Sustainability Challenges: Cyber Security
In 2023, the world faces economic, geopolitical, social and environmental crises against the backdrop of ongoing physical and mental health challenges among the general population. In the latest in a series of articles in which we turn to experts about the critical issues facing the sports industry this year and beyond, we look at the challenge of cybersecurity.
As the world becomes more digital, cyber crime is becoming an increasingly significant threat to enterprises across the globe, including in the sports ecosystem.
Last year, there was a 38% increase in the number of cyber attacks globally, with year-on-year rises of more than 60% in areas like leisure, hospitality and retail, according to a study by software provider Check Point Research.
Weekly cyber attacks per organisation increased by 22% in the Asia-Pacific region, 26% in Europe, 29% in Latin America and a huge 52% in North America. In Africa, the rise was a more modest 4%, although the continent experienced the highest number of cyber attacks per organisation – an incredible 1,875 per week.
Digging further into the statistics reveals that two of the sports industry’s top-tier geographical markets were among the most targeted, with a 57% rise in attacks in the United States and a massive 77% increase in the United Kingdom.
However, the global trajectory underlines the worrying worldwide scale of the issue, with consensus among experts that the sharp increase in cyber crime incidents is down to three broad factors:
- The rising number of smaller, more agile criminal groups involved in exploiting organisations through ransomware;
- The broader reach of the hackers, who now commonly target business collaboration and communication tools with phishing;
- The fact that academic institutions have become popular targets for criminals due to their digital transformation in recent years, accelerated by the global pandemic. Alongside education/research, the government and healthcare sectors have attracted the most attacks in recent times.
The threat to sport
However, sport collects and manages personal data through ticket sales, memberships and merchandise, whilst controlling big-money budgets and bank transfers, so it is easy to see why it is in the firing line of cyber crime.
Indeed, the sports industry has been targeted extensively in recent years. According to a 2020 study by the UK government’s National Cyber Security Centre, at least 70% of sports organisations had experienced a cyber incident or breach – more than double the average across all UK businesses at the time.
Ominously, the report also described sport as a “high-value target”, and described how an unnamed English Football League club had suffered an attack that led to CCTV and turnstiles at its stadium being shut down and the match postponed.
Additionally, big names like Manchester United have been among the victims, with hackers having targeted the English Premier League football club’s online system and operations.
Meanwhile, in the United States, the NFL’s San Francisco 49ers American football franchise suffered a breach last year when the details of more than 20,000 individuals were reportedly accessed.
Attacks are not only targeted at rights-holders though, with sport’s sprawling industry giving criminals various avenues to exploit weaknesses in security systems.
For example, in January 2023, sportswear retailer JD Sports suffered a security breach that, it is thought, compromised the personal data of some 10 million customers.
Perhaps most famously of all, the so-called ‘Olympic Destroyer’ cyber attack disrupted the IT infrastructure supporting the opening ceremony of the 2018 Winter Olympic Games in PyeongChang, South Korea.
“The increasing reliance on technology has made sports organisations more vulnerable to cyber threats, including viruses, malware, ransomware, distributed denial of service attacks, spam, and phishing,” says Satinder Soni, Managing Director at Ankura, a global consultancy.
“Sports organisations must ensure they have robust cyber security measures in place, similar to other comparable organisations in the commercial sector, to protect against these threats.
“However, certain areas of the sports industry face higher risks and require enhanced security measures. For instance, organisations involved in anti-doping testing, such as World Anti-Doping Agency-approved testing laboratories, must have secure systems to protect the integrity of testing procedures and prevent any attempts to tamper with results.
“Similarly, sports law firms and arbitration panels need to safeguard their clients’ confidential information, including legal strategies and settlements. Bidders for and local organising committees of major sporting events are also at higher risk, as they handle sensitive data, including personal and financial information of athletes, staff, and spectators, as well as logistical details of the events.
“Additionally, certain activities within the industry, such as ticketless stadium access systems and competition results management systems, present a higher vulnerability to cyber threats with the potential for catastrophic failure.”
