
If you’ve attended a sporting event in recent years you’ll be familiar with the airport-like security that has become commonplace at even mid-sized venues, but have you ever thought about its protections against a cyber attack?
It’s something Ben Morris says he’s aware of at every event he goes to – as the chairman of the National Cyber Security Centre’s sports trust group, perhaps that's not unexpected.
However, “in the UK, I'd say a large portion of the venues still do not consider cybersecurity a major focus area for themselves,” he tells The Stack, citing expenses and misunderstandings over what it should entail.
Also, he says, “it’s just often forgotten about because [when] you think about a sporting event, you think about the game, and you never really think about the cyber element.”
A wake up call
As the former head of cyber security for governing body World Rugby, Morris says he worked with a lot of venues to encourage cyber measures to form part of their wider security strategy.
Still though, he fears “it’s probably going to take a major disruption of an event from a cyber attack for people to start waking up. In all the sectors I’ve worked in… it takes something catastrophic to happen for people to wake up [to the issue].”
Despite this, Morris says many international bodies are at least starting to take cyber threats more seriously: “speaking just for myself [at World Rugby] cyber was the biggest risk.”
Instead, it’s the small and medium venues “that concern me most,” he says. “If you’re talking about a motivated actor who wants to cause maximum disruption with minimal effort, I’d be going after small to medium enterprises.”
Implementation issues
When he speaks to technology teams, they often aren’t considering cyber elements in their event planning, he says, meaning venues are not prepared for potential attacks on access controls or communication networks.
Outside threats should also be considered as Morris warns he could see an employee at one of the many contractors working on an event manage to “get through the background checks and then plug in a USB” to a venue’s systems and facilitate an attack.
This threat in particular is exacerbated by a rise in hacktivism, he says: “if you're a hacktivist and you really want to get a message out there, and there's, say, the [Rugby] World Cup this year … you could broadcast [your] campaign onto the screens at the venue.”
Keeping events at the cutting edge of security has also proved more difficult as international competitions such as the Olympics move away from building new infrastructure in the name of sustainability.
Now, governing bodies “can't invest billions and billions into a country to build their venues, so we have to integrate with the country's infrastructure,” he says.
Regulatory measures
On the other side of the coin, physical event security has clearly been stepped up over the last two decades as increased screenings and training were put in place, following high-profile terrorist incidents including the attack at Paris’ Bataclan theatre in 2015 and the 2017 Manchester Arena bombings.
Just this month, a bill known as Martyn’s Law, named after a victim of the Manchester attack, was brought into law in the UK, requiring venues with a capacity greater than 200 to have terrorist attack response plans.
Similar regulations could address the issues with venue cybersecurity, says Morris, with existing health and safety rules an easy entry point as “instead of trying to reinvent the wheel … they’ve already got a proven method that works.”
He describes a potential “bronze, silver, gold” system to The Stack to determine different levels of security requirements for different venues.
For example, a small rugby club with “just a stand, a dressing room, and a bit of digital connectivity” could simply be required to ensure the basics, “they have MFA, update their systems regularly, do some degree of network security.”
A top down push
At World Rugby, Morris says a security assessment revealed many venues are “just trying to stay afloat”, making them a potential “gold mine” for attackers during a major event.
As a result, his team worked with Netskope to “rebuild their whole network, implement proper standards and configurations, proper VLAN and segmentation of their networks” ahead of the Rugby World Cup in 2023.
This investment then leaves venues better prepared for the next event, something Morris hopes will cause a butterfly effect as “hopefully, because everybody talks in sport, another venue might go ‘oh we saw that venue just implemented these really good security controls, and it didn't cost too much, we should do the same.’”
The top down push is key as “that's how you implement grassroots. It's through the international bodies and further investment into venues that you're going to get that change.”