From the Premier League downwards, UK football clubs demonstrate a critical lack of cyber resilience, putting the data of fans and players alike at risk from a myriad of potential threats, according to a new report prepared by security consultancy NCC Group.
Working alongside the Oxford Researchers Strategy Consultancy at the University of Oxford and Phoenix Sport and Media Group (PSMG), the research highlights a pressing need for IT and security teams in the football industry, and in other sports, to be accorded appropriate resources.
“We’ve seen the sports industry become an increasingly attractive target for cyber security attacks over recent years,” said NCC global head of threat research Matt Lewis.
“From speaking to industry professionals as part of this research, it’s clear that there’s a disconnect between the perception and reality of how at-risk the industry currently is. We hope the report provides both clarity on the vulnerabilities the industry faces, and the practical solutions that can be put in place to improve how the industry prevents and prepares for potential cyber attacks.
“By implementing the relevant strategies and resources outlined in the report, cyber can be reduced to help preserve brand reputation, confidentiality of information, and integrity of industry players and organisations,” he said.
The report, The hidden opponent: Cyber threats in sport, is based on insights gathered from IT and security managers working in the football industry. It identifies several key concerns around a lack of cyber maturity and outdated approaches to the issue, as well as a worryingly limited deployment of IT and cyber security roles in the sector, with dedicated chief information security officers (CISOs) rare.
On top of this, football club boards appear neither willing to listen to pleas for more resources nor spend to improve matters, happy to drop hundreds of millions on players but drawing the line at paying a CISO an appropriate wage – the average CISO salary in the UK over the past six months to 1 December is approximately £127,000, according to ITJobsWatch.
One IT manager interviewed at a club whose owners have a combined worth of billions of pounds said they had less than 10 staffers covering both IT and cyber, and were tasked to secure a major enterprise. Speaking under guarantee of anonymity, they said: “Dealing with a football club is essentially dealing with two entities – you have the playing side, which is a big business, and then you have an SME [small and medium-sized enterprise] on the other side, running IT with limited staff and budget.”
Other issues uncovered included an over-reliance on cyber insurance – which, when appropriately implemented can help cushion the financial blow of a cyber attack but does nothing to prevent impacts on business operations or reputational damage, a big concern for prominent clubs; a lack of industry or peer benchmarking; a lack of third-party due diligence; little to no incident response prep or capability; no cyber training beyond limited phishing awareness exercises; inconsistent approaches to identity and access management (IAM); a complete lack of data management; and little governance or standards in place.
Football clubs also struggled to keep pace with the evolving technology and threat landscapes, which is not uncommon in any sector, but an added headache in an industry where a run of good form can see a previously languishing side suddenly propelled to promotion, making them a more attractive target to cyber criminals and forcing IT and security teams to undergo rapid change to accommodate the heightened risk their newfound prominence brings.
The report sets out a number of recommendations, including a new possible industry-wide standard for cyber security budgets, which scales based on club size, annual turnover and desired level of cyber security maturity – a large Premier League club should target 10% of its spend on cyber for best results, for example.
To help set these budget targets, NCC has also come up with a cyber security maturity model for the football sector, based on the themes and concerns highlighted by those it spoke to, which may help club IT leaders get a start on benchmarking their current cyber posture and identifying gaps.
NCC is also encouraging clubs to improve training and awareness around security risks across the board – from back office to groundskeeping, to management to players – as an absolute priority, and place more emphasis on employing dedicated cyber professionals.