BookFlowGo: ISO 27001 and the Human Firewall
Why It Matters More Than Ever
Most security incidents don’t start with elite hackers launching zero-days from a dark room. They begin with Keith. Or Karen. Or whoever clicked the dodgy link, left the test environment wide open or emailed a full export of customer data to someone they thought ‘probably needed it.’
At BookFlowGo, I call it ‘the meat in the chair’; the well-meaning human sitting between the keyboard and the floor.
You can patch servers and upgrade firewalls. However, until you sort out the people (or the meat in the chair), you remain vulnerable.
And that vulnerability grows exponentially in environments like airports, not because of any single individual, but due to the sheer number of systems, vendors, contractors and frontline staff involved. When dozens of organisations are interlinked across baggage systems, check-in kiosks, booking platforms and car park barriers, it only takes one misstep – one weak link – to create significant disruption.
A single breach can disrupt critical services, delay thousands of passengers or expose sensitive information. From baggage handling to access control and parking systems, modern airports rely on data moving securely between systems and suppliers every second of the day.
Critical infrastructure isn’t just ATC
Airports are complex, interconnected beasts. Everyone thinks of air traffic control (ATC), radar systems and secure zones, and rightly so. But what about parking systems? Or license plate recognition? Or the integration between booking platforms and access barriers?
Attackers don’t care if it’s a glossy bit of infrastructure or a quiet little back-office API. They’ll hit the soft underbelly every time.
In March 2025, Kuala Lumpur International Airport (KLIA) was hit by a ransomware attack that rendered flight information displays, check-in systems and baggage handling systems offline for more than 10 hours. Staff resorted to manual backups, whiteboards and paper logs while attackers demanded a US$10 million ransom, which Malaysia’s Prime Minister publicly rejected.
The ransomware gang Qilin claimed responsibility, stating that they had stolen approximately 2 TB of airport data. Although KLIA hasn’t publicised the exact breach method, reporting on Qilin makes it clear that they typically gain access via phishing against supplier or contractor accounts, rather than exploiting firewalls or zero-day flaws.
This likely wasn’t a firewall failure. It wasn’t a zero-day exploit. It was a lapse in human and supplier vigilance.
People still drive data breaches
The UK’s Information Commissioner’s Office (ICO) regularly reports that the most common causes of reported data breaches are human mistakes: misaddressed emails, unauthorised disclosures and BCC failures.
A 2019 freedom of information request revealed that 88% of data breaches were due to human error. A later analysis of 2021 data still placed that figure near 80%. Globally, the Verizon Data Breach Investigations Report (2023) found that 74% of breaches involved the human element: credential misuse, errors or social engineering.
It’s not usually some criminal mastermind exploiting a system flaw. It’s someone emailing a spreadsheet to the wrong Sarah.
Yes, it really was people.
Those recent UK retail incidents? They weren’t exotic state-sponsored attacks. They were social engineering. Password resets. Help desk impersonation. Old tricks, new targets.
Example 1: In April 2025, a major UK retailer confirmed that attackers gained access through its IT helpdesk. The result? A data breach affecting 6.5 million members’ names, addresses and contact details.
Example 2: Around the same time, another major high-street retailer experienced issues with contactless payments across its stores, resulting in the halt of online orders. The cause? A third-party IT provider was socially engineered, resulting in internal access and the theft of customer data.
These weren’t high-tech breaches; they were trust failures. And they could have been prevented.
That’s why we treat ISO 27001:2022 not as a badge but as a blueprint. It gives our teams, from engineers to our frontline service desk, the language, permission and backing to ask:
“Hang on… why do you need that data?”
“Who’s authorised to see this?”
“Is this even the right thing to be asking for?”
Or simply “Why?”
That one word, backed by process, awareness and ISO, often uncovers the real issue: maybe it’s a reporting gap. Maybe it’s a training need. But it’s rarely a genuine need for all the data.
We don’t ‘just do it’; we get to the root cause and solve the actual problem. Because ‘just doing it’ is how things go wrong.
So… what is ISO 27001?
It’s not just a shiny certificate to frame on the wall, though we hung ours with pride. It’s an internationally recognised standard for managing information security.
Think of it as a blueprint for:
- Identifying risks before they become problems.
- Putting controls in place that work.
- Training people to spot issues, not just react to them.
- Learning from near-misses, incidents and even daft mistakes.
It covers everything from how access is granted to what gets logged to what you do when something inevitably goes wrong.
In short, it tells your customers that you’ve thought this through. That you’ve got the right processes, the right mindset and the right team to keep their data safe. So that when you say ‘we take security seriously,’ you can prove it.
Security-first culture is a choice
Our ParkIT systems are part of the wider airport infrastructure, which means we have a responsibility to treat data with utmost care.
Our principle is simple: If we don’t need it, we don’t keep it.
- We only collect personally identifiable information when necessary.
- Where data is involved, maximum care is applied.
- We deny access by default.
- Privacy and security are considered from the beginning of development, not tacked on later.
ISO 27001 gives us the structure to validate, challenge and improve how we do it.
Security isn’t a blocker. If something doesn’t meet our standards for data protection or information security, we find an alternative solution. There’s always another way.
Final thought: Are your vendors this fussy?
If you’re an airport, think about every vendor connected to your ecosystem…
Would they challenge a dodgy request?
Would they know how to respond if something went wrong?
Would they even recognise a problem before it happened?
We’re proud to say that we do. Because ISO 27001 isn’t just a PDF on the shelf. It’s baked into how we think, how we operate and how we protect the people we serve.
If your vendors aren’t asking these questions, perhaps you should.
Ready to work with vendors who take security as seriously as you do? Get in touch.
About BookFlowGo
Drive more revenue from parking and ancillaries with BookFlowGo, the tailored airport solution for smarter bookings, seamless operations and standout customer experiences.
At BookFlowGo, we bring together the best in pre-booking, parking logistics and hardware innovation to help airports, cities and mobility hubs run smarter, more efficient parking operations.
We’re the power behind seamless parking. Whether it’s maximising revenue, optimising capacity or making parking effortless for travellers, we’ve got it covered. Our platform combines the expertise of Parkspace, ParkIT and Future Generation Services (FGS) to create a fully connected parking ecosystem that works better for operators and passengers alike.