A recently released report unveils a concerning reality within UK football clubs, highlighting a substantial vulnerability to cyber threats stemming from outdated approaches to cybersecurity. The comprehensive study conducted by NCC Group, in collaboration with the University of Oxford’s Oxford Researchers Strategy Consultancy and Phoenix Sport and Media Group (PSMG), underlines a critical need for heightened cyber resilience across the industry.
Matt Lewis, NCC’s global head of threat research, emphasized the sports industry’s growing attractiveness as a target for cyberattacks, pointing to a disconnect between perceived risks and actual vulnerabilities. He stressed the need for the practical solutions outlined in the report to fortify the industry’s defenses against potential cyberattacks.
The report, titled “The hidden opponent: Cyber threats in sport,” draws insights from IT and security managers within the football sector, exposing multiple concerns. It outlines deficiencies in cyber maturity, outdated methodologies, and a striking scarcity of dedicated IT and cybersecurity roles, most notably Chief Information Security Officers (CISOs).
Alarmingly, despite the industry’s significant financial prowess, clubs appear reluctant to allocate adequate resources toward cybersecurity. While massive investments in players are routine, financial commitment to hiring competent CISOs remains conspicuously absent, with the average UK CISO salary standing at around £127,000.
Interviews with IT managers from clubs underscored the staggering mismatch between the scale of the enterprise and the limited resources allocated to cybersecurity. One manager, granted anonymity, likened managing a football club to handling two distinct entities: a substantial business on the playing side and a small to medium-sized enterprise (SME) on the IT front, burdened with restricted staffing and budgetary constraints.
The report further highlights prevalent issues such as an over-reliance on cyber insurance, inadequate incident response preparedness, insufficient cyber training, inconsistent identity and access management, an absence of data governance, and slow technological adaptation to an evolving threat landscape.
NCC proposes several recommendations, including the establishment of an industry-wide standard for cybersecurity budgets tailored to club size, turnover, and desired cybersecurity maturity level. It also proposes a cybersecurity maturity model designed specifically for the football sector, intended to help IT leaders benchmark their current cyber posture and identify existing gaps.
Furthermore, the report advocates for intensified training and awareness initiatives across all facets of football club operations, emphasizing the urgent need for dedicated cybersecurity professionals to counter the evolving threat landscape effectively.