The UK’s National Cyber Security Centre (NCSC) released a new report revealing that sports organizations are more than twice as likely to suffer a cyberattack as organizations in other sectors, according to Sky News. The NCSC’s report, which covers cybersecurity threats to the sports sector, states that 70% of major UK sports organizations sustain a cyberattack each year, compared to 32% for organizations in other industries. Additionally, 30% of British sports entities were hit by more than five cyberattacks in the past twelve months.
The majority of these attacks are conducted by financially motivated cybercriminals. The NCSC says approximately 30% of attacks against the sports sector resulted in financial damages ranging from under £500 to more than £100,000, with an average loss of over £10,000. The largest single loss, which was excluded from the averages, saw an organization lose more than £4 million (US$5 million). The attacks that resulted in the highest losses involved business email compromise, which the NCSC identifies as the primary threat to the sports sector.
“Research indicates that Business Email Compromise (BEC) is the biggest cyber threat to sports organisations,” the report states. “BEC involves attackers seeking to gain access to official business email addresses, which they then use to engineer such things as fraudulent payments or data theft. The primary motivation for BEC is financial gain. According to Action Fraud, BEC is one of the fastest growing cybercrime operations out there. Its ‘low cost-high return’ model is doubtless what attracts criminals.”
The report stresses that these attacks can be wide-reaching and difficult to identify before it’s too late.
“BEC activity can be highly targeted and involve many layers,” the NCSC says. “Techniques such as ‘spear phishing’, combined with phone calls and spoofed emails, are all deployed in order to obtain usernames and passwords from staff. Attacks are often aimed at users who have senior roles or can authorise financial transactions. Business Email Compromise can also come about through industrial-scale technical attacks, such as credential stuffing and password spraying. … The outcomes of successful opportunistic attacks frequently involve auto-forward rules being put in place on a compromised email account, to steal sensitive information. Once access has been achieved, attackers operate indiscriminately and may steal thousands of emails, before any tangible impact is identified by the victim.”
The NCSC highlights shortcomings in the sports sector that have facilitated cyber-enabled fraud.
“Only 46% of surveyed organisations have staff training, education, and awareness programmes in place for cyber security,” the report says. “However, a mere 2% of sports organisations identified prevention of fraud as a primary cyber security objective.”
Additionally, the report found that less than 33% of UK sports organizations implement DMARC to mitigate email spoofing.
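“Implementing DMARC” covers anything from a monitor-only record to full rejection, so a defender checking their own domain wants to know what the published record actually enforces. The checker below is an added example, not code from the NCSC report or this article: it parses a DMARC TXT record per RFC 7489 and flags the common gaps (p=none, partial pct, a weaker subdomain policy, a misplaced v= tag) that leave a domain spoofable. The sample records and the example.invalid reporting address are constructed.

```python
"""Evaluate what a DMARC TXT record actually enforces (RFC 7489); sample records are constructed."""
from dataclasses import dataclass
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}
ENFORCING = {"quarantine", "reject"}

@dataclass
class DmarcPolicy:
    valid: bool
    policy: Optional[str]            # p= for the organisational domain
    subdomain_policy: Optional[str]  # effective sp= (defaults to p=)
    pct: int                         # share of failing mail the policy applies to
    has_reporting: bool              # rua= present, so failures are at least seen

def parse_dmarc(record: str) -> DmarcPolicy:
    """Split the record into tag=value pairs and validate the ones that matter."""
    if not record.strip().lower().startswith("v=dmarc1"):  # v= must come first
        return DmarcPolicy(False, None, None, 0, False)
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags.setdefault(k.strip().lower(), v.strip())  # first occurrence wins
    p = tags.get("p", "").lower()
    if p not in VALID_POLICIES:  # p= is mandatory; without it receivers ignore the record
        return DmarcPolicy(False, None, None, 0, False)
    sp = tags.get("sp", p).lower()
    if sp not in VALID_POLICIES:
        sp = p  # malformed sp= falls back to the domain policy
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return DmarcPolicy(True, p, sp, min(pct, 100), "rua" in tags)

def mitigates_spoofing(policy: DmarcPolicy) -> bool:
    """True only if failing mail is quarantined/rejected for the whole domain tree."""
    return (policy.valid and policy.policy in ENFORCING
            and policy.subdomain_policy in ENFORCING and policy.pct == 100)

# Constructed sample records; example.invalid is a reserved placeholder domain.
SAMPLES = {
    "monitor-only":  "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial":       "v=DMARC1; p=quarantine; pct=20",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none",
    "enforced":      "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
    "broken":        "p=reject; v=DMARC1",
}

def classify_all(samples=SAMPLES):
    """Map each sample name to whether its record actually mitigates spoofing."""
    return {name: mitigates_spoofing(parse_dmarc(rec)) for name, rec in samples.items()}
```

Of the five constructed records only "enforced" passes; the others are the states that get counted as "has DMARC" while still letting spoofed mail through.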
Many of these attacks can be prevented by proper security protocols and end-user education. New-school security awareness training can equip your employees with the knowledge they need to thwart social engineering tactics.
The NCSC has the story.