travel restrictions put in place.

MAG spoke to colleagues at another airport who had worked with security consultants Bridewell, who were brought in to oversee the change.

With the help of Bridewell, MAG implemented new measures and protections including a migration to the Microsoft Security Stack.

Johnson said they “heavily invested” in the software and can now push around 80,000 data events per second.

The organization manages multiple airports across the UKThe organization manages multiple airports across the UK


Luckily, due to the lower volume of foot and air traffic on premises, the move was perhaps smoother than thought.

“Where we had some advantages is things like 200 servers that were going to need a reboot.

“[Before the pandemic] that would have been a logistically really complex process to go through because you’ve got to fit in with passenger flows.

“It may have [previously] taken weeks to organize business downtime.

“The really nice thing is it did mean that we could massively accelerate the program in terms of just getting it deployed.”

YOU MAY LIKE Aaron Portnoy – ‘There’s no silver bullet for ransomware or supply chain attacks’