The Offside Trap – Cyber Threat in Sport

The latest example of the rising cyber threat in sport came to light in the news last week. A £1 million overseas transfer fee for a Premier League club player came within reach of cyber criminals after the club’s managing director’s email account was compromised: the director unknowingly entered their email credentials into a spoof Office365 login page, giving the hackers direct access to the account. The impostors then used the stolen credentials to initiate a fake deal between the two clubs, which was approved, and only a last-second intervention by the bank, which recognised a fraudulent account, halted the theft of funds.

In the wake of the global pandemic’s disastrous effects on the sports industry, the threat of cyber-attack is higher than ever before. The NCSC has recently reported that 70% of sports institutions have suffered a cyber incident in the last 12 months alone, which is double the average for UK businesses. Around 30% of these recorded over 5 breach attempts during the same period. With financial gain appearing to be the motive for the majority of attacks, and with the sports sector already weakened financially as a result of the pandemic, it’s vital that these organisations equip themselves with the tools to protect against the biggest online threats they face.

The 3 methods of attack used most frequently by cyber criminals are:

  • business email compromise (BEC),
  • cyber-enabled fraud,
  • and ransomware attack.

Perhaps the most memorable example in recent history for us in the UK was the ransomware attack against an English football club, which rendered corporate and security systems useless. It has been assumed that the hackers gained access to the network through either a phishing email or remote access connected to the CCTV system. Because the network was not segmented, they were able to seize control of all of it and demand a £300k ransom from the club. The breach caused turnstiles to stop working, meaning fans were unable to enter or leave the stadium. It nearly caused cancellation of the fixture, which in turn would have resulted in great financial loss to the club.

Approximately 30% of all cyber incidents in the sports sector over the last 12 months have caused direct financial damage to the organisation, costing approximately £10k each time. The largest individual case resulted in a £4 million loss. Over 80% of businesses in the sector employ systems to manage their operations online, such as ticketing. With such a large volume of customer financial transactions and data being processed, as well as confidential information pertaining to transfers, plans, layouts etc. for the upcoming year, the potential damage facing sports institutions in the event of a cyber breach is major.

But what can the sports industry do to protect themselves and their systems?

Sporting bodies have been urged by the NCSC to reconsider their cyber threat level, particularly in light of the recent rise in prominent attacks. Now is the time to identify and make improvements to cybersecurity processes to ensure they are protecting both themselves and their many fans from serious repercussions.

The NCSC has also pointed out that more needs to be done in implementing secure email controls, something which is currently not “routinely applied” throughout the sector. To protect infrastructure against ransomware and other cyberattacks, organisations must ensure their systems are patched with the latest updates, and a clear, restricted remote device management solution is in place, particularly for employees working pitch side or in remote locations.

To ensure criminals cannot exploit known and unknown vulnerabilities, Serbus offer a secure MDM solution, built around the core of a secure voice and messaging application, so that any and every aspect of communication can be safeguarded and unsolicited network access via these common routes is not possible.

To speak with us about how our solution has been helping others in your field, and to talk about any requirements, please get in touch on [email protected], or telephone our office on +44 (0)1432 870 879.