Three months ago, on a Friday evening in late November, Manchester United, one of the world’s most valuable football clubs, announced it was the victim of a cyber attack.
The club - ranked third on Forbes’ list of most valuable football organisations - termed the attack “disruptive,” but officials said they were not aware of any fan data being compromised, and their media channels - their app and website - were unaffected.
Manchester United’s breach is just one example of dozens to have hit British sports organisations in recent months. According to the UK National Cyber Security Centre (NCSC), more than 70 percent of sports organisations surveyed experienced some sort of breach in the year prior to the survey. A worrying figure, and more than double the number of entities suffering such breaches in the general UK business sector.
The overall number of cyber attacks has increased since the outbreak of COVID-19. But it is not a phenomenon that emerged over the last 12 months, nor is it reserved only for British sports organisations. In 2018, the PyeongChang Winter Olympics were targeted on the night of the opening ceremony, affecting the event’s Internet, broadcasting systems and website.
The list goes on, and these attacks have proven to be costly, with NCSC statistics showing 30 percent of incidents caused financial damage, averaging £10K per incident and reaching up to £4M per incident.
Big names, big budgets: why sports entities are such enticing targets
This is just the beginning of attacks against the sports world, says Idan Dardikman, Co-Founder and VP Professional Services of Axioma Cyber Services, a boutique consultancy firm. Dardikman served in an elite intelligence unit of the Israeli army, learning the ins and outs of the cyber world and gaining a deeper understanding of the industry and its inhabitants, what motivates them and how they operate.
“I think sports organisations are just beginning to be a very popular target for attackers,” he tells Infront Lab, citing several main reasons - big names, big budgets and publicity.
Oftentimes hackers decide to attack organisations they are familiar with. They know names like FIFA or Manchester United, know their value, and assume they have a lot of money to be extorted.
Another reason is notoriety. Attackers want publicity and targeting big name organisations ensures their names and handiwork will be talked about.
Knowledge is power, but it’s lacking in sports
While attacks against sports entities continue to rise and become more popular, when it comes to securing assets, the sports world is lagging behind. Dardikman attributes this to the fact that massive attacks against sports organisations began only a few years ago. This means that sports organisations either have yet to grasp the magnitude of a continuing and worsening trend, or they have yet to take the right steps in implementing protection methods.
The technologies to protect sports organisations are out there, but what is currently missing is the “know-how.”
“Knowledge is definitely the biggest obstacle right now,” Dardikman explains. “There is already the understanding that cybersecurity is important and it isn’t something that can be ignored anymore, and organisations allocate the budget. What they’re missing usually is the know-how of how the cyber industry works.”
Even when organisations do allocate budgets and purchase security products, they often purchase the wrong ones or use them in the wrong way, having a low understanding of the products they actually need. They are “misconfigured.”
If sports organisations wish to improve their defences, they should begin by bringing in external help from a domain expert and understand the most crucial points in their security and what threats are imposed on them. They can then allocate their budget in a more efficient manner.
Understanding a faceless enemy
The first step to protecting assets is gaining the right knowledge of the threats the sports world faces. To do so, it is imperative to understand who the attackers are and what motivates them.
Dardikman breaks down the types of attackers into five groups, beginning with the least threatening until the most dangerous: Script Kiddies, Hacktivists, Organised Crime, Industrial Espionage, and Cyber Warfare.
Dardikman likens the Script Kiddies, the most amateurish of the bunch, to protecting your home against neighbourhood burglars - you simply need a good lock to keep them out. On the other hand, when speaking about cyber warfare, it’s like protecting oneself from the CIA, and more advanced precautions are necessary.
The bulk of the attacks against the sports world fall into the organised crime category. These are individuals who are motivated by financial gain and are looking to extort money from the victim organisation.
“When we’re talking about these kinds of threats,” explains Dardikman. “We have to take more serious actions to prevent them and be proactive, to actively go and search for the threat in the network.”
Each organisation must protect their “crown jewels.” When it comes to sports, there are numerous assets to protect, but the crown jewels could be categorised as the following: fan data, proprietary assets such as athletes, mobile apps and websites, and, finally, employees.
The latter may be the most vulnerable, and while we now have the technology to protect assets, what is not yet secure is human error.
“I think across the board the most common method of attack is through manipulating the human,” says Dardikman. Sports organisations need to do a better job creating a greater sense of awareness of cyber threats amongst their employees, who can be easily targeted with malicious links and phishing emails.
Prepare and Protect
Visibility is another key to protection. With a vast number of people logging into accounts from numerous devices and locations, there is an overload of information, making it difficult to understand the bigger picture of what is going on within an organisation’s digital ecosystem. When an organisation is able to collect all the information into a single system, it helps paint a clearer picture of the current situation and analyse any potential threats.
With the threat of cyber attacks against sports organisations growing, it is critical for executives to actively prepare for such a possibility.
“It is cheaper to think about these things in advance rather than paying some incident response team to clean up the mess after you’ve been breached,” Dardikman says. “Many times, after the damage has been done there is no going back. Unfortunately, I have seen organisations which have been breached and collapsed, and they wish they had done this preparation job in advance.”
Dardikman cites the Manchester United case as a good example of an organisation being prepared. They had backups for all of their data and walked away with a relatively minuscule amount of damage. For Manchester United, preparing for the worst paid off, big time.
