author photo
By Clare O’Gara
Fri | Jul 24, 2020 | 9:17 AM PDT

With sports returning to fields and arenas across the globe, much of the focus lies beyond the games themselves: namely, protecting players, coaches, and staff from the spread of COVID-19.

But athletics are also facing other, less physical challenges.

Among them? An overwhelming number of cyber threats.

Sports and cybersecurity: the intersection

At first glance, they couldn't seem more different. While the connection between sports and cybersecurity isn't obvious, though, it is significant. A recent report from the National Cyber Security Centre (NCSC) examines the relationship between athletics and cyber defense in the U.K.

As it turns out, cyberattacks on sports teams are more common than they seem. In fact, they're more common than the average for other businesses.

"At least 70% of the sports organizations we surveyed have experienced at least one cyber incident or harmful cyber activity. This compares to 32% across general UK business, according to the DCMS annual breaches survey."

The primary motive for these attacks? Financial gain.

"Survey data, quantitative research and the NCSC's own incident data suggests that almost all criminal attacks are conducted using commonly available tools and techniques which don't need a lot of technical knowledge to be effective. These include phishing, password spraying and credential stuffing."

The most damaging single attack resulted in a financial loss of over $5 million.

While some attacks specifically target teams, most sports organizations are merely the victims of mass campaigns. The larger schemes tend to include nation-state involvement:

"The most high profile attacks were conducted by Russian Military Intelligence (GRU) against the World Anti-Doping Agency, in August 2016. The GRU stole confidential medical files from WADA's Anti-Doping Administration and Management System, then leaked sensitive information onto the internet.

The 2018 Winter Olympics in Pyeongchang were hit with an advanced and wide-ranging series of cyber attacks, reportedly causing disruption to the opening ceremony and the event's website. These activities were almost certainly conducted by a nation-state, with intent to disrupt the games."

[RELATED: Like a Spy Movie: How Russia Hacked Its Olympic Enemies]

3 cyberattack trends in sport

Seventy percent is a staggering number, particularly for an industry not commonly associated with cyber threats.

But how does that statistic break down? The NCSC identifies three attack trends:

  1. Business Email Compromise: Research indicates that Business Email Compromise (BEC) is the biggest cyber threat to sports organizations. BEC involves attackers seeking to gain access to official business email addresses, which they then use to engineer such things as fraudulent payments or data theft.
  2. Cyber-enabled fraud: Survey results indicate that 75% of sports organizations have received fraudulent emails, text messages or phone calls. 61% have also identified staff being directed to fraudulent or fake websites. As with BEC, the primary motivation behind cyber-enabled fraud is financial.
  3. Ransomware: Whilst ransomware is less common than BEC and cyber-enabled fraud, the business impact of ransomware attacks can be disastrous. Approximately 40% of attacks on sports organizations involved malware. A quarter of these involved ransomware.

5 cyber mitigation practices for sports organizations

Just like an athletic team, mitigating cyber threats requires strategies, practice, and a game plan.

NCSC offers five actions to help sports organizations begin prioritizing cybersecurity:

  1. Put risk on the agenda: Make time to cover these issues at your management meetings or weekly catch-ups. Find out where cyber security threats sit in the priority list, when compared to physical threats.
  2. Business Continuity: Prepare your business for the most common cyber security threats by developing plans to handle those incidents most likely to occur. The best way to test your staff's understanding of what's required during an incident is through exercising.
  3. Cyber Awareness: Empower your staff by helping them to understand why and how your organization could be attacked online, and what they can do to help protect against these attacks. This will help them play their part in keeping the organization safe.
  4. Make basic attacks more difficult: Implement Multi-Factor Authentication (MFA) for important services such as email accounts. MFA buys a lot of additional security for relatively little effort. Organizations of all sizes can use MFA to protect their information and finances, and the services they rely on for day-to-day business. You should also consider the application of other technologies to manage access to important services, such as conditional access and role-based monitoring.
  5. Reduce the password burden: Review how your organization uses passwords. To take some pressure off your staff, use technical security controls like blacklisting common passwords and allowing the use of password managers. Consider how you can identify or mitigate common password attacks such as brute forcing, before harm is done.

Check out more information from the report here.