The sports sector has been urged to tighten its cyber security after a range of attacks by hackers, including an attempt to sabotage a Premier League transfer deal. The UK’s National Cyber Security Centre (NCSC) has published its first ever report on threats to the sports industry, and it is worrying reading for those in the sector - at least 70% of institutions suffer a cyber incident every 12 months, more than double the average for UK businesses.
It is easy to see why sports organisations are attractive targets for cyber criminals given their public profile and financial muscle, and like most of the UK economy, sports organisations are highly reliant on digital technology. For example, a Premier League football club will have a strong online presence, hold large amounts of sensitive personal data about both customers and employees, process millions of financial transactions online every year and play in a stadium with networked security systems controlling essential functions such as turnstiles and security cameras.
The NCSC’s report highlights the key issues that affect the sports sector along with practical measures to stop, or at least reduce, the impact of cyber attacks. According to survey evidence:
● at least 70% of sports organisations surveyed have experienced a cyber incident or harmful cyber activity, compared to 32% across general UK business, and 30% of organisations recorded over 5 incidents in the last 12 months; and
● approximately 30% of incidents resulted in direct financial damage, at an average cost of more than £10k per incident. The biggest single reported loss was over £4m.
The primary cyber threat to sports organisations comes from cyber criminals with a financial motive. While the method of attack varies greatly, the report identifies three trends:
1) Business Email Compromise (BEC):
BEC, where cyber attackers gain unauthorised access to email accounts, was identified as the most common outcome of cyber attacks in this sector. In one incident a Premier League club almost lost £1m when cyber criminals were able to gain access to the Managing Director’s Office 365 credentials and re-directed a transfer payment to their bank account (fortunately the transaction was blocked by the club’s bank).
2) Cyber-enabled fraud:
Existing crimes such as fraud can be facilitated to a greater extent by cyber technology. A member of staff at a UK racecourse lost more than £15k after attempting to buy grounds-keeping equipment from a fake version of eBay.
3) Ransomware:
Ransomware is a significant issue in the sector. An English Football League club suffered a ransomware attack which prevented them from accessing email accounts and rendered stadium CCTV and turnstiles non-operational, costing them several hundred thousand pounds from lost income and remediation.
While cyber crime may be on the rise there are a number of practical measures that can be taken to reduce the risks. The NCSC highlights the following areas for review:
● Email security:
Good email technical controls are not routinely applied in the sports sector. Implementing measures such as anti-spoofing and multi-factor authentication can significantly reduce cyber risk.
● Staff empowerment:
Staff are an essential line of defence and it is important to train people to recognise and report suspicious activity. Less than half of sports organisations provide staff training on cyber security. We regularly provide cyber training to clients at both board and management level, which can then be flowed down the organisation.
● Cyber risk management:
Survey results indicate that organisations would benefit from a holistic approach to risk management, looking beyond compliance (e.g. beyond GDPR) to ensure all cyber risks are considered across the IT estate, especially given the complexity of many sports organisations. In our experience, cyber should be managed as a broad, enterprise-wide corporate governance risk, not merely as a technology (or GDPR) risk.
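The anti-spoofing controls mentioned under "Email security" above are, in practice, the SPF and DMARC TXT records published in a domain's DNS. The following is an added example, not part of the NCSC report or of this article, showing how an IT team can check whether those records are actually enforcing anything: a "+all" SPF terminator or a DMARC policy of p=none lets spoofed mail through even though a record exists. The domain names and records are constructed for illustration and are not real DNS data.

```python
"""Assess SPF and DMARC records for settings that leave a domain open to spoofing."""
import re

# Constructed sample records for hypothetical domains; not real DNS data.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.mailer.test a mx +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "strong": {
        "spf": "v=spf1 include:_spf.mailer.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@club.test; adkim=s; aspf=s",
    },
}

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a[:/]|a$|mx[:/]|mx$|ptr|exists:|redirect=)")


def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses found in an SPF record (empty list means no issues)."""
    findings = []
    if not record:
        return ["SPF: no record published, so any host can send as the domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1 and will be ignored by receivers"]
    # The 'all' mechanism decides what happens to senders matched by nothing else.
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None or all_term.startswith("+") or all_term.lower() == "all":
        findings.append("SPF: missing or '+all' terminator authorises every sender")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' is neutral, so unknown senders are not rejected")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' only soft-fails spoofed mail; '-all' is the stronger choice")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses found in a DMARC record (empty list means no issues)."""
    findings = []
    if not record:
        return ["DMARC: no record published, so SPF/DKIM failures carry no policy"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to junk; p=reject blocks it")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to reveal spoofing")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combine both checks; returns (passes, findings)."""
    findings = assess_spf(spf_record) + assess_dmarc(dmarc_record)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    for name, records in SAMPLE_RECORDS.items():
        passes, findings = assess_domain(records["spf"], records["dmarc"])
        print(f"{name}: {'OK' if passes else 'WEAK'}")
        for finding in findings:
            print("  -", finding)
```

To run this against a live domain, fetch the TXT records at the domain apex and at `_dmarc.<domain>` (for example with `dig TXT`) and pass them to `assess_domain`. The checks deliberately cover only the settings that matter for the spoofing scenario described in the report; DKIM signing, which needs the mail server's configuration rather than DNS alone, is outside its scope.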
This report will be of interest to sports organisations at all levels and its findings and recommendations have a wider application for any company that, due to its profile or finances, becomes a target for cyber attackers.