WP_Post Object
(
[ID] => 136145
[post_author] => 34
[post_date] => 2025-12-15 09:00:35
[post_date_gmt] => 2025-12-15 09:00:35
[post_content] => IO’s latest State of Information Security Report highlights a sector that is structurally exposed and acutely aware of it. Transport and travel organisations sit at the intersection of physical infrastructure, digital platforms and tightly coupled supply chains. When something goes wrong, the impact is immediate and highly visible, from grounded fleets and halted production to stranded customers and cascading supplier disruption.
This year’s findings show security leaders in transport and travel working to keep pace with AI-driven threats, regulatory acceleration and supply chain fragility, while contending with budget constraints, skills shortages and uneven board engagement.
Our respondents included senior cyber and information security leaders across the UK and US transport and travel ecosystem. Their responses reveal where the pressure is most acute, how incidents are playing out in practice, and where the sector is focusing to build resilience.
Below, we unpack 11 key statistics every transport and travel leader should understand from this year’s Report.
Key Information Security Statistics for the Transport & Travel Sector
- 57% say the nature of the transport and travel industry makes it particularly difficult to implement effective information security measures.
- 46% say senior leadership still treats information security compliance as an afterthought – despite 86% having a clear security strategy and 89% backing board-level responsibility.
- Budget constraints are the most cited challenge (48%), while 34% struggle with an information security skills gap and 33% with staff turnover and retention.
- 44% say lack of employee awareness is a key challenge, with common mistakes including phishing clicks (29%), shadow IT (26%) and insecure use of personal devices (23%).
- Over 74% of transport and travel organisations reported suffering from security incidents in the last 12 months.
- 54% report receiving at least one fine for a data breach or data protection violation in the past year, with the majority costing between £101,000 and £250,000.
- 37% have been impacted by a third-party or vendor-related incident in the last 12 months – 17% multiple times and 20% once.
- 77% have adopted new technologies such as AI, machine learning or blockchain – but 54% say they adopted AI too quickly, and 33% report tasks being replaced by AI without human compliance checks.
- 94% feel prepared for AI-generated phishing and spoofing, and 89% for deepfakes and AI-driven malware – yet 20% still report unsanctioned employee use of GenAI tools.
- 40% say they struggle to determine which security processes can be safely automated.
- 46% cite streamlined security infrastructure as their strongest ROI from information security efforts, followed by better business decisions (43%), greater investor appeal (40%) and increased sales or new opportunities (37%).
Third-Party and Supply Chain Security
Few industries feel the impact of supply chain disruption as sharply as transport and travel. The Jaguar Land Rover (JLR) cyberattack made that clear: a single incident halted production, suspended IT systems and sent a shock rippling across thousands of suppliers and local economies.
Our data shows this is not an outlier. More than a third of organisations have been hit by third-party incidents in the last year. Where these occur, the consequences extend beyond the original entry point: data theft affecting customers, employees or partners is common, as are unplanned financial costs, supply chain delays, temporary outages and, in some cases, the loss of key partnerships or contracts.
Supplier expectations are tightening in response. Many organisations now require ISO 27001, ISO 27701 and/or ISO 42001 from partners, alongside frameworks such as Cyber Essentials, SOC 2, NIST and regulations like NIS 2 and TISAX. Only a small minority require no security standards at all.
Spending plans reinforce this shift. Almost half plan to increase investment in supply chain and third-party security over the next 12 months, with none planning cuts. The direction of travel is away from one-off questionnaires and point-in-time audits towards continuous, structured and evidence-based supplier oversight, aligned with the same frameworks and reporting used internally.
The Changing Threat Landscape
The incident picture for transport and travel is broad and persistent. Traditional threats (phishing, malware and network intrusions) remain entrenched. Around a third of organisations report phishing or vishing incidents and nearly as many report malware infections. Smaller but significant shares report ransomware, DDoS, IoT/mobile breaches, AI data poisoning, deepfakes and supply chain compromise.
Data breaches are not abstract. Customer, employee, financial, research, product and IP data have all been compromised in meaningful numbers. For personally identifiable information in particular, the consequences are severe: most affected organisations report regulatory fines, and half say PII breaches contributed to business closure or a strategic pivot.
Overlaying this is an evolving AI-driven threat landscape. AI-generated phishing is now the top emerging concern, followed by misinformation and disinformation, deepfake impersonation in virtual meetings and shadow AI. Supply chain compromise and ransomware still feature, but the centre of gravity has shifted towards attacks that use AI to scale and personalise traditional techniques.
