The hacking playbook: Tackling cybersecurity in the sports industry

March 27, 2023
A malware attack that shuts down business units could disrupt logistics on game day

At its core, your favorite sports leagues—NFL, NBA, MLB, La Liga and more—are a business. They’re more than just competitive entertainment, but an industry that must focus on building and supporting revenue. Sure, having seven-time Super Bowl winner Tom Brady as your team’s quarterback is good for your organization, but it isn’t necessarily what is going to be ‘bringing in the dough.’ When you think about it, players and coaching staff are actually cost centers. Your organization has signed massive contracts to pay these individuals millions of dollars. If you do the math, it's likely that they are not bringing in nearly as much money as you are shelling out to them.

So, where do sports leagues get their revenue from? Revenue certainly comes in merchandise and ticket sales, but most of the revenue is derived from large-scale corporate sponsorships and partnerships—Fox, CBS, Nike, PepsiCo, etc. These corporate sponsors and partners are extremely coveted in the sports industry, and leagues and individual teams alike will do almost anything to ensure their position. Consider the scenario with the Washington Commanders back in 2020. The team was in jeopardy of losing millions of dollars from corporate sponsors—including stadium sponsor FedEx—if the team’s name was not changed.

The reliance on partners and sponsors creates a unique security issue—not a physical security issue, but a cyber one. Physical security is highly prioritized in the sports world given the high profile of the personnel, but cybersecurity threats can be just as damaging. There are a few bad actors that conduct attacks to seek notoriety. Those individuals will be going after the player and coaches, compromising their social media accounts, for example. However, the majority of bad actors are financially motivated. This means they will go after the revenue-centered operations—sponsors and partners.

Where Do Risks Fit Into the Play?

When we think of corporate sponsors and partners in the sports industry, it’s easy to think of all of the ‘flashy’ perks they get. By being a sponsor of the NFL along with a variety of other individual NFL clubs, PepsiCo has Gatorade products and logos on many sidelines—we’ve all seen the infamous Gatorade dump on coaches heads after a major win. But that is not all that comes along with it. PepsiCo is given branding rights, and television advertisements and was even previously given sponsorship over the Super Bowl halftime show. These projects are running in tangent with all of the projects spearheaded by other sponsors and partners.

Corporate sponsors will have creative and advertising professionals work on television commercials, social media imagery, billboards, posters and press releases. Legal team members will create and review a variety of different contracts and agreements. Finance teams will create budgetary documents to track and manage spend for each project while caching receipts and sending and receiving invoices. Sounds like a regular enterprise, doesn’t it? That’s because it is. These videos, images and documents are not generated, signed and approved in board rooms. They exist in the form of digital content. It may look like the CMO of Nike, who is based in Portland, emailing a Word document of a press release draft to the COO of the MLB, who is based in New York. Or it could be Nike’s advertising agency uploading social media graphics in to a shared Box folder. Whatever content collaboration platforms, cloud-native portals or email channels these organizations are using, there are thousands of pieces of digital content flowing through them.

This is a cybercriminal’s dream. Creating malicious documents is an extremely easy and cheap attack vector. Essentially, all they have to do is create a piece of malicious code embedded deep within an innocent-looking file that they send via a spoofed email address. Amateur hackers can easily conduct file-borne attacks. They don’t even have to create their own malicious code, as there are typically ways to buy weaponized documents on the dark web for a few hundred dollars. Given the highly publicized nature of sports teams and the individuals that work for them, it is very easy to determine who their corporate sponsors are, who is employed by these corporate sponsors and the types of projects they are working on. This gives bad actors ammo to create sophisticated attacks that can fool even the most security-conscious individuals. They also know how important sponsors are and how likely it is for executives from sports leagues to open an attachment appearing to come from a member of one of their largest sponsors. Hackers will take the path of least resistance, and that path is often via third-party communications.

Keep Your League Off of the Cyber Injury Reserve List

The sports industry has never been one to be vocal about cybersecurity. And, in recent years, it's become more of a prime target for bad actors, take last year’s ransomware attack on the San Francisco 49ers. Physical security—implementing clear bag policies, on-site police staff, bag checks and detectors at entrances, etc.—has always been a higher priority. But within the conversation on ‘security,’ there is a place for cybersecurity at the table. Cyberattacks can have significant impacts on a sports league from a business standpoint, such as financial, reputational and operational consequences.

A ransomware attack could cost an organization millions of dollars if they were to pay the ransom. A malware attack that shuts down business units could disrupt logistics on game day (considering broadcast abilities are impacted). When it comes to a league’s reputation, corporate sponsors may reevaluate their relationship, as they might start seeing your organization as a partner that puts them at risk.

I encourage sports teams and leagues to put an emphasis on cybersecurity and take a close look at all of the channels they have sensitive data and digital content flowing in and out. It’ll surprise them when they realize all of the potential points of entry an attacker can have into their company. Securing those digital channels and mitigating any potential risk posed by third-party communications will allow the leagues to put their attention back on the game.

About the author: Aviv Grafi, who serves as CTO and co-founder of Votiro, served in the Israeli Army’s 8200 intelligence unit and as a pentester where he witnessed firsthand how easy it is to penetrate networks by delivering malicious documents.
About the Author

Aviv Grafi | CTO and Founder, Votiro

Aviv Grafi is the CTO and Founder of Votiro, an award-winning cybersecurity company specializing in neutralizing files of all kinds through Secure File Gateway solutions. Aviv is the principal software architect for Votiro's enterprise solution, based on a unique Positive Selection technology for complete protection against cyber threats within an organization. As of 2020, Votiro has seen considerable growth—forming partnerships, receiving industry recognition, and developing talent—and looks forward to future expansion. Votiro has offices in the U.S. covering North America and locations in Australia, Singapore, and Israel, supporting over 400 enterprises worldwide.

https://www.linkedin.com/in/aviv-grafi-63426b1/?originalSubdomain=il

Twitter: https://twitter.com/avivgrafi