Venue operators and security professionals who devote a lot of time and resources to the physical vulnerabilities of a facility — entryways and exits, concourses and corridors, seating areas — are overlooking a major threat that puts their fans and employees at serious risk. Cyber threats spare no one, and security managers must take appropriate precautionary measures.
But what is cyber security, and how does it fit into a risk management plan? Cyber attacks come in many flavors, any number of which can completely disrupt even the best-run operation. Without getting muddled in the myriad technical details, here are but a few of the threat scenarios an athletic facility could face, illustrating the variety of issues a security manager needs to plan for.
Data/Financial Theft: This type of security breach, aimed at stealing valuable financial data, is common in the general public, and athletic facilities are not immune. Venue managers need to have security plans in place to protect against hackers aiming to steal financial information, as well as information about venue owners or concessioners that could be used to turn an illegal profit.
Operational Disruption: Hackers could knock out in-stadium computer systems, provide false information to fans during an emergency or turn off key systems such as lights or fans. Safeguards to protect key control systems should be a part of every facility's security protocol.
Physical Harm: The most startling cyber-attack possibility is one that results in harm to fans, venue employees or the venue itself. Several incidents have occurred in which hackers were able to cause physical damage by overloading key utility systems or shutting down safety programs.
WHAT CYBER SECURITY MEASURES ARE NEEDED?
Implementation of a good cyber security program can have immediate benefits to a facility. Reducing exposure to cyber attacks can result in insurance benefits, such as lower premiums or better coverage terms. Part of this benefit comes from the ability to earn liability protections under the Support Anti-Terrorism By Fostering Effective Technologies Act of 2002, or the "SAFETY Act." The SAFETY Act is a law administered by the Department of Homeland Security (DHS) that limits or eliminates specific types of third-party tort claims following a terrorist attack, including attacks conducted using cyber weapons.
The most common cyber security question being asked today is, "What steps should I be taking to protect myself?" followed closely by, "How do I know if that is enough?"
Unfortunately, there is no definitive answer to either question. One option is to have a venue's cyber security program reviewed by DHS and receive SAFETY Act protections, allowing the venue operator to legitimately claim that the U.S. government found its cyber security program "useful" and "effective" against cyber attacks. Having that kind of evidence available will be extremely helpful in negotiating with insurance carriers, and may well play a critical part in obtaining more favorable coverage.
Practically speaking, the best way for venue security managers to approach cyber security is through a two-pronged strategy:
Prevent malware from entering a system. A strong technical system is the best defense against cyber attacks. Some experts estimate that more than 80 percent of cyber attacks can be stopped with simple measures such as strong passwords and the use of reasonably strong cyber security programs. Most critically, however, security managers need to understand that they need a strong perimeter defense as part of their overall cyber security program.
Minimize the amount of damage a hacker can inflict. Even as the technology defenses against cyber attacks become more robust, hackers are becoming more clever, and not every attack can be stopped. Every venue needs systems and policies to quickly detect a cyber attack and slow or stop it as fast as possible. Much like any good emergency response program will include mass trauma response plans, venue cyber security plans should include "cyber first aid," aimed at stopping the bleeding as soon as possible. Too many security managers ignore that aspect of cyber security plans, and doing so will only lead to failure.
Like any other security plan, an athletic venue's cyber security plan must contain policies and procedures for stopping attacks before they happen, as well as plans for minimizing the damage caused by a successful attack. Security managers should work closely with their risk managers to maximize the benefits they can achieve from having a good security plan in place.
Cyber attacks and hackers are here to stay. Athletic venue security managers have to accept that reality, which means that they need to consider cyber security to be as important as a physical security threat. Failing to do so will only leave the venue and its occupants vulnerable to a whole new category of threats.
Brian E. Finch (@BrianEFinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP.
This article originally appeared in the Fall 2015 issue of Gameday Security with the title "Virtual Threats."