In a recent collaborative effort between global cybersecurity experts NCC Group, the Oxford Researchers Strategy Consultancy (University of Oxford), and Phoenix Sport & Media Group (PSMG), a pressing need for enhanced cybersecurity measures within the sports industry has been unveiled. As sports clubs and organizations become increasingly attractive targets for cyberattacks, the whitepaper "The Hidden Opponent: Cyber Threats in Sport" sheds light on the industry's vulnerabilities.
The study, which gathered insights from key stakeholders within the sports world, including IT and security managers from Premier League clubs and Formula 1 racing teams, highlights the industry's growing dependence on connected technology. The proliferation of fitness trackers, health devices, smart stadiums, and other connected systems has expanded the attack surface, making individuals and organizations in sport more susceptible to cyber threats.
"The financial power of the sports sector makes it a prime target for cybercriminals," said Carly Barnes, CEO of Phoenix Sport & Media Group. "We are proud to have worked alongside NCC Group and the Oxford Researchers Strategy Consultancy (University of Oxford) to produce this unique and valuable research paper."
Key findings from the research indicate low levels of cybersecurity maturity and outdated approaches to cybersecurity among teams and clubs. "We've seen the sports industry become an increasingly attractive target for cybersecurity attacks over recent years," noted Matt Lewis, Global Head of Research at NCC Group. "From speaking to industry professionals as part of this research, it's clear that there's a disconnect between the perception and reality of how at-risk the industry currently is."
Chief Information Security Officers (CISOs) are uncommon in sports organizations, revealing a lack of dedicated roles for defending against cyberattacks. Limited financial investment in cybersecurity is a significant concern, with boards often reluctant to allocate resources for security assurance needs, even when specific risks are identified.
The absence of industry security benchmarks further complicates the allocation of cybersecurity budgets, leading to disparities between leagues and divisions. Shocking statistics also revealed that 60% of generic email addresses used by Premier League Clubs have appeared in known public data breaches, with one club's email address appearing in 16 unique public data breaches. This not only poses risks to industry professionals but also puts fans at risk of financial fraud related to ticket purchases and privacy breaches due to stolen data.
Ransomware emerged as a prominent concern due to the lack of cybersecurity governance in place, along with light-touch cybersecurity training and inconsistent approaches to Identity & Access Management (IAM) and password use.
The research paper recommends prioritizing cybersecurity spending and establishing an industry-wide standard for budget allocation, ideally scaled according to the organization's size and annual turnover. Clubs generating over £50 million in revenue should allocate at least £5 million for cybersecurity assurance services to enhance cyber maturity and reduce risk exposure.
NCC Group has developed a cybersecurity maturity model for the sports industry based on the research's key themes and concerns, enabling organizations to benchmark their current cybersecurity status and identify gaps.
Sports clubs are advised to improve staff training and awareness of cybersecurity risks and invest in resources and third-party support to prepare for potential breaches. Greater emphasis should also be placed on employing dedicated cybersecurity staff, such as a Chief Information Security Officer (CISO), within sports team boards.
This research arrives amid heightened concerns about malicious cyber activities. September 2023 witnessed record levels of ransomware attacks, as reported by NCC Group's monthly threat pulse, which monitors global cybersecurity activity.
Matt Lewis, Global Head of Research at NCC Group, stressed the growing threat to the sports industry and the need for practical solutions to bolster cybersecurity defenses. "We hope the report provides both clarity on the vulnerabilities the industry faces, and the practical solutions that can be put in place to improve how the industry prevents and prepares for potential cyber-attacks," he added. "By implementing the relevant strategies and resources outlined in the report, cyber can be reduced to help preserve brand reputation, confidentiality of information, and integrity of industry players and organizations."