Special Report: The cyber challenge
October 4, 2016
Sports clubs and brands have spent a lot of money beefing up their security in order to secure their assets. However, as in many other industries, cyber security can occasionally be overlooked.
A special iSportconnect report found that for some in the sports industry, there is still some work to do to prepare for a cyber attack, especially as hackers become more sophisticated in the way that they are able to access systems.
Phill Everson, a partner at Deloitte who leads its Cyber Risk Services unit in the UK, assessed the risks brands and clubs could potentially be exposing themselves to:
“Many companies have been buying technology and establishing security measures to prevent attacks, but unfortunately that is not always enough. No longer risks, these are now obvious threats and criminals will continue to target organisations with great consequence. The challenge now is the difficulty at which companies can implement the necessary security to keep out attackers, even after they are in.”
Both WADA and, more recently, the International Paralympic Committee, have experienced a breach of security resulting in the leakage of athletes’ personal medical records and website outage, respectively.
Everson and his team at Deloitte know a thing or two about cyber security. Part of their work is to conduct ethical hacking, known as “penetration testing”, to ensure the security of clients’ systems is up to scratch. They ‘attack’ to CBEST standards – which represent the highest benchmark of hacking capability that businesses are expected to withstand.
While sports organisations may not obviously need the level of protection other organisations do, as Everson points out, anyone could be a target.
“There is a lack of understanding amongst some organisations on the danger,” said Everson. “This is across industries, but a sports club may think that they are just in sport and not a target for cyber criminals. Unfortunately this is not the case. More can always be done as the cyber threat evolves.”
Some clubs and brands may be thinking that a successful malicious attack may be nothing more than a temporary outage that can be fixed by a change of passwords.
However, many hackers will seek to remain hidden, potentially staying in the system for months and siphoning off confidential data in that time.
“The duration of a breach can be as much as one hundred days, or more,” explained Everson. “You need a whole set of monitoring and intrusion detection tools to detect a breach, which can take shape in many forms.
“For example, a club can be commercially attacked, with the e-shop or ticketing system targeted. Likewise, you could also see their reputation attacked, whether it is a denial of service, or changing the website home page. You could even see a breach that changes what is displayed on screens during a game. It may be a case that they simply want information. All are possibilities.”
A few years ago there were only a handful of people armed with the skill to breach almost any system. Sadly, that is no longer the case, explained Everson.
“What was once known to the few, is now known to the many. Attackers may not necessarily be focussed on a sport business, but what is certain is that attacks are increasing, both in number and significance.”
This is clearly a serious issue that clubs need to be aware of, however unlikely the perceived threat:
“It would be prudent to think about the assets on your system and those that are most valuable,” continued Everson. “It may be obvious, but there may be less obvious ones, too. What would be the consequence if you were denied access to them, or they were changed without your knowledge, or broadcast to your competitors? What protection should you put on those assets? These are key questions to think through. Of course, attackers only need to be lucky once.”
Everson had this to say for those organisations that are worried about their level of cyber security:
“Make sure you have ways of checking and verifying a breach. Have a plan prepared and rehearsed with the right people. These are things you don’t want to be working out for the first time in reaction to a breach. An external cyber security service provider can run checks for breaches and can quickly begin managing your key information from the inside.”
The thought of your important information being available to the highest bidder would cause many CEOs sleepless nights. However, many in the sports industry are recognising the real threat that cyber breaches pose and approaching their electronic infrastructure with the same level of scrutiny as they apply to keeping stadia, events and staff safe every week.