Football faces up to a new threat – cyber attacks
Despite recent disruptions, the football transfer market, and the small windows in which teams can buy and sell players, is still big business. In 2019, transfer fees totalled USD 7.35 billion, 5.8% more than the previous year.
Yet where there is money, there are people who want to profit from it illegally. It is therefore no surprise that transfer deals are now being targeted by cybercriminals. A report by the UK’s National Cyber Security Centre (NCSC) described how, among other attacks, the email account of a Premier League club’s managing director was compromised ahead of a transfer negotiation, and the attackers came close to walking away with the £1 million fee. The same report found that 70% of sporting institutions had suffered a cyber incident in the preceding 12 months.
It is clear that football clubs will find their data protection and privacy increasingly under attack, and with a larger attack surface to defend. Why? Because, like many organisations, they are digitising their operations. That was happening before the pandemic; now, with remote working prevalent, they have gone from centralised operations to highly dispersed ones, with staff, devices and data spread well beyond the club’s own network.
The weak point of football’s defence – their people
How does this impact their efforts to fight off cybercriminals? It’s likely that, as with most other sectors that have had to rapidly embrace remote working in the last few months, many football clubs have relied on whatever collaboration tools they can get their hands on to keep their operations running. This is why we’ve seen a spike in the use of freemium video conferencing and easy-to-use messaging tools.
The problem is that these services are consumer-grade products at best, unsuited to business-level security requirements. Attackers can gather a great deal of information from unprotected video calls or messages. Combined with other easily accessible data, such as social media profiles, this lets them work out very quickly who the decision-makers in an organisation are, what level of access they are likely to have, and which details of their personal lives (pets, children, favourite players) are likely to have been reused in passwords or security-question answers.
That is if they have chosen a password that is personal to them at all. A significant proportion of people still choose 123456, qwerty or password, which helps to explain why 95% of security breaches are attributed to human error.
Human error is exactly what caused the attack on the Premier League club, according to the NCSC report. The director received an email containing a link to what appeared to be an Office 365 login page; he entered his credentials and unwittingly handed the criminals access to his mailbox and contacts. With that access they could monitor his correspondence and wait for an opportunity to monetise it, which came when a transfer negotiation began.
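The lure described above works because the link in the email points somewhere that merely resembles the Office 365 sign-in page. As an added illustration (example code written for this page, not taken from the NCSC report or from the original article), the following Python checks the links in an email body for the usual tricks: the genuine login hostname used as a subdomain of an attacker’s domain, a brand word such as “o365” in the hostname or path, a “user@host” URL whose real destination follows the @, and anchor text that displays one URL while the href goes to another. The allow-list of legitimate hosts, the brand tokens and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts Microsoft genuinely uses for sign-in. Assumption for this example: a short
# allow-list; a production check would maintain the full, current list.
LEGITIMATE_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Brand words a phishing page borrows to look like an Office 365 login.
BRAND_TOKENS = ("microsoft", "office", "o365", "outlook", "sharepoint")


def _parts(url: str):
    """Return (hostname, userinfo, path) of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    return host, parsed.username, parsed.path.lower()


def classify_login_url(url: str) -> str:
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated' to Office 365 sign-in."""
    host, userinfo, path = _parts(url)
    if host in LEGITIMATE_LOGIN_HOSTS:
        return "legitimate"
    # https://login.microsoftonline.com@evil.example/ : the text before '@' is
    # userinfo; the real destination is evil.example.
    if userinfo:
        return "lookalike"
    # login.microsoftonline.com.verify-account.example : the genuine name is only
    # a subdomain label; the registrable domain belongs to the attacker.
    if any(host.startswith(legit + ".") for legit in LEGITIMATE_LOGIN_HOSTS):
        return "lookalike"
    # o365-mailbox-check.example, or a brand word hidden in the path.
    if any(token in host or token in path for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def suspicious_links(body: str):
    """Return [(url, reason)] for links in an email body worth flagging or blocking.

    'mismatch' means the visible anchor text is itself a URL whose host differs
    from the real href destination; 'lookalike' is as returned by
    classify_login_url. Legitimate and unrelated links are not reported.
    """
    findings = []
    seen = set()
    for href, text in ANCHOR_RE.findall(body):
        seen.add(href)
        verdict = classify_login_url(href)
        shown = text.strip()
        if BARE_URL_RE.fullmatch(shown) and _parts(shown)[0] != _parts(href)[0]:
            verdict = "mismatch"
        if verdict in ("lookalike", "mismatch"):
            findings.append((href, verdict))
    # Plain-text URLs outside anchors (hrefs already handled are skipped).
    for url in BARE_URL_RE.findall(body):
        if url not in seen and classify_login_url(url) == "lookalike":
            findings.append((url, "lookalike"))
    return findings


# Constructed sample (not a real message) in the style of the lure described above.
SAMPLE_EMAIL = """\
<p>Your Office 365 mailbox is almost full. Sign in to keep receiving transfer documents:</p>
<a href="https://login.microsoftonline.com.account-verify.example/common/login">https://login.microsoftonline.com</a>
<p>Mirror: https://o365-mailbox-check.example/signin</p>
<p>Ticket: https://support.premierleague.example/ticket/41</p>
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:9} {url}")
```

Run against the constructed message, the check reports the anchor as a mismatch (the visible text says login.microsoftonline.com, the href does not) and the “mirror” link as a lookalike, while the club’s own support link passes. The same logic is the kind of rule an email gateway applies before a message reaches a director’s inbox, which is cheaper than hoping the recipient spots the difference.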
Another football club may also have been the victim of a phishing attack. The club, which plays in the English Football League, was hit by ransomware that encrypted the club’s devices and several servers (leaving officials without corporate email) and even disrupted the stadium’s CCTV and turnstiles, which almost forced the cancellation of a fixture and the loss of the matchday revenue that came with it.
Gifting attackers opportunities
In this instance, however, how the attackers gained access is not yet clear: one possible route was the phishing email already mentioned, another was the remote-access connection to the CCTV system.
This highlights another issue with modern business operations: the cloudification of IT, with building systems such as CCTV now networked and remotely managed. Using a physical security system to get around cybersecurity may seem ironic, but it happens because organisations do not take a holistic view of their defences. Here, remotely connected CCTV will no doubt have helped with storing footage and managing the cameras, yet left unsecured it becomes a gaping hole at the back of the defence. The club in question might have had multi-factor authentication on every device, up-to-date software protecting its applications, and stringent access policies on its data, and still have overlooked a way in through an unmanaged system. It is like going out and leaving a downstairs window open: you may think nobody can get through it, but a burglar will see it as an invitation.
What football clubs need to do
So, what do football clubs need to do? Broadly speaking, they have to consider four points:
1. Educate people
As we have seen, if employees, however senior, are not careful, they will let bad actors in. It is therefore vital that clubs educate their staff on the threats that may target them: password hygiene, what phishing emails look like, social engineering tactics, the risks of consumer-grade collaboration tools and why software must be kept up to date.
2. Limit access
Linked to that is limiting access to data. Does any single employee need access to everything? Information should be classified by its commercial and legal sensitivity, stored accordingly and access strictly controlled on a need-to-know basis, so that compromising one or two accounts does not hand an attacker the keys to everything.
3. Prioritise security in any collaboration tool
While it is hard to replicate face-to-face collaboration when working remotely, football clubs must avoid sacrificing security for ease of use. Rather than simply using whatever messaging apps their employees use at home, they need to adopt managed, end-to-end encrypted tools that protect the content of messages and calls, run on devices the club controls and patches, and give attackers no easy way into the organisation. Secure video conferencing and telephony likewise keep unwanted listeners off calls.
4. Check every point of access
As the EFL club attack highlights, any weak link is a potential open window. If a system is going to be connected in any way to the corporate network, it needs the same level of security and the same rigorous policies as any other application or service. This is where a zero-trust approach is vital: nothing is trusted merely because it sits on the network, and every app, service, device and user must authenticate, and be authorised, before it is allowed to reach the club’s systems and data.
Combatting a growing threat
Football clubs need to recognise that they are big businesses, that transfer windows are short periods in which huge sums change hands, and that the two combined make tempting targets for bad actors. They need to establish clear security policies and practices that satisfy data protection law, ensure that everything connected to the club is covered, and close every open window, however small, to keep attackers out and sensitive data safe.