The risk is not only the sophistication of these attacks, but the operational reality that small lapses at a contractor, logistics partner or niche software provider can quickly cascade through interconnected networks.
Skills, Burnout and Operational Overload
The Report also highlights a sector under sustained operational pressure. Budget constraints sit alongside a persistent skills gap and difficulty retaining staff. Even where burnout is not explicitly reported, expanding responsibilities, new technologies, new regulations and complex supply chains make capacity a constant concern.
This pressure extends beyond specialist roles. Teams are wrestling with tool sprawl, overlapping dashboards and inconsistent workflows. Many plan to prioritise consolidation, and a significant share struggle to decide which processes can safely be automated. Too many tools, not enough integration and uncertainty about automation boundaries make it harder to maintain a single, trusted view of risk and compliance.
In a time- and safety-critical environment, this lack of coherence can translate into monitoring gaps, incomplete evidence and heavy reliance on individual expertise. Over time, that is not a sustainable operating model.
Regulatory Pressure and Compliance Complexity
Regulatory expectations around data protection, AI governance, operational resilience and supply chain security are tightening. Six in ten transport and travel leaders say the pace and volume of change make it difficult to stay compliant.
Yet capability is uneven. Around a third feel fully equipped to manage frameworks and regulations such as GDPR, NIS 2 and DORA in-house, and another third feel mostly equipped but still rely on external help. The remainder report gaps in time, specialist skill sets or board support.
The outcomes bear this out: more than half of organisations in the sector have received data protection fines in the past year, many at six-figure levels.
When compliance is executed well, the benefits are clear. Leaders highlight streamlined infrastructure, better decision-making, stronger investor appeal, enhanced reputation and new commercial opportunities as tangible returns. The data supports a shift in mindset: for many organisations, compliance is becoming a route to disciplined growth and resilience rather than a reactive response to regulators.
Employee Behaviour and Internal Risks
Security culture remains a recurring weak point. Although some organisations report no common employee mistakes, many others see a consistent pattern: phishing clicks, use of public Wi-Fi for work, shadow IT, unmanaged personal devices and unsecured file-sharing. Non-compliance with regulations and weak password practices also feature.
These behaviours are particularly risky in transport and travel, where staff may have access to operational systems, customer data, logistics platforms or supplier portals. When processes are unclear, cumbersome or fragmented across multiple tools, employees naturally gravitate towards workarounds that feel faster, even if that introduces new risk.
The challenge for security leaders is not only awareness training but designing and enforcing processes that make the secure route the default, embedded into the systems people already use.
Leadership and Strategic Direction
There are encouraging signs that security is moving up the agenda. Most organisations report having a clear, well-communicated security strategy, and nearly nine in ten agree that every business should have someone responsible for information security at board level.
However, almost half of respondents still feel their senior leadership treats compliance as an afterthought. This misalignment matters. Where leadership signals are mixed, teams must reconcile ambitious security and compliance goals with limited budget and capacity.
In a sector where operational risk is tightly linked to safety, service continuity and brand trust, those best placed to succeed will be the organisations whose boards treat information security as a core business dependency, not a box-ticking exercise.
Staying Ahead Through Structured Resilience
The transport and travel sector is navigating global supply chains, AI-enabled threats, tightening regulation and constrained internal capacity. Yet the direction of travel is clear. Organisations are increasing investment in AI defences, incident response, supply chain security and compliance. They are planning tool consolidation, strengthening supplier requirements and formalising governance.
The common thread across this year’s findings is that manual, fragmented and person-dependent approaches are reaching their limits. The organisations best positioned for the next 12 months will be those that adopt integrated, repeatable systems for managing security and compliance, bringing together people, processes, controls and supplier data into a single operating model.
By doing so, transport and travel organisations can reduce risk, improve their ability to absorb and recover from incidents, and build a more stable foundation for the innovation and connectivity their customers now expect as standard.
Read the full State of Information Security Report.
[post_title] => State of Information Security Report: 11 Key Statistics and Trends for the Travel and Transport Industry
[post_excerpt] =>
[post_status] => publish
[comment_status] => closed
[ping_status] => open
[post_password] =>
[post_name] => state-of-information-security-report-11-key-statistics-and-trends-for-the-travel-and-transport-industry
[to_ping] =>
[pinged] =>
[post_modified] => 2025-12-15 08:12:18
[post_modified_gmt] => 2025-12-15 08:12:18
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.isms.online/?p=136145
[menu_order] => 0
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)