
Sustainability Challenges: Cybersecurity

In 2023, the world faces economic, geopolitical, social, and environmental crises against the backdrop of ongoing physical and mental health challenges among the general population. In this article, first published for Global Sustainable Sport, Managing Director Satinder Soni provides her expertise on the cybersecurity challenges facing the sports industry. 

As the world becomes more digital, cybercrime is becoming an increasingly significant threat to enterprises across the globe, including in the sports ecosystem.

Last year, there was a 38% increase in the number of cyber attacks globally, with year-on-year rises of more than 60% in areas like leisure, hospitality, and retail, according to a study by software provider Check Point Research.

Weekly cyber attacks per organization increased by 22% in the Asia-Pacific region, 26% in Europe, 29% in Latin America, and a huge 52% in North America. In Africa, the rise was a more modest 4%, although the continent experienced the highest number of cyber attacks per organization – an incredible 1,875 per week.

Digging further into the statistics reveals that two of the sports industry’s top-tier geographical markets were among the most targeted, with a 57% rise in attacks in the United States and a massive 77% increase in the United Kingdom.

However, the global trajectory underlines the worrying worldwide scale of the issue, with consensus among experts that the sharp increase in cybercrime incidents is down to three broad factors:

  • The rising number of smaller, more agile criminal groups involved in exploiting organizations through ransomware software;
  • The broader reach of the hackers, who now commonly target business collaboration and communication tools with phishing;
  • The fact that academic institutions have become popular targets for criminals due to their digital transformation in recent years, accelerated by the global pandemic. Alongside education/research, the government and healthcare sectors have attracted the most attacks in recent times.

The threat to sports

However, by collecting and managing personal data through ticket sales, memberships, and merchandise, while controlling big-money budgets and bank transfers, it is easy to see why sport is on the firing line of cybercrime.

Indeed, the sports industry has been targeted extensively in recent years. According to a 2020 study by the UK government’s National Cyber Security Centre, at least 70% of sports organizations had experienced a cyber incident or breach – more than double the average across all UK businesses at the time.

Ominously, the report also described sports as a “high-value target,” and described how an unnamed English Football League club had suffered an attack that led to CCTV and turnstiles at its stadium being shut down and the match postponed.

Additionally, big names like Manchester United have been among the victims, with hackers having targeted the English Premier League football club’s online system and operations.

Meanwhile, in the United States, the NFL’s San Francisco 49ers American football franchise suffered a breach last year when the details of more than 20,000 individuals were reportedly accessed.

Exploiting weaknesses

Attacks are not only targeted at rights-holders though, with sport’s sprawling industry giving criminals various avenues to exploit weaknesses in security systems.

For example, in January 2023, sportswear retailer JD Sports suffered a security breach that, it is thought, compromised the personal data of some 10 million customers.

Perhaps most famously of all, the so-called ‘Olympic Destroyer’ cyber attack disrupted the IT infrastructure supporting the opening ceremony of the 2018 Winter Olympic Games in PyeongChang, South Korea.

“The increasing reliance on technology has made sports organizations more vulnerable to cyber threats, including viruses, malware, ransomware, distributed denial of service attacks, spam, and phishing,” says Satinder Soni, Managing Director at Ankura, a global consultancy.

“Sports organizations must ensure they have robust cybersecurity measures in place, similar to other comparable organizations in the commercial sector, to protect against these threats.

“However, certain areas of the sports industry face higher risks and require enhanced security measures. For instance, organizations involved in anti-doping testing, such as World Anti-Doping Agency-approved testing laboratories, must have secure systems to protect the integrity of testing procedures and prevent any attempts to tamper with results.

“Similarly, sports law firms and arbitration panels need to safeguard their clients’ confidential information, including legal strategies and settlements. Bidders for and local organizing committees of major sporting events are also at higher risk, as they handle sensitive data, including personal and financial information of athletes, staff, and spectators, as well as logistical details of the events.

“Additionally, certain activities within the industry, such as ticketless stadium access systems and competition results management systems, present a higher vulnerability to cyber threats with the potential for catastrophic failure.”

