Remember casuals and football hooligans? Or what about films like The Firm? Football casuals causing chaos to opposing fans (and others) for various reasons. I’m not saying it’s a problem that the game has eliminated, but where’s the 21st century cybersecurity equivalent?
Cybersecurity – not your usual kind of football hacker
Think about it, there are tons of reasons for fans to want to hack into opposition clubs, including:
- membership databases for some clubs will run into the hundreds of thousands (many complete with credit card details)
- there’s the chance to discover info on what’s really going on at the club
- learn what players are on or what the club is worth (very valuable intel)
- bank details of the players
- or to just cause embarrassment (imagine if the Rangers FC logo appeared on the Celtic website or similar with Liverpool/Everton)
- and that’s before you consider someone trying to do a massive pen test or USB stick drop on the day of a game. Any random person could hand out tons of USB sticks and you’d get at least 50% of people plugging them into their own computers – probably more if it was branded with the club’s details, making it look official.
But does it happen? I contacted 30 clubs up and down the UK and asked one simple question around their cybersecurity. None of them would give me any sort of answer – and that’s fair enough because it is a huge potential issue.
What can clubs do to minimise cybersecurity breaches?
There’s a lot clubs – like any business – can do around cybersecurity:
- train staff not to hold doors open or give out any information on the phone
- compartmentalise data – don’t have the confidential material accessible on the same network as the stadium guest Wi-Fi, for example
- compartmentalise access – certain people can only access certain relevant data. You could even make it so that only certain IP addresses can access certain data
- two-factor authentication – don’t just rely on passwords
- good software and alerting tools – software can help so much, including scanning for suspicious activity
- ensure staff are happy – disgruntled staff are often the biggest cause of cyber leaks
- train for it happening – practice what would happen
- look out for fake websites or man-in-the-middle attacks on match days via stadium Wi-Fi
- have a full worst-case scenario plan – including communications (internal and external) for when it does happen
- bring in cybersecurity experts like Chelsea Sievewright, John Whitehill or Colin Slater (slight plug for the day job: PwC in Scotland has one of Scotland’s largest cybersecurity teams)
- accept that it will probably happen, so plan for when it happens, not that it will never happen.
Now if you’ll excuse me, my head is full of pun-related football-related songs…