Don’t leave it to the last defender to tackle threats - cyber security and football clubs
18 June 2018
A (short) summer break and a World Cup give professional football clubs a small window to concentrate on off-field issues. One of the big issues that we are working with top clubs on is their cyber security.
Modern football clubs are effectively global entertainment, retail and hospitality companies, but many invest only a fraction of what similarly-sized organisations in those sectors spend on cyber security. At the same time, the sheer breadth of clubs’ operations exposes them to a correspondingly broad range of cyber threats.
Personal data - tackling GDPR is not enough
Football clubs hold significant volumes of fans’ personal and financial data through ticketing and retail operations, and fan engagement. Football clubs also hold more sensitive types of personal data including medical details of players and children’s data. Personal and financial data remain the “bread and butter” commodity for cyber criminals, and at the same time the European General Data Protection Regulation (GDPR) places increasing obligations on organisations to secure personal data under their control, even when it is processed by a third party. However, as they engage fans worldwide, clubs are increasingly coming in-scope of other data protection legislation. For example, Chinese cyber security legislation requires personal information collected or generated in China to be stored domestically.
Confidential business data - keep it in your own half
Football clubs hold significant volumes of sensitive internal correspondence and confidential documentation, much of which has significant value to third parties. For example, there is huge interest in players’ salaries and contract negotiations, clubs’ transfer dealings, commercial deals and sensitive or potentially damaging internal correspondence (e.g. disciplinary information). Such data can be highly embarrassing when made public, or, in the case of sensitive commercial data, could have a financial impact or be market-sensitive (if the club is listed).
Digital channels - disrupt the supply to the front man
The high profile of major clubs makes their websites and social media accounts attractive targets for disruptive attacks (e.g. denial of service or social media account hijacking). High profile organisations are often used by activists, extremists and terrorists to promote their cause; these kinds of attacks are often unrelated to the club or the sport, with attackers simply exploiting the profile of the target organisation to get their message to a wider audience and increase media coverage.
Real world impact - match postponed
The WannaCry and NotPetya ransomware attacks in 2017 demonstrated the increasingly wide impact that non-targeted attacks are having on businesses’ ability to operate. In common with most businesses, football clubs rely on back-office IT to operate, but they also have an increasing reliance on internet-connected systems for stadium or event management. An inability to scan tickets at the turnstiles, pitch sprinklers being turned on mid-game, or stadium management/broadcast systems being taken offline are very real risks which could cause significant disruption.
Performance data - half-a-yard advantage
Performance improvement in football is increasingly data-driven. Analysing training, nutrition, performance and tactical data can give a team a competitive edge or squeeze greater performance from limited resources. This data is of significant commercial value but it’s also valuable to rivals and of interest to the wider public.
So what can football clubs do to tackle cyber risk? I offer four pieces of advice.
- Ownership and accountability - donning the captain’s armband: The first step for any club is acknowledging that it does face these threats and ensuring leadership and accountability at Board level. Getting this right also requires an understanding of what data is held where, an understanding of the range of business-critical systems in operation at the club and an appreciation of the impact if these were attacked.
- Not just an IT problem - it’s a team game: Studies consistently show that exploiting users (i.e. humans) can bypass expensive technical defences, so an effective cyber security strategy needs to encompass people, process and technology. Moreover, other disciplines such as legal and compliance functions are increasingly important. To cite a well-worn (but still accurate) cyber security cliché, it’s not just an IT issue.
- Get the basics right - playing the percentages: Good architecture (e.g. keeping stadium and event systems separate from the corporate network) and basic IT hygiene (e.g. patching software promptly and putting multi-factor authentication on administrative and social media accounts) will mitigate the majority of attacks.
- Prepare for the worst - shoring up the defence: Despite the best efforts of defenders, a determined or lucky attacker will always stand a chance of getting through. Much of the damage from a cyber attack comes when organisations handle a breach badly, so preparing and exercising for the worst (both in terms of technical and business/media response), and ensuring the club is resilient in the face of attack are really important.