NCC Group, Oxford, PSMG, release Cyber Threats in Sport research

Dec. 3, 2023
Fitness trackers, health devices, smart stadiums and other connected systems all expand the attack surface that can be used to target sports individuals and organizations.

New research from global cyber security experts NCC Group, the Oxford Researchers Strategy Consultancy (University of Oxford) and Phoenix Sport & Media Group (PSMG) has uncovered a pressing need for heightened cyber security measures across the sports industry. It comes as various clubs and organizations become increasingly attractive targets for cyber attack.

“The Hidden Opponent: Cyber Threats in Sport” whitepaper is based on insight gathered from key stakeholders within the world of sport. IT and security managers working within Premier League and Formula 1 racing were interviewed to discuss their approach to cyber security risks and the protective measures they have in place.

Key findings

Heightened cyber security concerns come as reliance on connected technology increases across the industry. Fitness trackers, health devices, smart stadiums and other connected systems all expand the attack surface that can be used to target sports individuals and organizations. Coupled with the fact that the global sports industry is projected to generate $700 billion in 2026, this makes the industry an attractive target for hackers seeking financial gain through fraud or extortion.

Interviews identified several key cyber security concerns. Overall, there are low levels of cyber maturity and widespread outdated approaches towards cyber security among teams and clubs. Deployment of IT and cyber security roles is concerningly limited industry-wide, with Chief Information Security Officers (CISOs) found to be uncommon in sports organizations, meaning a lack of dedicated roles for protecting against cyber attacks.

Limited financial investment was also a pertinent concern among sports industry professionals. Research reflected a lack of financial resources for security assurance needs, with interviewees finding that convincing boards to spend on cyber security needs was challenging, even in cases where specific risks had been identified.

The absence of industry security benchmarks of the kind that sectors like banking and healthcare can follow could also be contributing to confusion around how much should be spent on cyber security, especially given the differences between leagues and divisions.

NCC Group also discovered that 60% of generic email addresses used by all Premier League Clubs have appeared in known public breaches, with one club’s email address appearing in 16 unique public data breaches. Alongside industry professionals, fans are also at increased risk of financial fraud relating to tickets as well as privacy breaches due to stolen data.

Ransomware was also raised as a concern for most sports organizations, given there is little to no cyber security governance in place. Cyber security training was found to be light touch, and the research also found inconsistent approaches to Identity & Access Management (IAM) and outdated use of passwords.

Key recommendations

Recommendations include the prioritization of cyber security spending and the creation of an industry-wide standard for budgets, ideally scaling with size and annual turnover.

A club which generates over £50 million and is capable of spending at least £5 million on cyber security assurance services would be able to achieve improved cyber maturity and thus reduced risk exposure.

NCC Group has devised a cyber security maturity model for the industry, based on the key themes and concerns raised during the research, to help organizations benchmark where they currently are in terms of cyber security and the gaps that must be addressed.

Sports clubs are also advised to improve training and awareness around cyber security risks for staff and to invest in resources and third-party support to better prepare them in the event of a breach. As part of this, more emphasis should be placed on employing dedicated cyber security staff such as a Chief Information Security Officer (CISO) on boards of sports teams.

The whitepaper comes amidst growing concern over increased levels of malicious cyber activity. September saw record levels of ransomware attacks for 2023, according to NCC Group’s monthly threat pulse, which monitors global cyber security activity.

Commenting on the research, Matt Lewis, Global Head of Research at NCC Group said: “We’ve seen the sports industry become an increasingly attractive target for cyber security attacks over recent years. From speaking to industry professionals as part of this research, it’s clear that there’s a disconnect between the perception and reality of how at-risk the industry currently is.

“We hope the report provides both clarity on the vulnerabilities the industry faces, and the practical solutions that can be put in place to improve how the industry prevents and prepares for potential cyber-attacks,” he added. “By implementing the relevant strategies and resources outlined in the report, cyber can be reduced to help preserve brand reputation, confidentiality of information, and integrity of industry players and organizations.”  

Carly Barnes, CEO of Phoenix Sport & Media Group added: “The financial power of the sports sector makes it a prime target for cyber criminals. We are proud to have worked alongside NCC Group and the Oxford Researchers Strategy Consultancy (University of Oxford) to produce this unique and valuable research paper.

“The strength of NCC Group’s global cyber security expertise, research excellence from the Oxford Researchers Strategy Consultancy, and Phoenix Sport & Media Group’s deep knowledge and expertise of global sport are combined to foster knowledge exchange at the highest level and, together, to help build cyber resilience in the sector.”