Football and cyber security don’t often get mentioned in the same sentence, but with billions of pounds invested into the richest football leagues in the world, and football clubs possessing vast swathes of data, their valuation can be massively impacted following a data breach. Everything from sponsorship deals, personal player data, youth teams training plans, health and performance statistics, salaries of players and all club staff through to fan members’ personally identifiable information, the impact of a breach could be devastating for the club both financially and reputationally.
What do the standings look like?
We recently conducted research on three of the richest football leagues in Europe*, the English Premier League, German Bundesliga and Spain’s La Liga, assessing their security posture and comparing it to their football standing. To do this we looked closely at ten elements of the league’s security posture. These include: network security; DNS health; patching cadence; endpoint security; IP reputation; web application security; cubit score; hacker chatter; leaked credentials; social engineering.
Through doing so, we revealed an inverse relationship between the success of teams in sport, their digital exposure and resulting cyber risk. By analysing each team’s external digital footprint, we discovered that the top teams across the three leagues all find themselves languishing at the bottom of their respective tables as the larger the digital footprint, the lower their cyber risk score is. At the other end of the table, those teams with a smaller digital footprint find themselves topping the table and are ultimately viewed as being more secure.
Overall, Bundesliga came out on top in terms of security, being awarded with an ‘A’, which is impressive considering it actually has 3x the digital footprint exposure of the Premier League. La Liga’s digital footprint is the smallest. Nevertheless, across all three leagues the most common security issues were weak encryption and web application issues, followed by high severity patching issues and susceptibility to email spoofing.
Surprisingly, we also discovered that only one team in the Premier League would currently meet the requirements of GDPR and be classed as compliant, whilst none of the teams in either the Bundesliga or La Liga meet the legislation.
The ongoing challenge
The biggest challenge still facing organisations, whether they are a football club or a financial institution, is the disconnect between the board level executives and the IT teams. With no common language for companies and their partners to communicate, understand, and improve their cyber security and cyber risk posture, we will forever be at this impasse. To develop the enterprise risk framework which all parties can understand when discussing cyber security and risk, there are three basic points that need to be considered:
- Build cyber security into the Enterprise Risk Frameworks and Regulatory Compliance
- Establish metrics to demonstrate program maturity and comparative benchmarking
- Build your business case around people, processes and technology to demonstrate ROI
A final note…
Football is not just about the camaraderie of the players and turning up to play on match days. It is very much a business with multi-billion-pound deals and reputations on the line, all of which come under fire if they suffer a data breach. We’ve already seen FIFA and teams like West Ham, Real Madrid and Barcelona falling victim to breaches or their social media profiles being hacked. Overall, the findings show that being in the Champions League in sport does not mean football teams are Champions League level for cybersecurity. But it is also important to note that just like sport standings change every day, so do cyber standings.
*Data accurate as of 1st December 2018
Matthew McKenna, VP EMEA at SecurityScorecard