No patching, no CISO, saved by the bank
UK sports organisations are at growing risk of cyber attack, according to a report by the National Cyber Security Centre (NCSC) — which revealed that the managing director of a Premier League club had their email hacked during a transfer negotiation, with the club nearly losing £1 million in an incident ultimately blocked by the club’s bank.
Another English Football League (EFL) club suffered a “significant” ransomware attack, which crippled their corporate and security systems, and encrypted almost all the club’s end user devices, resulting in the loss of locally stored data.
“Several servers were also affected, leaving the club unable to use their corporate email. The stadium CCTV and turnstiles were non-operational, which almost resulted in a fixture cancellation. All systems at the stadium were connected to one network (VLAN). This meant that the infection spread across the estate quickly”, the NCSC said.
Intriguingly, the initial vector may have been networked CCTV.
Some 75 percent of those polled meanwhile admitted receiving fraudulent emails, texts and phone calls: despite this, just two percent identified fraud as a threat.
The average cost of an incident is £10,000, with some costing up to £100,000, the NCSC said. In the Premier League incident, a spear phishing attack led the MD to a spoof Microsoft 365 login page, where he passed on his credentials to criminals.
The criminals assumed the identity of the MD and communicated with the club at which a player was being eyed for a £1 million transfer, while at the same time creating a false email account pretending to be the European club talking to the MD.
At this point both clubs were speaking to cyber criminals instead of each other. Fortunately, as the cyber criminals’ account had a fraud marker against it, the bank ultimately refused the payment. Others may not be so lucky.
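The impersonation described above relied on a lookalike sender posing as the European club and on a payment request arriving through a compromised mailbox. As an added example (not from the NCSC report or either club), the following defender-side check scores an inbound message against a constructed directory of expected counterparties; the domain names and display names are hypothetical.

```python
import re
from email.utils import parseaddr

# Constructed directory of counterparties the club expects to deal with
# (hypothetical values, not taken from the report).
KNOWN_COUNTERPARTIES = {
    "fc-europa.example": "FC Europa transfer desk",
}

# Wording that typically accompanies a BEC attempt to redirect funds.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.*\b(bank|account|iban|sort code)\b", re.I
)


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(from_header: str, reply_to: str = "", body: str = "") -> list:
    """Return a list of BEC risk flags for one inbound message (empty means no flags)."""
    flags = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_COUNTERPARTIES:
        for known, known_name in KNOWN_COUNTERPARTIES.items():
            if 0 < _levenshtein(domain, known) <= 2:
                flags.append(f"lookalike domain {domain!r} resembles {known!r}")
            if name and name == known_name:
                flags.append(f"display name {name!r} used from unknown domain")
    if reply_to:
        _, r_addr = parseaddr(reply_to)
        if r_addr.rsplit("@", 1)[-1].lower() != domain:
            # A hijacked genuine mailbox often redirects replies elsewhere.
            flags.append("Reply-To domain differs from From domain")
    if PAYMENT_CHANGE.search(body):
        flags.append("message requests a change of payment details")
    return flags
```

A flagged message should trigger out-of-band verification of the payment instruction before any transfer is released.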
Vulnerable to “Basic off-the-Shelf” Cyber Threats
While there have been no reported incidents regarding remote systems like CCTV and turnstiles, the report has revealed that up to one third of those polled do not have a patching strategy in place for their industrial control systems, CCTV, turnstiles, and payment systems.
“Unpatched systems offer a security weakness that attackers can exploit with basic off-the-shelf capabilities” as the NCSC reminds teams.
“It’s important to understand and manage this risk”.
One reason for this lack of security could be that, while almost three quarters of those approached agree that cyber security is a high priority for their organisation, almost none of those polled have a dedicated cybersecurity role, preferring instead to keep it as one responsibility of their broader IT departments.
Ciaran Martin, the NCSC’s outgoing CEO, said: “Sports organisations are reliant on IT and technology to manage their office functions and, increasingly, their security systems at venues. As detailed in this report, cyber attacks can have a wide range of impacts, from multi-million pound fraud to the loss of sensitive personal data.
“The NCSC is not just here to look after the IT systems of the UK government.
“We are committed to supporting the sports sector and we encourage you all to implement the guidance outlined in this report”.
(These include network segmentation, multi-factor authentication, and technical security controls to improve password management, “like blacklisting common passwords and allowing the use of password managers.”).
Carl Wearn, Head of e-crime at Mimecast said: “No organisation or sector is safe from cyber threats, and that includes the beautiful game.
“Transfer deals are obviously a high-pressure time for many football clubs, with lots of fan pressure to get the deal over the line. This pressure can potentially be really detrimental to cyber-hygiene and lead to own goals. In this instance, the attack appears to be an impersonation attack and this variation is definitely on the rise. Our recent State of Email Security report found that 60% experienced an increase in impersonation since last year, whilst 51% have been impacted by ransomware in the past 12 months. Football clubs spend millions every summer investing in their team’s defence, but it is time they started investing in their cyber-defence.
“Not investing in their organisation’s cyber awareness will leave cyber-criminals with an absolute tap in, that even a Sunday-league striker couldn’t miss.
“In a related trend, mergers and acquisitions are being utilised as a theme in BEC emails and employees should be wary of any communications related to “sensitive projects” which may well be seeking to deter you from undertaking adequate steps to verify the authenticity of it. Taking just a few seconds longer to fully consider any important requests could well prevent a significant loss, sometimes in the millions.”