The business of sports, from the teams to the fans and regulators, is one of the last bastions of poor cybersecurity hygiene, according to a report released today by NCC Group.

Entitled “The Hidden Opponent: Cyber Threats in Sport,” it describes a series of technology failures, a dearth of funding, the lack of cybersecurity leadership, exposure to cyber criminals and the high visibility of potential social media exploits combine to form a tempting and toxic environment that makes a compelling case for better security practice. The report was jointly prepared by direct interviews of sporting business managers by researchers at the University of Oxford in England and the Phoenix Sport and Media Group.

“We’ve seen the sports industry become an increasingly attractive target for cybersecurity attacks over recent years,” Matt Lewis, global head of research at NCC Group, told SiliconANGLE.

There is “a low level of cybersecurity maturity which exists in many sports organizations and is often at odds with the overall high-profile nature of those organizations,” the authors wrote in their report. A good example is a lack of basic security preparedness that would be shocking in other businesses, and a mistaken assumption that antivirus services and firewalls are sufficient to repel most threats. (They aren’t.) Unlike banking or healthcare industries, sporting organizations have no best practice examples or peers to guide their defenses, recommend products and budgets, or have ready metrics to measure their overall progress and security investments.

Staffing, apart from not having chief information security officers or other technical management in most organizations, is another situation. The lack of these staffers was expressed by a sporting club’s information technology manager, who explained that “the dichotomy of an organization that spends millions on just one player, but where a £75,000 annual salary for a skilled cybersecurity professional is too prohibitive.”

The sporting situation is also complicated by the fact that they exist at the top of a very complex supply chain. Organizations in Formula 1 racing, for example, will typically have hundreds if not thousands of third-party suppliers and partners, from manufacturers of nuts and bolts right up to race team sponsors.

Obtaining any visibility into security practice of these supply chains is nearly impossible. Few organizations had any systematic security processes, robust audits of their equipment, policies or procedures, or really checks on anything cyber-related.

Getting an annual phishing simulation exercise seemed like an advanced strategy and about all that any business could muster, according to the report. Many have never engaged in any attack simulations or tabletop threat response exercises, let alone have developed playbooks to guide their response to a ransomware or DDoS attack, for example.

Then there is the trend toward well-connected stadiums that are owned or at least used by the professional sports teams. As more digital technology is installed to make it easier for fans to purchase tickets, buy souvenirs and drinks, and make it easier for the stadium staffs to manage everything from point of sale terminals to video menu displays to automated lighting controls, this means the attack surface envelope is huge. The resulting risks are also enormous –- particularly if these systems aren’t properly segmented and protected and indeed use the same wireless networks that are present in the stadium for fans.

Some of these threats have been investigated over the years by NCC Group, which has “successfully breached various venue physical security controls from electronic bypass of vulnerable door entry controls, through to more socially engineered approaches such as masquerading as tradespeople.”

The report outlines a series of likely potential cyberattacks, ranging from espionage from rival teams to ticket fraud schemes to fixing games’ outcomes. Some of these aren’t specific to sporting-related businesses, such as ransomware, spyware and insider threats.

The authors also catalog six different European data breaches that resulted in fines to teams of up to several thousand euros for violations of GDPR and other privacy laws. “There is often pushback by the board of directors on cybersecurity spend since it’s not easy to visualize or conceptualize exactly what a cybersecurity product or service is doing,” the authors state.

The report concludes with a series of recommended improvements for sporting organizations, along with an outline of a cybersecurity model that can help benchmark their progress. For example, having password and authentication policies, threat response tactics, and appropriate board of directors’ security awareness just to name a few elements. The report also makes recommendations on appropriate cybersecurity spending based on a percentage of annual revenue, which while a good first approximation is another indication of the lack of security maturity in this particular sector.

Photo: Pexels/Pixabay