What airport cyberattacks show us about true cyber resilience

As airports across Europe review their cyber resilience strategies, could your business do better?

In September 2025, several European airports were affected by a ransomware attack on a popular software integration, used widely in the airline industry. The attack encrypted the itinerary data of more than 500,000 passengers, rendering the usual check-in process impossible. Flights were grounded and departure halls became congested with people unable to board.

But amid the chaos a curious phenomenon was emerging: some airports were hit much harder by the attacks than others. There were big differences in the severity of flight delays, cancellations and the impact on wider IT infrastructure.

Why are some airports more resilient to cyberattacks than others – and what lessons can businesses take away?
 

Cyber resilience varies wildly – in airports and businesses

Speed of response and preparedness are two key factors in minimising disruption. When check-in software stopped working, some airlines needed to improvise solutions. That meant creating manual processes on the fly and for some, every IT director's nightmare: squeezing the timelines of a technology rollout from months, to right now, and under media scrutiny. 

Other airports fell back on well-practiced routines, with less disruption, due to not relying on a singular software tool to manage check-ins, and having battled comparable disruptions before. 

The impacts on IT infrastructure, and the associated remediation efforts, also varied. At some airports, the only data corrupted was within the third-party check-in software. At others, the technical set up allowed the ransomware to propagate, causing lasting damage to servers. This meant thousands of corrupted computers or needing to rebuild servers from scratch, with no clear timeline for being operational.
 

It's safe to say that levels of cyber resilience vary wildly between airlines and airports. The same can be said of many industry sectors across Europe. With ransomware attacks on the rise, business leaders have a lot to think about. 

Focus on what you control. Plan to be breached

The ubiquity of popular third-party software platforms makes them a lucrative target to hackers. According to Verizon data, published in The Financial Times, the amount of cyberattacks originating via third party tools has doubled in recent years, from 15 to 30%. 

Third-party software integrations greatly increase the amount of potential entry points for attackers, which makes your whole ecosystem incredibly hard to defend, with much it outside your direct control. As some of Europe’s airports found out, your operations are only as strong as your back up plan.

Cyber resilience: the new trending topic in boardrooms?

We surveyed 1,248 IT leaders in France, Germany, Italy and Spain about their experiences of cyberattacks. Our analysis found that between 2020–2025, half of businesses suffered at least one attack costing, on average,  2% of top line revenue. This adds up to a notable dent in GDP. Across France, Germany, Italy and Spain, five-year combined cyber losses are estimated to be €307bn. Additionally, the UK’s estimated combined losses amount to £44bn.

How to reduce attack costs

If a breached business can identify a breach and respond before the criminals have a chance to steal or lock away your data, attack costs are greatly reduced.

Here, we’re able to present some good news. Our analysis of Sophos data reveals a year-on-year uptick in the number of attacks identified and stopped before hackers can encrypt the data. This figure is up from 28% to 43% of attacks. This is positive because response speed is vital. It can mean the difference between a fast, inexpensive system backup or a full server rebuild.

How are your capabilities in this area? Given that breaches are inevitable, if a ransom attack happened to your business, how would it cope?  If you’re not sure, you’re not alone. Of companies who do not have cyber insurance, less than one in five (14%) have access to incident response teams, a critical resource for containing attacks. In contrast, these services are provided as standard as part of the overall cyber insurance package.

The business case for cyber resilience measures

There is a strong financial case for having detection tools and incident response teams in place – and insurance is the most cost-effective way to deliver them. Our research studied cyber incident costs over ten years of data. We compared companies with cyber insurance, and those without. We found that over ten years, standalone cyber insurance delivers an ROI of 19%. It is not merely a safety net to pay costs after the fact – it is actually a driver of better cyber hygiene and fallback planning. Insurance is a huge driver of resilience.

Having worked with countless businesses on cyber insurance and resilience strategies, anecdotally, I have always been aware of the returns available from investing in a cyber policy. Today, I’m glad to say we have the body of data to help quantify it.

To find out more about the financial arguments for cyber insurance, read our report, Rebooting Growth. I’m sure your CFO would be interested, too.

Download the full report here