I was going to be click-baity and title this post, “what incident response taught me about mixing up airports”, but honestly, looking at LinkedIn these days, I think the humour would be lost. I’d end up with 50 new followers (75 if I ended the post with the word, “Agree?”).
Let me walk you through the timeline.
Initial Detection (23:00 hours)
My last night in Aarhus and just before sleeping I thought I’d do a final check on my 6am flight.
Turns out my 6am flight wasn’t departing from Aarhus. It was leaving from Billund. That’s the difference between Heathrow and Gatwick, except I presume with more Vikings.
I felt that sudden wave of mild panic wash over me. My airport was about 80km further than anticipated.
Threat Assessment (23:05 hours)
Google Maps at 3am has the emotional range of Jared Leto in Morbius. “No transport options available.” Brilliant. Cheers for that.
Uber? Two hundred quid. That’s roughly what I paid for the return flight in the first place. I could almost hear the invoice making its way to finance, complete with accompanying violin music. I imagined the email. “Dear Finance Team, regarding my recent expense claim for £200 to travel 80km…”
Risk vs Reward Calculation (23:15 hours)
I began mentally weighing up my options. Miss the flight entirely? Catastrophic. Take the expensive Uber? Financially catastrophic. Sleep on it and hope? Operationally catastrophic because I had a webinar the next day.
Then there’s the ostrich option… ignore it, do nothing and see what happens in the morning. Maybe if I go to reception at 3am asking the receptionist loudly what the best way to get to Billund airport is, someone nearby would hear this exchange and say that they too are heading to Billund and offer me a lift. When their car would arrive I’d see it was a limousine and I’d realise the person offering me the lift was a CEO, or a self-made millionaire, or someone otherwise important, like a TikTok influencer. We would become friends along the journey, they would ask me about my job and I would tell them about my work in cybersecurity and they would admire what I do and then tell me in confidence that they had an incurable illness and had no children so wanted to leave their entire estate to me.
The “maybe it’ll be fine” approach is essentially the same strategy that leads to most security breaches.
Incident Response (02:00 hours)
Woke up at 2am and did one final check on Google Maps to suddenly discover an airport bus.
This is the security equivalent of finding an unpatched server that shouldn’t exist but somehow solves your entire problem. It was only because it was unpatched that it remained immune from the latest virus… and from that we were able to rebuild our entire active directory and save shareholder value!
I got ready as quickly as I could and ran through the hotel lobby, thinking I could just yell at reception “I’ve got a bus to catch for Billund airport and I’m terribly late, just email me my invoice,” in the hopes that a dying billionaire would be around. Unfortunately, the whole reception area was bare and I had to self checkout.
I legged it. Proper legged it and made it onto the bus with the kind of timing that would make incident response teams weep with envy. It was perfectly synchronised, I walked up to the bus stop as the last of the passengers were getting on. Tapped my payment card and found a seat… a few rows behind me, I heard a couple exchange some words in Danish. I’m pretty sure one said to the other, “OMG that’s Jason Bourne!”
Recovery Phase (03:30 hours)
Now I’m on a bus for ninety minutes. It cost twenty quid. The crisis has been averted through a combination of last-minute detection, rapid response, and the Danish public transport system being inexplicably functional at 3am.
The equivalent cyber press release would say something like, “We detected the intrusion in real time and executed our incident response playbook flawlessly.”
Conveniently, the press releases never mention the bit where you nearly paid ten times the cost because you didn’t check at the right moment. Or the part where your entire recovery plan depended on a bus that may or may not exist according to an app that changed its mind three times.
Lessons Learned
I was going to draw a whole bunch of incident response analogies here. But in reality the entire episode was preventable if I’d just checked the details earlier. But I didn’t. I made assumptions, because it’s always worked that way before.
I made my connection in Amsterdam. The webinar happened. Finance will have questions about my expense report that I don’t have good answers for.
But I caught the bus.
Sometimes that’s all incident response really is.
