Rob, tell us a bit more about yourself, your route into the industry and your career, and what wisdom you'll be sharing at the conference.
I'm Rob Shapland, and I run Cyonic, a consultancy focused on social engineering, training and tabletop cyber exercises. I've been an ethical hacker for the last 18 years.
My main niche is infiltrating companies' head offices, and then stealing information or planting devices into the network, to test both their physical and cyber security together. I then record it all on hidden cameras and use it in really fun and engaging face-to-face cyber training.
ITT conference 2026
The 2026 ITT conference will take place over 8-10 June at the Higueron Hotel Malaga on the Costa del Sol, with TTG serving as media partner.
Besides bringing together a diverse line-up of industry leaders and thought-provoking keynote speakers, the conference creates valuable networking opportunities for industry professionals and new entrants.
Registration is open for member and non-member delegates, and there are also sponsorship opportunities available.
Baroness Ayesha Hazarika will return as conference moderator, and she will be joined by speakers from across the agency, tour operator, destination and technology sectors, and beyond.
I started off as an intern many years ago, and worked my way up learning all the technical hacking techniques, then began to specialise in Red Teaming and social engineering.
During my session at ITT, I'll be talking about how I plan and execute the combined physical and cyber attacks against companies, telling a story of a company that I successfully infiltrated. I'll then share some top tips to help delegates protect their businesses.
What are the main cybersecurity threats in 2026? Do businesses really know the current risks that are out there?
There are two primary threats that are used in most attacks. Social engineering, whether it be via email phishing, text messages, LinkedIn or even phone calls, is increasing rapidly, especially with the rise in sophistication of deepfakes and voice cloning.
The second is vulnerability exploitation, because systems aren't patched fast enough in the real world and AI tools are being used (and misused) to help criminals rapidly identify and exploit vulnerabilities before they can be patched.
Both of these then often lead to ransomware attacks, which is the primary way for most criminals to convert the access they have gained into financial reward. I have worked with travel clients, who tend to be just as vulnerable to these two most common attack methods as other industries.
Cyber incidents can come down to a single lapse by a single individual in a massive organisation, and can be fatal for businesses – how can travel firms teach and practise good cybersecurity?
It's a huge challenge, as it only takes one person to be fooled into opening a malicious link or attachment, or letting a social engineer into the building. My firm belief is that firms rely too much on e-learning as the primary (and usually only) method to raise cyber security awareness.
The problem is, we've all done training like that and we know we pay very little attention to it – we'll usually be doing something else at the same time, and very quickly forget what we learned.
I believe training should be run by a trainer in real-time, be engaging and entertaining and use real-life examples people relate to at home and at work. This also provides an opportunity for staff to share their own experiences and ask questions if there's anything they don't understand.
I think comparing this sort of training to e-learning is like night and day, and really helps protect the human element in our cybersecurity defences.
Cyber criminals often thrive at times of crisis, and the world is in an unstable place right now. Is this a particularly risky time?
Absolutely. Global instability creates more opportunities for hackers. Keeping up with the tactics and techniques used by the criminals in impossible – you have to specialise in certain areas and keep up as best you can in others.
However, it can be easy to over-emphasise the sophistication of the criminal groups – in the vast majority of cases, they target the low-hanging fruit, such as unpatched technical vulnerabilities, weak passwords and poor security awareness training for staff.
It's not so much that governments, regulators and big business are hugely behind, it's that they have a huge attack surface to protect, and it only takes one chink in the armour for the attackers to get through.
Are there any trends you foresee taking shape over the coming months or years in the cybersecurity, or existing ones you expect to peak? And how positive do you feel about travel's ability to fight off any threats and protect itself?
I see extensive use of AI by cybercriminals in the coming months, primarily in two main forms. Firstly, automating the discovery and exploitation of vulnerabilities, as we're already seeing with tools such as Mythos, is going to advance rapidly.
This means that organisations have to adapt fast to patch and remediate issues at a much, much greater pace than before. The ability for large travel firms to adapt to this will only be possible if they start the process right now.
The second use of AI I see growing massively is deepfake video and voice cloning in social engineering attacks. We're seeing some criminal groups start to incorporate it, but there's limited use so far.
It's such a powerful tool if you're trying to fool someone into doing a money transfer, I can only see its use growing. This will require travel firms to provide much more relevant cyber training to their staff to protect against it.
