The UK’s National Cyber Security Centre (NCSC) has issued a warning about the growing risk of sports organizations becoming valuable targets for ransomware attacks, phishing campaigns and Business Email Compromise (BEC).
“We are urging sports teams and organizations to strengthen their cyber security defenses after a new survey revealed that 70% have been attacked by cyber criminals in the last 12 months,” the NCSC said in a recent tweet.
According to a survey commissioned by the agency, cyber threats and attacks have increased significantly in the past year. The report shows that at least 70% of sports organizations have fallen victim to at least one cyber incident, which is “more than double the average for UK businesses.”
The report highlights that around 30% of incidents resulted in direct financial damage to the victims, with costs per incident varying from £500 to £100,000.
Sports organizations are mainly targeted by financially motivated cyber-criminals, and data collected during the survey suggests that most cyber-attacks use common techniques such as phishing, password spraying and credential stuffing. When security measures are poorly implemented, bad actors can easily exploit unpatched or unsecure systems, and deploy social engineering schemes to gain access to employee accounts or business systems.
“While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, Director of Operations at the NCSC. “I would urge sporting bodies to use this time to look at where they can improve their cyber security – doing so now will help protect them and millions of fans from the consequences of cyber crime.”
However, according to research, criminals take their time before launching an attack, gathering intelligence on sports organizations to assure 100% success.
BEC schemes were named the biggest cyber threats for sports organizations. Around 75% of respondents said that fraudulent emails, text messages and phone calls were the main attack vectors.
Most recently, a managing director of the Premier Football League fell victim to a spear-phishing attack that allowed cyber-criminals to use his credentials to redirect £1 million to their account. In this case, the attackers set up Office 365 auto-forwarding rules to external email accounts and managed to re-route nearly 10,000 emails. Luckily, the transfer failed, because the fraudulent payment was stopped by the financial institutions’ fraud control systems.
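Auto-forwarding rules of the kind described above leave a trace that an administrator can audit. The script below is an added example, not code from the article, the NCSC report or Microsoft: it walks a list of exported inbox rules and flags every rule that forwards or redirects mail to an address outside the organization's own domains. The field names (Name, MailboxOwnerId, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo) are modelled on what Exchange Online's Get-InboxRule listing exposes but are treated here as assumptions, and the sample export and the domain example-fc.test are constructed.

```python
"""Flag mailbox inbox rules that forward or redirect mail outside the organization.

Added example, not code from the article or the NCSC report. The input is a
constructed stand-in for an exported list of Exchange Online inbox rules;
the field names are assumed to mirror Get-InboxRule output. Adapt the
loading step to whatever your tenant's export actually looks like.
"""
import re

# Domains that count as "inside" the organization (constructed placeholder).
INTERNAL_DOMAINS = {"example-fc.test"}

# Inbox-rule actions that send a copy (or the original) of a message
# somewhere else; a rule using any of these deserves review.
FORWARDING_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Matches the SMTP address inside recipient strings such as
# '"Finance" [SMTP:finance@example-fc.test]' or a bare address.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample export: two rules on the managing director's mailbox
# (one internal, one redirecting to an outside webmail account) and a
# disabled rule on another mailbox that still points outside the organization.
SAMPLE_RULES = [
    {
        "MailboxOwnerId": "md@example-fc.test",
        "Name": "Invoices to finance",
        "Enabled": True,
        "ForwardTo": ['"Finance" [SMTP:finance@example-fc.test]'],
        "ForwardAsAttachmentTo": [],
        "RedirectTo": [],
    },
    {
        "MailboxOwnerId": "md@example-fc.test",
        "Name": "Archive",
        "Enabled": True,
        "ForwardTo": [],
        "ForwardAsAttachmentTo": [],
        "RedirectTo": ['"md" [SMTP:md.backup@webmail.example.net]'],
    },
    {
        "MailboxOwnerId": "coach@example-fc.test",
        "Name": "Old forward",
        "Enabled": False,
        "ForwardTo": ['"coach" [SMTP:coach.personal@mail.example.org]'],
        "ForwardAsAttachmentTo": [],
        "RedirectTo": [],
    },
]


def extract_addresses(values):
    """Return the lower-cased SMTP addresses found in a list of recipient strings."""
    found = []
    for value in values or []:
        found.extend(m.group(0).lower() for m in ADDRESS_RE.finditer(value))
    return found


def is_external(address, internal_domains):
    """True when the address's domain is not one of the organization's own."""
    domain = address.rsplit("@", 1)[1].lower()
    return domain not in {d.lower() for d in internal_domains}


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per (rule, action, external address) combination."""
    findings = []
    for rule in rules:
        for action in FORWARDING_ACTIONS:
            for address in extract_addresses(rule.get(action)):
                if is_external(address, internal_domains):
                    findings.append({
                        "mailbox": rule["MailboxOwnerId"],
                        "rule": rule["Name"],
                        "action": action,
                        "address": address,
                        "enabled": bool(rule.get("Enabled", True)),
                    })
    return findings


def format_findings(findings):
    """Render findings as one line each, enabled rules marked for attention."""
    lines = []
    for f in findings:
        state = "ENABLED" if f["enabled"] else "disabled"
        lines.append(f"{f['mailbox']}: rule '{f['rule']}' {f['action']} -> "
                     f"{f['address']} ({state})")
    return lines


if __name__ == "__main__":
    for line in format_findings(audit_rules(SAMPLE_RULES)):
        print(line)
```

Rule-level forwarding is only one of the places mail can leak from a mailbox: mailbox-level forwarding settings and transport rules should be reviewed with the same question in mind, and disabled rules are reported too, since they show the mailbox was configured to send mail outside at some point. Running this check on a schedule, rather than once, is what turns it into detection rather than a one-off clean-up.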
The NCSC advises “one of the best technical controls to reduce the risk of BEC is multi-factor authentication (MFA).”
“MFA provides an extra layer of security for online services, preventing attackers from accessing them with passwords alone,” the report said. “Survey results indicate that 51% of sports organisations already use MFA on some services; this is a key action area.”
Malware attacks were also a popular trend cited by the agency, with 40% of all attacks on sports organizations involving some form of malicious software, a quarter of which were ransomware.
“Basic security controls such as antivirus, firewalls and user access controls are typically implemented by sports organisations,” the NCSC said. “However, 21% of surveyed companies do not have a patching strategy and 25% do not back up their data.”
The agency recommends patching and ensuring that all operating systems are running the latest updates. Organizations should also focus on backing up their data to decrease the financial impact and recovery time in case of an attack.