[S3E3] Sports, Beyond the Pitch : Cyber Threats in Football

Dans l'œil de la cyber

43min | 21/01/2025

Description

In this special episode—the very first in English—we dive into the fascinating intersection of sports and cybersecurity. Our guest, Graham Peck, Information Security Manager and DPO at Leeds United Football Club, shares his insights on the unique cybersecurity challenges in the world of football.

From protecting sensitive player data to securing club operations against cyber threats, we explore how cybersecurity plays a crucial role in modern sports organisations. Graham also discusses real-world incidents, best practices, and the evolving risks in the industry.

Whether you’re a football fan, a cybersecurity enthusiast or just curious, this episode is for you!

Tune in to discover how football clubs defend themselves in the digital age.

👉Catch ‘In the Eye of Cyber’ on all listening platforms: https://smartlink.ausha.co/dans-l-oeil-de-la-cyber


➖➖➖


🙏A huge thank you to everyone who has already left a review or 5 stars on Apple Podcast, Spotify, Deezer, etc.! Your feedback is invaluable!


💬 If you like the podcast or just want to give me some feedback, don't hesitate to leave me a review, I'll be delighted to read and respond!


➖➖➖

🎙️‘In the eye of cyber’ is a podcast that gives the floor to major players in the digital sector to decode the major topics and trends in this sector and in cyber in particular.


👩I'm Anne-Laure de La Rivière, Director of Communications and Public Affairs at Gatewatcher, a French SME specialising in cyber attack detection.


✍️You would like to suggest themes for future podcasts? Do you have any suggestions for guests? Contact us at contact@gatewatcher.com


Enjoy listening!


Hosted by Ausha. Visit ausha.co/politique-de-confidentialite for more information.

Transcription

  • Speaker #0

    Welcome to the podcast "In the eye of cyber" that gives a voice to leaders in the digital industry. I am Anne-Laure de La Rivière, Director of Communications and Public Affairs at Gatewatcher, and today I am hosting Graham Peck, Information Security Manager and DPO at Leeds United Football Club. Together, we'll be diving into the intersection of cyber security and sport. At first glance, it may not seem obvious, but there are many links between these two fields. Just like in cybersecurity, team effort is crucial in sports. And now more than ever, sports organizations, infrastructures and personnel require resilient cybersecurity. In the high stakes world of professional sports, the action isn't just on the field. More episodes to come in English at www.gatewatcher.com. If you enjoy our work, make sure to subscribe to In the Eye of Cyber on all listening platforms so you don't miss our next release. Enjoy the episode! Hello, Graham.

  • Speaker #1

    Hi, Anne-Laure.

  • Speaker #0

    Thank you so much for accepting our invitation and joining us for this episode of In the Eye of Cyber. Could you start by telling us a bit about your career path and the choices that led you to this role and why?

  • Speaker #1

    Yeah, no problem. So I left... After leaving school, I went into the military for a number of years, but when I left the military and went into IT, IT security has always been like an underlying factor. So I worked across many different organizations, from finance, data centers, and so forth, where security was an underlying side to it. It's just that early '98, 2000, cybersecurity became more of a thing, of an area of expertise, so I decided to start looking at that, and I am where I am now because of it.

  • Speaker #0

    So, joining a football club, is that something that happened by chance or was it a goal from the start?

  • Speaker #1

    Oh no, this was definitely by chance. As you can hear from my accent, I come from more of a rugby and cricket nation than a football, or what I would call soccer, and get told off about it.

  • Speaker #0

    You come from South Africa, right?

  • Speaker #1

    That's correct, that's correct. So, yeah, I was definitely not expecting to go into sport. But as I said, I've been in many different types of organizations. And sport is just like any other company. I think people just need to realize there's two parts to football. There's what goes on on the pitch with the players and so forth. But behind the scenes, we're an SME, just like any other business. We have a marketing account, all the rest. So it's a normal business on one side of it and just football on the other.

  • Speaker #0

    Exactly, and we'll be digging into specifically what you're doing at Leeds United Football Club. So what has been your biggest surprise since taking on this role? Was there something you didn't expect at all or that has really taken you back since you started?

  • Speaker #1

    Yeah, I think that general perception, I think everybody's got this general perception, especially with football, that they think there's lots of money in football when, truth be told, there may be a lot of money on the player and the football side of it, but from the SME side of it there isn't. So there was a lot of legacy systems, there was a lot of lack of investment in certain parts of the business, and because it's unlike any other business, where the owners regularly change, for example. So one minute you may be in the Premier League or in the Championship, where there may be more money, and then the next season you could be down. So because it fluctuates a lot, it has an impact on investment. And I think that was my biggest shock, was the perception that there was going to be lots of systems in place for security, and then when I started, noticing that there wasn't.

  • Speaker #0

    So cybersecurity is new in sports. Is this something that you'd say?

  • Speaker #1

    Yeah, I'd say in certain sections of sport, it's new. There's always been a certain part of security in sport for things like player contracts and so forth, and fan data. It's now extending to a wider demographic as such, because technology is changing. You can have Wi-Fi in a system, you've got till systems, Wi-Fi, various other things that you would run on a match day, and those are now easily accessible to people wanting to try malicious attempts on it.

  • Speaker #0

    And since you've also worked in completely different sectors, do you think it is a very different approach compared to other sectors?