The impact of a cyber attack can be dire on the Prosperity and Profile sustainability pillars identified by Global Sustainable Sport, damaging the financial outlook of a sporting enterprise or organisation, and also potentially its reputation.
According to a report by IBM and the Ponemon Institute, the average data breach cost for a business of fewer than 500 employees is an eye-watering $2.98m. This average total may include a ransom payment, but also additional costs like:
- Handling immediate damages and repairs;
- Providing free credit monitoring;
- Staffing customer service personnel to handle customer enquiries;
- Offering free or discounted products and services;
- Paying fines;
- Hiring additional experts, including IT security consultants, risk-management consultants, lawyers, auditors and accountants, management consultants and public relations consultants.
One of the challenges is that cyber crime is constantly changing and becoming more technologically sophisticated.
Even a decade ago, before many organisations had undergone digital transformation, 46% of organisations told a Forbes survey that they had experienced damage to their reputation and brand value due to a cyber security breach over the previous 24 months.
Ten years on, in an increasingly digital landscape, the challenges will have only intensified, especially as the criminals are becoming more organised. A recent report co-authored by the FBI in the United States said that criminals who work as a remote collective are even setting up internal arbitration systems to resolve payment disputes between different hackers.
Furthermore, there are expectations that cyber attacks will only increase in frequency and complexity due to the emergence of artificial intelligence technologies that enable hackers to create malicious code and emails more quickly than ever before, according to an expert on the topic, Chuck Brooks, president of Brooks Consulting International.
Equally, it should be noted that AI is viewed as potentially part of the solution as well as the problem.
Tackling the issue
The threat to sporting organisations and their Profile and Prosperity sustainability pillars is therefore significant. However, there are suggestions that the vast majority of operators in the industry are simply not taking it seriously enough.
According to Ekaterina Carayanis, director of cyber security and risk management at Toronto-based Maple Leaf Sports & Entertainment, an operator of multiple major league teams and stadiums, only about 1% of professional teams and leagues have adequate cyber security infrastructure in place.
Speaking at the Sports Business Journal’s AXS Sports Facilities & Franchises and Ticketing Symposium last year, Carayanis outlined a broad six-point plan for a sports organisation to follow in response to the threat of cyber crime:
- Prepare for an attack because it’s probably inevitable;
- Know your tolerance for risk;
- Talk to others, such as peers in the industry;
- Ask questions – trust but verify;
- It’s okay to say no;
- Move beyond the sales pitch and read the fine print of the contract.
She also singled out Major League Soccer and the NBA basketball league for their efforts in the cyber security space, but warned that the onus is on sporting organisations to be proactive, given that providers “no longer want to insure sports teams [with cyber security insurance as] … we’re too much of a risk”.
As a first step, according to IT security solutions provider Check Point, it is “imperative to think about prevention first, not detection,” with vital efforts including cyber security training, keeping patches up-to-date and implementing anti-ransomware technology.
In practical terms, Henry Doyle, the co-founder of cyber security provider Altinet, warns that the triple threat of email account takeover, ransomware and copycat cyber fraud should be discussed in the boardrooms of sports organisations.
He also offers six top tips that are applicable across all organisations, and not just in the sports industry:
- Keep software up to date with the latest patches;
- Protect email accounts, as 91% of cyber attacks begin with a phishing email;
- Implement and manage next-generation anti-virus software and firewalls;
- Use a password management tool across all platforms and users;
- Use two-factor authentication;
- Implement a cyber security training service.
According to Soni, it is “essential that the sports industry takes cyber security seriously and establishes a robust cyber security framework” – and, crucially, does not become complacent over time.
“Organisations must conduct regular risk assessments, invest in cyber security technology and staff training, and ensure they have a response plan in case of an attack,” he adds. “Failure to do so can have severe consequences, including loss of data, financial losses, and reputational damage. By prioritising cyber security, the sports industry can mitigate the risks and continue to provide safe and secure experiences for athletes, fans, and stakeholders alike.”
The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.