Cyber Threat to Sports Organisations
The WSA recently attended an event held by the National Cyber Security Centre on the matter of Cyber Threat to Sport Organisations. This very informative (and eye-opening) event highlighted the increasing digital reliance of the sport sector, and how the sector is particularly susceptible to cyber threats.
A survey conducted by the NCSC found that 70% of sport organisations experience at least one cyber attack a year, which is significantly higher than the average across UK businesses. Alarmingly, 30% of those incidents caused direct financial damage, at an average of £10,000 per incident. The threats and consequences of cyber attacks to the sport sector are, it seems, all too real.
Whilst sports organisations are vulnerable to many of the same threats as any business, the NCSC found three attack ‘trends’ that are most prevalent in the sport sector. These are:
- Business Email Compromise (BEC)
This involves attackers seeking to gain access to official business email addresses, which they then use to engineer such things as fraudulent payments or data theft. BEC is one of the fastest growing cybercrime trends, partly due to its ‘low-cost, high-reward’ model, which is very attractive to cyber-criminals.
The rise of BEC has also been facilitated by the increased popularity of Software-as-a-Service solutions, such as Office 365, which offer access to an organisation’s systems from anywhere with a valid username and password. No doubt this has become even more prevalent now with the huge shift towards ‘virtual working’.
- Cyber Enabled Fraud
This is fraud that is enabled by the very existence of cyber technology. Email spoofing is one example: a criminal uses a forged email sender address to convince the recipient that the email comes from a legitimate or familiar source.
Whilst 30% of those surveyed had experienced instances of email spoofing, very few had implemented the three main anti-spoofing controls recommended by the NCSC, namely Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).
- Ransomware
Ransomware is a type of malware that prevents you from accessing your computer (or the data stored on it). Attackers can even gain control over an entire network of devices. The devices and/or data are then effectively held ‘hostage’ whilst the attacker demands payment.
The lack of ‘patching’ strategies, that is, processes for ensuring that devices’ operating systems and software are kept up to date, was identified as a cause for concern. Added to this, the failure of many organisations to back up their data means that the impact of a successful ransomware attack is much greater.
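The three anti-spoofing controls named under Cyber Enabled Fraud above are published as DNS TXT records, and a weak deployment is as common as a missing one. The following added example (not from the NCSC or the WSA) checks constructed SPF, DKIM and DMARC records for a hypothetical domain, flagging a weak deployment beside its corrected counterpart; a real check would fetch the records from DNS, which is deliberately left out so it runs offline.

```python
# Offline checker for the three anti-spoofing controls named in the text:
# SPF, DKIM and DMARC. Records below are constructed for a hypothetical
# domain; a real check would fetch them as DNS TXT records (not done here).
WEAK_RECORDS = {  # constructed: a common weak deployment
    "example-club.org": "v=spf1 include:spf.protection.outlook.com +all",
    "_dmarc.example-club.org": "v=DMARC1; p=none",
    "selector1._domainkey.example-club.org": None,  # no DKIM key published
}
HARDENED_RECORDS = {  # constructed: the corrected counterpart
    "example-club.org": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example-club.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example-club.org",
    "selector1._domainkey.example-club.org": "v=DKIM1; k=rsa; p=MIIBIjANBg...",
}

def check_spf(record):
    """Findings for an SPF TXT record; None means nothing is published."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published, so any server can send as this domain"]
    last = record.split()[-1].lower()  # the closing 'all' term sets the default
    weak = {"all": "'+all' authorises every sending server",
            "+all": "'+all' authorises every sending server",
            "?all": "'?all' (neutral) gives receiving servers no signal",
            "~all": "'~all' (softfail) is weaker than '-all' (fail)"}
    return [f"SPF: {weak[last]}"] if last in weak else []

def check_dkim(record):
    """Findings for the DKIM key record at <selector>._domainkey.<domain>."""
    if not record or "v=dkim1" not in record.lower() or "p=" not in record:
        return ["DKIM: no public key published, so receivers cannot verify signatures"]
    return []

def check_dmarc(record):
    """Findings for the DMARC policy record at _dmarc.<domain>."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no policy published; SPF/DKIM failures are never enforced"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings

def assess(domain, records):
    """Run all three checks for `domain` against a {dns_name: txt} mapping."""
    return (check_spf(records.get(domain))
            + check_dkim(records.get(f"selector1._domainkey.{domain}"))
            + check_dmarc(records.get(f"_dmarc.{domain}")))
```

Running `assess("example-club.org", WEAK_RECORDS)` returns four findings, one per weak or missing control, while the hardened set returns none.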
The NCSC have identified three key areas that sports organisations need to review in their approach to cyber security:
Implementing simple measures such as two-factor authentication and anti-spoofing controls can go a long way towards significantly enhancing email security.
It is also suggested that organisations could reduce the password burden on staff by using technical security controls like blacklisting common passwords and allowing the use of password managers.
Threats such as cyber-enabled fraud are largely driven by social engineering to trick people into making mistakes. Staff are an important line of defence, and it is essential to encourage people to report any suspicious activity they spot.
Whilst staff training and awareness can go a long way in reducing the risk of such mistakes, it should also be recognised that no amount of staff vigilance can completely eliminate all attacks. Organisations should therefore support their teams with appropriate technical and business-focused defences.
Cyber Risk Management
Organisations may benefit from a more holistic approach to Risk Management, looking beyond compliance (e.g. beyond GDPR) to ensure all cyber risks are considered across the IT estate. An over-emphasis on ‘defensive risk management’, i.e. being able to show that you haven’t been negligent, can result in organisations focusing on the wrong things. Whilst compliance is of course important, more effort should be put into identifying and prioritising security measures that will actually make organisations safer.
The NCSC is a fantastic resource for all cyber-related matters. They have a wide range of guidance notes, instructional videos and even a free online cyber security training course for staff. Links to all of these resources can be found on our cyber security page for sport organisations.