The Cyber Threat To Sports Organisations - NCSC.GOV.UK


The Cyber Threat to Sports Organisations
Ensuring fair play online
National Cyber Security Centre

Contents

Forewords
Executive summary
Introduction
  Source of statistics
  How digitally reliant is sport?
Threat overview
  Nature of the threat
  Nation-state involvement
  Major events
Attack trends
  Trend 1: Business Email Compromise (BEC)
  Trend 2: Cyber-enabled fraud
  Trend 3: Ransomware
Venue security
  Attack opportunities
  Implementation of key technical controls
  Venue security: mitigation
Risk management & industry trends
  How important is cyber security and who provides leadership?
  What is driving cyber risk management?
  Risk management guidance

Forewords

Sport is central to British life. It provides massive health, social and economic benefits to the nation, contributing billions of pounds to the UK economy each year. This power and profile make the sector a target for criminals and other cyber attackers.

Sports organisations are reliant on IT and technology to manage their office functions and, increasingly, their security systems at venues. As detailed in this report, cyber attacks can have a wide range of impacts, from multi-million pound fraud to the loss of sensitive personal data. The NCSC is not just here to look after the IT systems of the UK government. We are committed to supporting the sports sector and we encourage you all to implement the guidance outlined in this report.

Ciaran Martin, Chief Executive Officer, NCSC

Cyber security is of ever-increasing importance to sports organisations, from grass roots clubs holding personal data through to national organisations hosting and participating in major international sporting events. Losing access to data, IT or technology can have a significant impact on sports organisations, resulting in data breaches, fraudulent loss of funds and disruption to event delivery. Improving cyber security across the sports sector is critical. The British Olympic Association sees this report as a crucial first step, helping sports organisations to better understand the threat and highlighting practical steps that organisations should take to improve cyber security practices.

Rt Hon Sir Hugh Robertson, Chair of the British Olympic Association (BOA)

Executive summary

The primary cyber threat comes from cyber criminals with a financial motive. Criminal attacks typically take advantage of poor implementation of technical controls, ineffective password policies and normal human traits such as trust.

The most common outcome of cyber attacks is unauthorised access to email accounts (Business Email Compromise) leading to fraud. Ransomware is also a significant issue in the sector.

There have been a small number of hostile nation-state attacks against sports organisations; typically, these attacks have exploited the same vulnerabilities used by criminals.

Cyber security is regarded as an important issue by sports organisations. Almost all those surveyed reviewed cyber security measures in preparation for compliance with the General Data Protection Regulation (GDPR). Statistically, this approach appears to have been successful at preventing mass data breaches.

However, cyber attacks against sports organisations are very common, with 70% of those surveyed experiencing at least one attack per annum. This is significantly higher than the average across UK business.

The survey highlights the following key areas for sports organisations to review:

Email security. Good email technical controls are not routinely applied in the sports sector. Implementing measures such as anti-spoofing and multi-factor authentication can significantly reduce your cyber risk.

Staff empowerment. Under half of organisations provide staff training. Staff are an important line of defence and it is essential to encourage people to report any suspicious activity they spot.

Cyber risk management. Sports organisations are complicated. Survey results indicate that organisations would benefit from a holistic approach to risk management, looking beyond compliance (e.g. beyond GDPR) to ensure all cyber risks are considered across the IT estate.

Introduction

Sport is central to British life. It provides massive health, social and economic benefits to the nation, contributing over £37 billion to the UK economy each year. Unfortunately, this financial power makes the sector a target for criminals and other cyber attackers.

This report is designed to demystify the cyber threat to sports organisations by highlighting the cyber security issues that affect the sector on a daily basis: business email compromise, digital fraud, and venue security.

Along with descriptions of these common attack types, we include some statistics on their occurrence and suggestions for measures which will stop the vast majority of these attacks, or at least reduce their impact.

Sports organisations of all shapes and sizes, from local clubs to national federations, will find this guide useful.

Source of statistics

The statistics contained in the report are primarily drawn from an Ipsos MORI survey, commissioned by the National Cyber Security Centre (NCSC). The survey explored experiences of cyber incidents and breaches, attitudes towards cyber security and its relation to physical security. All fieldwork was conducted in the spring of 2019.

Ipsos MORI completed telephone surveys with 57 sporting organisations. This sample included sporting bodies and specific clubs, from sports such as football, rugby, tennis, cricket and athletics. This may seem a small sample size but, nonetheless, we feel it is sufficient to illustrate some trends and common challenges faced by this sector.

Eight respondents also completed in-depth telephone interviews which lasted approximately 1 hour. The qualitative sample was made up of a mixture of sporting bodies and associations.

How digitally reliant is sport?

Like most of the UK economy, sport is highly reliant on digital technology. Sport is played in large venues with networked security systems controlling essential functions such as turnstiles and security cameras. Sports clubs and organisations hold a significant amount of sensitive personal data and process millions of financial transactions every year.

The Ipsos MORI report revealed that almost all sports organisations have a website and social media accounts, and hold digital records containing personal information about customers, staff and volunteers. Over 80% of respondents had online business systems and offered customers the opportunity to make bookings, payments or purchases via the internet. Sports organisations conduct a lot of activity online and the vast majority hold personal information on customers and employees.

Which of the following, if any, does your organisation currently have or use?

Email addresses for your organisation or its employees or volunteers: 96%
A website or blog: 95%
Personal information about your customers/beneficiaries/service users held electronically: 95%
Personal information about your employees held electronically: 95%
Accounts or pages on social media sites: 93%
Internal online business systems: 88%
The ability for customers to order, book or pay for services online: 82%
A system/database for sharing confidential, medical or performance data (players or athletes): 77%
An online bank account your organisation or your clients pay into: 74%
An online sharing platform (e.g. Strava): 40%

Which of the following devices, if any, does your organisation currently have or use?

Work desktops or laptops: 100%
Work smart phones or mobile phones: 89%
Work tablets: 70%
Work-approved personal devices: 63%
Non-work-approved personal devices: 30%

Threat overview

NCSC research indicates that the cyber threat to the UK sports sector is significant.

At least 70% of the sports organisations we surveyed have experienced at least one cyber incident or harmful cyber activity. This compares to 32% across general UK business, according to the DCMS annual breaches survey.

Around 30% of incidents resulted in direct financial damage to the victims, with costs varying considerably from under £500 through to over £100,000 per incident. The average cost was more than £10,000 per incident.

Beyond direct financial costs, 41% of breaches or attacks resulted in new measures being put in place to prevent further incidents.

Key figures:
At least 70% of sports organisations have experienced a cyber incident or breach.
30% of organisations recorded over 5 incidents in the last 12 months.
Approximately 30% of these incidents caused direct financial damage, averaging £10,000 per incident.
The biggest single loss was over £4m (excluded from averages).

Nature of the threat

The primary cyber threat to sports organisations comes from cyber criminals with a financial motive. Survey data, quantitative research and the NCSC's own incident data suggest that almost all criminal attacks are conducted using commonly available tools and techniques which don't need a lot of technical knowledge to be effective. These include phishing, password spraying and credential stuffing.

These low-level attacks often take advantage of poorly implemented security controls, for instance ineffective password policies and known software bugs that aren't patched. They also exploit normal human traits such as trust in order to gain unauthorised access to accounts or business systems. The outcome of these 'commodity' attacks varies, but often results in Business Email Compromise (BEC) or the delivery of malware.

In most cases, attacks are not targeted; sports organisations just happen to be victims of mass campaigns. However, major losses have been experienced by sports organisations as a result of bespoke attacks, where criminals have harvested information before undertaking fraudulent financial transactions.

Nation-state involvement

Broadly speaking, the NCSC assesses that there is a remote chance of nation-states targeting the sport sector. However, there have been a small number of highly targeted incidents where nation-states have conducted cyber attacks against sports organisations.

The most high profile attacks were conducted by Russian military intelligence (the GRU) against the World Anti-Doping Agency (WADA) in August 2016. The GRU stole confidential medical files from WADA's Anti-Doping Administration and Management System, then leaked sensitive information onto the internet.

The WADA hack was part of a wider campaign of malicious activity against sporting bodies, likely conducted in retaliation for Russian athletes being banned from competing under the Russian flag. Consequently, we assess that the Russian threat to sports organisations is focused on a small subgroup of organisations that hold, or have access to, sensitive athlete data. The likelihood of this threat materialising will increase if Russia's relationship with host countries or sporting institutions deteriorates in the run-up to a major sporting event.

Major events

We assess that organisations which host major sporting events face a higher cyber threat than the industry average. The 2018 Winter Olympics in Pyeongchang were hit with an advanced and wide-ranging series of cyber attacks, reportedly causing disruption to the opening ceremony and the event's website. These activities were almost certainly conducted by a nation-state, with intent to disrupt the games.

It should be noted that major sporting events also face a heightened criminal threat. Quantitative research indicates that major events are targeted by cyber-enabled crime, such as 'spear phishing', and cyber-dependent crimes such as ticketing scams.

Attack trends

Trend 1: Business Email Compromise (BEC)

Research indicates that Business Email Compromise (BEC) is the biggest cyber threat to sports organisations.

BEC involves attackers seeking to gain access to official business email addresses, which they then use to engineer such things as fraudulent payments or data theft.

The primary motivation for BEC is financial gain. According to Action Fraud, BEC is one of the fastest growing cybercrime operations out there. Its 'low cost, high return' model is doubtless what attracts criminals.

How business email is compromised

BEC activity can be highly targeted and involve many layers. Techniques such as 'spear phishing', combined with phone calls and spoofed emails, are all deployed in order to obtain usernames and passwords from staff. Attacks are often aimed at users who have senior roles or can authorise financial transactions.

Once access has been achieved, attackers operate indiscriminately and may steal thousands of emails before any tangible impact is identified by the victim.

Business Email Compromise can also come about through industrial-scale technical attacks, such as credential stuffing and password spraying (see Attack types defined). The outcomes of successful opportunistic attacks frequently involve auto-forward rules being put in place on a compromised email account, to steal sensitive information.

What makes Business Email Compromise possible?

The rise of Business Email Compromise has been facilitated in part by the increased popularity of Software-as-a-Service (SaaS) solutions, such as Office 365 and G Suite. SaaS normally offers access from anywhere by default, meaning anyone can log on with a valid username and password combination. This is great for the organisations using these services as it's cheap, convenient and flexible. However, it's important to do what you can to secure your organisation's accounts, so it doesn't end up causing more problems than it solves.

One of the best technical controls to reduce the risk of BEC is multi-factor authentication (MFA). MFA provides an extra layer of security for online services, preventing attackers from accessing them with passwords alone.

Survey results indicate that 51% of sports organisations already use MFA on some services; this is a key action area.

Research indicates that IT professionals often meet resistance from senior management when attempting to implement MFA. This may be due to concerns about harming the business by putting security 'blockers' in the way of working practices. So it is important to shape solutions that fit the business, such as implementing Conditional Access controls (see below) to ensure MFA fits your business context. Low staff awareness may also contribute to lack of adoption of MFA (see Cyber-enabled Fraud below).

Attack types defined

Phishing
Phishing describes a type of social engineering where attackers trick users into 'doing the wrong thing', such as disclosing information or clicking a bad link. Phishing can be conducted via a text message, social media, or by phone, but these days most people use the term 'phishing' to describe attacks that arrive by email. Email is an ideal delivery method for phishing attacks as it can reach users directly and hide among the huge number of benign emails that busy users receive. In a targeted campaign, an attacker may use information about your employees or company to make their messages even more persuasive and realistic. This is usually referred to as 'spear phishing'.

Credential stuffing
Credential stuffing takes advantage of the fact that people often use the same username and password combinations for more than one online account. By fraudulently gaining valid combinations for one site, and successfully using them on other sites, an attacker can access many legitimate accounts with a single set of credentials. The primary motivation is financial, but it can lead to identity theft.

Password spraying
Lists of a small number of common passwords are used in what's known as a 'brute force attack' on large numbers of accounts. These attacks are successful because for any large set of users, there will likely be some who are using very common passwords. These attacks can slip under the radar of security monitoring which looks at each account in isolation.

[Chart: Attack trends, percentage of organisations reporting attack activity. Categories and items: Fraud and phishing (fraudulent emails, text messages or phone calls; staff directed to fraudulent websites; people impersonating the organisation in emails; hacking or attempted hacking of bank accounts). Malware (ransomware/spyware/viruses): 39%. Data and systems breaches (personal data altered, destroyed or taken; software or systems corrupted or damaged; unauthorised access or hacking into business systems; permanent loss of files). Access or business disruption (website or online services taken offline; temporary loss of access to files or networks; distributed denial of service). Individual values in the chart range from 4% to 75%.]
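The password spraying definition above makes a point worth seeing in code: monitoring that counts failures per account never fires on a spray, because the attacker tries one or two passwords against many accounts and stays under every lockout threshold. The following is an added example, not taken from the NCSC report, run over a constructed authentication log. It implements both views side by side: the classic per-account lockout counter, and a detector that groups failures by source address and counts distinct target accounts within a sliding window, then reports which of those accounts later authenticated successfully from the same source. The log format, IP addresses, account names and thresholds are all assumptions made for this example.

```python
"""Password spraying: per-account lockout counters versus per-source grouping.

Added example, not code from the NCSC report. The log format below
('<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>') and all sample
lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries one password against ten accounts
# (and gets into j.brown); a second source is an ordinary user mistyping.
SAMPLE_LOG = """\
2019-05-07T09:00:01 203.0.113.7 a.smith FAIL
2019-05-07T09:00:03 203.0.113.7 b.jones FAIL
2019-05-07T09:00:04 203.0.113.7 c.khan FAIL
2019-05-07T09:00:06 203.0.113.7 d.patel FAIL
2019-05-07T09:00:08 203.0.113.7 e.wong FAIL
2019-05-07T09:00:09 203.0.113.7 f.green FAIL
2019-05-07T09:00:11 203.0.113.7 g.hall FAIL
2019-05-07T09:00:12 203.0.113.7 h.lee FAIL
2019-05-07T09:00:14 203.0.113.7 i.clark FAIL
2019-05-07T09:00:15 203.0.113.7 j.brown FAIL
2019-05-07T09:00:17 203.0.113.7 j.brown SUCCESS
2019-05-07T09:01:00 198.51.100.9 a.smith FAIL
2019-05-07T09:05:00 198.51.100.9 a.smith FAIL
2019-05-07T09:07:00 198.51.100.9 a.smith SUCCESS
"""

LOCKOUT_FAILURES = 5            # assumed per-account lockout threshold
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 8          # distinct accounts failed from one source


def parse(log_text):
    """Parse the constructed log into (timestamp, ip, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def per_account_lockouts(events, threshold=LOCKOUT_FAILURES):
    """The classic control: count failures per account in isolation.
    Returns the accounts that would be locked out. A spray leaves this empty."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(user for user, n in fails.items() if n >= threshold)


def detect_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Group failures by source IP and alert when one source fails against
    at least min_accounts distinct accounts inside a sliding time window.
    Returns {ip: {"accounts": [...], "later_success": [...]}} where
    later_success lists sprayed accounts that then logged in from that IP,
    i.e. the ones to treat as compromised."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, user, result in evs if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            targeted = {user for _, user in fails[start:end + 1]}
            if len(targeted) >= min_accounts:
                hits = {user for _, user, result in evs
                        if result == "SUCCESS" and user in targeted}
                alerts[ip] = {"accounts": sorted(targeted),
                              "later_success": sorted(hits)}
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(evs))
    for ip, alert in detect_spray(evs).items():
        print(f"spray from {ip}: {len(alert['accounts'])} accounts, "
              f"succeeded on {alert['later_success']}")
```

On the constructed log the lockout list is empty (no account exceeds five failures) while the per-source detector flags 203.0.113.7 and names j.brown as the account to reset. Real sprays are slower and come from rotating addresses, so the window and threshold need tuning to your sign-in volume, and grouping by other shared attributes (user agent, ASN) catches what a single IP key misses. For the SaaS mail services discussed above, the equivalent data is the tenant's sign-in log rather than a local file.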

Office 365 payment fraud targeting a Premier League football club

The Managing Director (MD) of a Premier League football club was the victim of a 'spear phishing' attack. When he clicked on the email, he was diverted to a spoofed Office 365 login page where he entered his credentials, unwittingly passing his email address and password to unidentified cyber criminals.

During the transfer window, the football club agreed a transfer with a European club worth almost £1 million. However, the cyber criminals were using the MD's credentials to monitor account activity and identified the impending transfer as an opportunity to monetise their attack. The attackers assumed the identity of the MD and communicated with the European club. Simultaneously they created a false email account and pretended to be the European club in communications with the real MD. At this point the football clubs thought they were talking to each other, but both were talking to the cyber criminals.

The cyber criminals sent an amended payment request to the MD, changing the real bank details to an account they had control of. The transaction was approved and the Premier League club almost lost £1 million. Fortunately, the payment did not go through. The cyber criminals' account had a fraud marker against it and the bank refused the payment. This highlighted the attempted fraud to the FA and the victim club.

Office 365 account compromise affecting a UK sporting body

An organisation that holds athlete performance data had been using Office 365 as its corporate email for several years. When a member of staff received an unusual auto reply from a colleague, they reported it to their IT team as suspicious. Investigations revealed that for several months the colleague's email account (and eight others) had been compromised by an unexplained rule that was auto-forwarding emails to one of three suspicious external email accounts.

Approximately 10,000 emails were found to have been sent to the external email accounts. Many of these contained personal data, and the Information Commissioner's Office (ICO) was notified immediately. The organisation was able to employ specialist legal and forensic advice provided through its cyber insurance policy, although there was significant cost to the organisation in terms of diverting internal resources and policy excess costs.

Because of the length of time since the initial breach, there was not a complete set of audit logs, and forensic investigations were unable to identify the source of the breach. However, to advise affected parties of the breach, the organisation had to contact well over 100 individuals whose sensitive data had been stolen.

The organisation did have a policy of enforcing strong passwords, but at the time of the incident had not enabled MFA for Office 365. Following the incident, the organisation implemented MFA for all Office 365 accounts and for other online applications processing sensitive data.
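The BEC section above and this second case study describe the same post-compromise step: a rule that silently forwards a mailbox to an external address, which here went unnoticed for months and moved about 10,000 emails. The following is an added example, not part of the NCSC report, of the check a defender can run over exported mailbox audit records to find such rules: it flags any New-InboxRule, Set-InboxRule or Set-Mailbox change whose forwarding target is outside the organisation's own mail domains, and marks rules that also delete the original message, since that hides the theft from the mailbox owner. The records are constructed; the field layout (Operation, UserId, ClientIP, Parameters as Name/Value pairs) is my assumption about the shape of an Office 365 Unified Audit Log export, and the domain example-sport.org is assumed.

```python
"""Find mailbox rules and settings that forward mail outside the organisation.

Added example, not code from the NCSC report. The records below are
constructed and the field names (Operation, UserId, ClientIP, Parameters
as Name/Value pairs) are an assumption about how Exchange admin audit
entries appear in an Office 365 Unified Audit Log export.
"""
import json
import re

ORG_DOMAINS = {"example-sport.org"}   # assumed: the organisation's own mail domains

# Rule and mailbox parameters that cause copies of mail to leave the mailbox
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Pulls addresses out of values such as 'smtp:user@host' or '"Name" [SMTP:user@host]'
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records (not real audit data)
SAMPLE_AUDIT = json.dumps([
    {"CreationTime": "2019-03-02T08:14:00", "Operation": "New-InboxRule",
     "UserId": "analyst@example-sport.org", "ClientIP": "192.0.2.10",
     "Parameters": [{"Name": "Name", "Value": "Fixtures"},
                    {"Name": "SubjectContainsWords", "Value": "fixture"},
                    {"Name": "MoveToFolder", "Value": "Fixtures"}]},
    {"CreationTime": "2019-03-02T23:41:00", "Operation": "New-InboxRule",
     "UserId": "coach@example-sport.org", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo",
                     "Value": "smtp:perf.backup@webmail-provider.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-03-03T10:02:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example-sport.org", "ClientIP": "192.0.2.11",
     "Parameters": [{"Name": "Identity", "Value": "finance@example-sport.org"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:payments@example-sport.org"}]},
])


def params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address):
    """True when the address's domain is not one of ORG_DOMAINS."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def external_forwards(audit_json):
    """Return one finding per rule or mailbox change that forwards to an
    address outside ORG_DOMAINS. Internal forwards are ignored. A rule that
    also deletes the original is marked: the owner never sees the mail and
    so never notices the leak."""
    findings = []
    for record in json.loads(audit_json):
        p = params(record)
        targets = []
        for name in FORWARDING_PARAMS & p.keys():
            targets += [a for a in EMAIL_RE.findall(p[name]) if is_external(a)]
        if targets:
            findings.append({
                "time": record["CreationTime"],
                "user": record["UserId"],
                "operation": record["Operation"],
                "client_ip": record.get("ClientIP"),
                "targets": sorted(set(targets)),
                "deletes_original": p.get("DeleteMessage", "").lower() == "true",
            })
    return findings


if __name__ == "__main__":
    for finding in external_forwards(SAMPLE_AUDIT):
        print(finding)
```

On the constructed records only the coach's rule is reported: it forwards to an outside webmail address, deletes the original, and was created late at night from an address unlike the organisation's own. Two caveats follow directly from the case study. Audit retention was shorter than the compromise there, so this creation-event search must be paired with an inventory of the rules and forwarding settings present on mailboxes now, not just those whose creation is still logged. And the finding is only the detection; the fix the organisation applied was MFA on every account, which stops the credential from being usable in the first place.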

