Follow Basic Cyber Hygiene to Protect Sport Stadia Operations

Cybercrime has increased significantly over the past several years, more so in 2020 during the COVID-19 pandemic. The FBI’s Internet Crime Complaint Center received a record number of complaints (791,790) from the American public in 2020, with reported losses exceeding $4.1 billion — a 69 percent increase in total complaints from 2019.

Sports organizations are not immune to cyber risks. In 2020, Manchester United, one of the most popular soccer clubs in the world, admitted to being a victim of a cyberattack that team officials described as “disruptive.” In 2021, hackers claimed to have stolen 500 gigabytes of data from the Houston Rockets, including contracts, nondisclosure agreements and financial data. In 2022, the San Francisco 49ers experienced a network security incident that exposed the personal identifiable information of nearly 21,000 individuals, with a ransomware gang claiming responsibility. Thus, it is imperative for sport venue managers and event organizers to have a basic understanding of potential cyber threats, risk-mitigation options, training and resources available on information security principles and techniques.

The convergence of cyber and physical security in venues is apparent with the increased interconnectivity of operations — mobile ticketing, turnstiles, electronic credentials, point-of-sale transactions, HVAC controls, lighting and security command center operations.

The 2020 FBI Internet Crime Report presented the following potential cyber threats: 1) business email compromise or email account compromise, 2) identity theft, 3) nonpayment or nondelivery, 4) phishing, vishing, smishing or pharming, 5) ransomware, and 6) technical support fraud. Additionally, stadia management and senior leadership should be aware of the practice of doxing. The Cybersecurity and Infrastructure Security Agency (CISA) defines doxing as “the internet practice of gathering an individual’s personally identifiable information, or an organization’s sensitive information, from open source or compromised materials and publishing it online for malicious purposes.”

The FBI Cyber Division highlighted best practices to minimize these cyber risks. This included backing up data, images and configurations; utilizing multifactor authentication; and updating operating systems, software and firmware as soon as manufacturer updates are available. Network system and account passwords should be regularly changed, and reusing passwords for multiple accounts should be avoided.

Organizations should automatically update antivirus and antimalware solutions and conduct regular virus scans. Furthermore, management and staff need to take an active role in controlling information shared and stored online. According to CISA, this includes auditing personal and organizational social media accounts, protecting against spear phishing (unsolicited phone calls, emails or site visits), and reviewing mobile apps and browser extensions frequently to remove those that are unnecessary, as these tools tend to collect personal data.

The National Center for Spectator Sports Safety and Security (NCS4) 2022 Industry Research Report surveyed venue security directors from all major North American professional sports franchises. Of the 40 who responded, 87.5 percent had cybersecurity defense programs, 85 percent provided basic cybersecurity awareness training for full-time staff, and 92.5 percent informed patrons of their secure in-house Wi-Fi networks. Further, 97.5 percent used antivirus software, 92.5 percent used encryption software and multifactor authentication systems, and 87.5 percent had active security measures to protect hardware and other critical equipment and systems.

Cyber risks can threaten an organization's ability to operate and access information, interrupt game-day activities, damage reputations and ultimately affect the bottom line. Managers and leaders can help reduce their organization’s cyber risks by taking a holistic approach and investing time and money to build a culture of proactive cybersecurity. Staff must know the different types of cyber threats and understand basic cybersecurity hygiene principles. The organization must develop a cyber incident response plan, train staff on information security and reporting protocols, and conduct a cyber-attack exercise to test contingency plans for recovery.

What follow are basic cyber hygiene action items for leaders recommended by CISA, as well as a list of industry resources for organizations interested in training and education opportunities.

Cyber hygiene checklist

• Are you investing in basic cybersecurity and leading the development of cybersecurity policies?
• Do you know how much of your organization’s operations are dependent on IT?
• Have you built trusted relationships with government agencies to gain access to timely cyber threat information?
• Is your staff leveraging basic cybersecurity training opportunities to understand and implement best practices?
• Has your staff learned about risks such as phishing and business email compromise?
• Do you know what’s on your network? (Have you made an inventory of hardware/software assets?)
• Do you automatically update operations and third-party software?
• Do you utilize multifactor authentication for all users?
• Do you grant access and admin permission on a need-to-know basis?
• Do you leverage unique passwords for all user accounts?
• Have you developed IT policies and procedures addressing changes in user status?
• Have you created and maintained an inventory of critical or sensitive information?
• Do you leverage malware protection capabilities?
• Have you established regular automated backups and redundancies of key systems?
• Do you have an incident response and disaster recovery plan outlining roles, and do you test your plans?
• Have you developed an internal reporting structure to detect, communicate and detain attacks and know who to call for help ( i.e., vendors, government responders, technical advisors)?

Industry resources

• CISA Incident Reporting System: us-cert.cisa.gov/forms/report
• Commercial Facilities Resources: cisa.gov/cisa/commercial-facilities-resources
• Critical Infrastructure Vulnerability Assessments: cisa.gov/critical-infrastructure-vulnerability-assessments
• Cybersecurity Advisors: cisa.gov/stakeholder-risk-assessment-and-mitigation
• Cyber Essentials Starter Kit: cisa.gov/cyber-essentials
• Cyber Resource Hub: cisa.gov/cyber-resource-hub
• Cybersecurity and Physical Security Convergence: cisa.gov/publication/cybersecurity-and-physical-security-convergence
• Cybersecurity Training and Exercises: cisa.gov/cybersecurity-training-exercises
• FBI Internet Crime Complaint Center (IC3): ic3.gov
• Stop Ransomware: cisa.gov/stopransomware
• NCS4 Training & Education – DHS/FEMA Courses: ncs4.usm.edu/training/dhs-fema-courses
• Protective Security Advisors: cisa.gov/protective-security-advisors
• TEEX Training and Education: teex.org