The UK’s sporting organizations have been told to urgently improve cybersecurity after a new GCHQ report revealed that 70% have experienced a breach or incident in the past year, more than double the business average.
The National Cyber Security Center (NCSC) study also claimed that 30% of these organizations have experienced over five incidents in the past year.
In a sector said to contribute £37bn to the UK economy, it’s no surprise that most threats are financially motivated. Almost a third (30%) of incidents studied caused direct financial damage to the victim organization – on average, £10,000 per security breach, although one organization lost over £4m.
Tried-and-tested techniques are being used to compromise firms in the sector, including phishing, credential stuffing, malware and password spraying.
The most common threat is business email compromise (BEC). The NCSC claimed one Premier League football club nearly lost a £1m transfer fee to scammers after they hijacked the Office 365 account of its managing director. The scam was only stopped after the bank noticed a problem with the payee account.
Cyber-fraud was pegged as another common threat to sporting organizations, covering not just BEC but also mandate fraud, CEO fraud, conveyancing fraud and invoice fraud. Three-quarters (75%) of surveyed firms had received fraudulent emails and at least 30% said they had experienced people fraudulently impersonating the organization in emails. Fewer than a third have DMARC configured, said the NCSC.
Two-fifths (40%) of attacks on sporting organizations involved some form of malware, with ransomware the biggest threat. One English Football League (EFL) club experienced a serious outage which hit virtually all endpoints, locally stored data and stadium CCTV and turnstiles, almost leading to the cancellation of a match.
“While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber-criminals cashing in on this industry is very real,” said NCSC director of operations, Paul Chichester.
“I would urge sporting bodies to use this time to look at where they can improve their cybersecurity – doing so now will help protect them and millions of fans from the consequences of cybercrime.”
Multi-factor authentication, role-based monitoring, improved cyber-awareness programs, business continuity plans and a board-level discussion of risk are all vital actions for the industry going forward, said the NCSC.