Impact

The impact of a cyber attack can be dire on the prosperity and profile sustainability pillars identified by Global Sustainable Sport, damaging the financial outlook of a sporting enterprise or organization, and also potentially its reputation.

According to a report by IBM and the Ponemon Institute, the average data breach cost for a business of fewer than 500 employees is an eye-watering $2.98m. This average total may include a ransom payment, but also additional costs like: 

  • Handling immediate damages and repairs;
  • Providing free credit monitoring;
  • Staffing customer service personnel to handle customer inquiries;
  • Offering free or discounted products and services;
  • Paying fines;
  • Hiring additional experts, including IT security consultants, risk-management consultants, lawyers, auditors and accountants, management consultants, and public relations consultants.

One of the challenges is that cyber crime is constantly changing and becoming more technologically sophisticated.

Even a decade ago, before many organizations had undergone digital transformation, 46% of organizations told a Forbes survey that they had experienced damage to their reputation and brand value due to a cybersecurity breach over the previous 24 months.

Ten years on, in an increasingly digital landscape, the challenges will have only intensified, especially as criminals are becoming more organized. A recent report co-authored by the FBI in the United States said that criminals who work as a remote collective are even setting up internal arbitration systems to resolve payment disputes between different hackers.

Furthermore, there are expectations that cyber attacks will only increase in frequency and complexity due to the emergence of artificial intelligence technologies that enable hackers to create malicious code and emails more quickly than ever before, according to an expert on the topic, Chuck Brooks, president of Brooks Consulting International.

Equally, it should be noted that AI is viewed as potentially part of the solution, as well as the problem.

Tackling the issue

The threat to sporting organizations and their profile and prosperity sustainability pillars is therefore significant. However, there are suggestions that the vast majority of operators in the industry are simply not taking it seriously enough.

According to Ekaterina Carayanis, director of cyber security and risk management at Toronto-based Maple Leaf Sports & Entertainment, an operator of multiple major league teams and stadiums, only about 1% of professional teams and leagues have adequate cybersecurity infrastructure in place.

Speaking at the Sports Business Journal's AXS Sports Facilities & Franchises and Ticketing Symposium last year, Carayanis outlined a broad six-point plan for a sports organization to take regarding the threat of cyber crime:

  1. Prepare for an attack because it is probably inevitable;
  2. Know your tolerance for risk;
  3. Talk to others, such as peers in the industry;
  4. Ask questions – trust but verify;
  5. It is okay to say no;
  6. Move beyond the sales pitch and read the fine print of the contract.

She also singled out Major League Soccer and the National Basketball Association for their efforts in the cybersecurity space, but warned that the onus is on sporting organizations to be proactive, given that providers “no longer want to insure sports teams [with cyber security insurance as] … we’re too much of a risk.”

As a first step, according to IT security solutions provider Check Point, it is “imperative to think about prevention first, not detection,” with vital efforts including cybersecurity training, keeping patches up-to-date, and implementing anti-ransomware technology.

In practical terms, Henry Doyle, the co-founder of cyber security provider Altinet, warns that the triple threat of email account takeover, ransomware, and copycat cyber fraud should be discussed in the boardrooms of sports organizations.

He also offers six top tips that are applicable across all organizations, and not just in the sports industry:

  1. Keep software up to date with the latest patches;
  2. Protect email accounts, as 91% of cyber attacks begin with a phishing email;
  3. Implement and manage next-generation anti-virus software and firewalls;
  4. Use a password management tool across all platforms and users;
  5. Use two-factor authentication;
  6. Implement a cybersecurity training service.

According to Soni, it is “essential that the sports industry takes cybersecurity seriously and establishes a robust cybersecurity framework” – and, crucially, does not become complacent over time.

“Organizations must conduct regular risk assessments, invest in cybersecurity technology and staff training, and ensure they have a response plan in case of an attack,” he adds. “Failure to do so can have severe consequences, including loss of data, financial losses, and reputational damage. By prioritizing cyber security, the sports industry can mitigate the risks and continue to provide safe and secure experiences for athletes, fans, and stakeholders alike.”

This article was first published for Global Sustainable Sport.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
