Summer in the Northern Hemisphere marks an explosion in sports activity - annual events like Wimbledon tennis, the Tour de France cycle race, athletics’ Diamond League, and this year the FIFA Women’s World Cup football and the ICC Cricket World Cup, among others.
In terms of news stories, it’s been a quiet one for cybersecurity.
It’s not always been like this. In 2018, the Winter Olympics’ opening ceremony was reported by the New York Times to have suffered a cyber attack.
The previous year, athletics' governing body the IAAF reported that it had become the victim of an attack which compromised athletes’ medical data - three years after an attack on the World Anti-Doping Agency (WADA) focused on the same type of information.
NTT's threat analysis shows there are sectors that are much more commonly attacked than sport. Finance and technology companies, for example, face 34% of all attacks, according to our Global Threat Intelligence Report 2019. This is partly because of perceived monetary or intellectual property gains from attacking these companies.
These sectors have high levels of connectivity and extensive use of external applications to power their business and drive customer behavior, which provides an expanded threat surface for cyber criminals to harness.
But do not think for one moment that the threat landscape has quietened, simplified, or that threat actors have no interest in sport: nothing can be further from the truth. According to a report, the number of cybersecurity events facing Wimbledon increased 300% year-on-year in 2018.
For most sports organizations, it is not necessarily their brand value that attracts malicious behavior. Just two of Interbrand's Best Global Brands are in the sports sector, and both of these are clothing brands.
The motivations of those who intend harm to the sports industry differ from those in other sectors. Where sportspeople have been banned over doping concerns, as in athletics, hackers may have politically oriented motivations. In some cases, it may not be the target organization that is actually of interest – it could be its supply chain, or an organization, concept or person that it represents. Theft of competitive information can sometimes be another driver, as was the case in the Houston Astros Major League Baseball data theft incident.
From a technical perspective, sport has been much less connected - which has limited the volume of malicious activity - but this will not be the case for much longer.
Sport is a radically different industry. Athletes are typically millennials, who demand flexibility and the latest technology. The information architecture of sport is more distributed due to the number of (and changing nature of) locations that sportspeople train and compete in. Tennis coaches collect data on a player’s performance in training on a mobile device, which may be backed up to the public cloud, and/or face a delay in being safely backed up to the server of the tennis academy. Medical data must be processed in sports stadia that, in many cases, are only temporary facilities for the organization in question.
Big data use in sport is accelerating, analyzing performance like never before. Spending on sports analytics is currently growing at a massive 68% compound annual growth rate. Storage and processing require more servers in more locations, with immediate access from mobile devices. Developers are writing a proliferation of apps for the sport and fitness industries, yet in the race to market, security is unfortunately often overlooked. Analysis by WhiteHat Security (part of NTT) published in its Application Security Statistics Report found there are more serious vulnerabilities than sites in the closest related sector (arts, entertainment and recreation).
To make sense of this big data (and for many other opportunities such as chatbots), sports organizations are employing Artificial Intelligence (AI). But this creates further questions of how to secure AI, and ethical questions of how to eliminate machine learning bias.
Add to this the growing number of internet of things sensors, location-based services, the need for total segregation of spectator and operational networks, and securing payment systems, and the needs of the sport industry become complex.
In common with all other organizations, accurately assessing risk and the assets to protect, and developing and testing an incident response plan, are vital. So are application security and threat intelligence to head off targeted threats.
Security must become everyone’s concern in sport. Education and culture are key. Adding the right processes and technology will help sport organizations protect their brand and athletes, and leverage competitive advantage.
NTT is Official Technology partner of the Amaury Sport Organisation, organizer of the Tour de France.