  • Speaker #1

    Yes, I'd say in sports initially it's very reactive rather than proactive. So let's take finance, for example: you'll have FSA regulations, or regulations that state you have to attain a certain level of security and so forth, where the Premier League and EFL, and same with UEFA and Bundesliga and all the rest, they're now starting to put things in place that says if you join the league, you need to have a certain level of security already in place, whereas before it wasn't. Every club was able to do their own, but the problem there you've got is the data that you hold can span across multiple clubs. So a player could change clubs on a regular basis; that player's data may have data from when they were at previous roles as well as the clubs that they're at now. So obviously you've got to try and protect it, because it has an effect on both what affects your club as well as other clubs.

  • Speaker #0

    So are you working on turning sports and cybersecurity more proactive?

  • Speaker #1

    Yes, no, definitely. So we... In the UK, it's nice where we can create a forum for all the IT security within the leagues to be able to talk to each other, because we've all got a common issue, which is cybersecurity. And it's a constantly evolving sector where you're constantly playing catch-up to prevent the next attack. So by sharing that information and not being against each other like you are on the pitch, but actually working together as one, that's really exciting. And it's helped a lot by creating a forum of like-minded individuals where we're constantly looking at products and methods of attack, or if somebody has had an attack on their site or on their club, how we can prevent it on ours before it happens.

  • Speaker #0

    Can you draw the perimeter of security risks, and more specifically cyber risks, surrounding a regular Leeds United football game?

  • Speaker #1

    Sorry go for it.

  • Speaker #0

    No I was thinking I can imagine a few risks already such as access to the physical and digital sites of spectators and internet users, also means of broadcasting sports footage, video captures for television or referees, video surveillance, alarm systems, online ticketing. Can you tell us more about the risks?

  • Speaker #1

    Yes, from a club perspective, the risks are across multiple areas. So one is with regards to fan information, fan data and the demographics of those fans. That could be via your websites. And if you think of a typical club, they have a retail website where you can go and buy your latest shirt for that season. So you have data for that. You also have where you're wanting to buy your tickets online, which then holds credit card information and so forth. So you have the external side that you're needing to protect, as well as internally you have things like access control, how they get access into the stadium through turnstiles and so forth. You have all your till systems. So you can imagine, in our case, we have on average about 37,000 people coming to a match. That's a lot of people needing something to eat, something to drink and so forth. The impact of having no tills greatly has an effect on the margins that you make during a club. And then there's the rest of the things, like you mentioned: CCTV, Wi-Fi, hospitality has a lot of people that may be sitting in hospitality boxes; they're wanting access to internet connectivity and so forth. So it's then protecting your internal systems from your externals, as well as, if you're in the Premier League, they have some regulations that state that you need to provide certain things to certain parts of it, like VAR, which is goal line technology, or the technology that mentions if a person's offside and so forth. If somebody was able to manipulate that or interrupt that feed, it would mean that the game would be stopped and we would have to wait until they've resolved it before we can carry on play. That would obviously have an effect on the club itself as well.

  • Speaker #0

    Of course. And also I can imagine data protection and technological assets like the fans' data information that goes through the networks and so on.

  • Speaker #1

    Yes. So, I mean, nowadays, that's your biggest value as such. The last thing you want to do is have reputational damage by having a breach to a club because your fans expect you to look after their data and secure their data. So as well as the financial costs, because unlike a normal traditional company that has 365 days to make money for their financial year in football, you only have so many home matches and away matches to make as much money as possible. So let's take in the Premier League, you may have about 48 matches, of which 24 at home. You have to make as much money as you can during those to help you through the year, other than some things like... people using the stadium for events and so forth and that which also brings in revenue but not as much as a match day does.

  • Speaker #0

    So now I will be asking you the question everybody wants to know. Have you ever been cyber attacked, Graham?

  • Speaker #1

    At this stage we haven't. I won't say it's if, it's when. I think all clubs will be on the same page with regards to that because technology, especially now with AI and so forth, it's becoming more and more of a cat and mouse game with hackers and so forth. I mean, we've had some recent ones over the last couple of years, which have been quite prolific. Manchester United had in 2021-22, just lucky enough it was in COVID, they had a breach. We've had recently a couple of clubs in the EFL that have had breaches. And then the other area that is becoming more and more prevalent now is social media.

  • Speaker #0

    So how many spectators do you usually have physically in stadiums and on television? Is the risk increased if you host a particular famous game?

  • Speaker #1

    Yes, so we have on average about 37,000 people in a stadium on a match day. We are in the process of increasing that to 55,000. And then from a TV perspective, obviously we're on Sky and so forth, so we have quite a wide reach; as to the exact number, I can't tell you, but there is quite a wide following all the way from Norway across to the States. Obviously, we've just got American owners now, so we've got quite a big following in the States as well as most of Europe and even down south in Africa.

  • Speaker #0

    And is there a difference in security if we are a club in Premier League or Championship? Are there any legal safety points to consider once you are in Premier League? Any upgrades?

  • Speaker #1

    Well, the only thing that... well, we had not been in the Premier League for nearly 16 years before we got promoted. So there is a couple of things that happens when you go into the Premier League. Obviously, your profile changes because you're playing larger clubs that have been in the league for quite a while, like Liverpool, Arsenal, Manchester United or City and those kind of clubs, which then means that there is more demand for tickets. There is a lot more money in the Premier League than there is in the EFL, for example, so therefore it becomes a target for anything to try and disrupt those sales. So it could be from a ticketing perspective, trying to slow down your websites, make it more difficult to buy a ticket online, especially for a specific match, to using social media to try and sell fake tickets and then cause a lot of disruption that way as well.

  • Speaker #0

    Yeah, of course. And is there a different cybersecurity protocol for high stakes matches, such as championship finals, for example?

  • Speaker #1

    Yes, so within the clubs themselves, there's a number of systems that we do. So in the Premier League, they have a thing called Section K. It tells you what is the requirement from their side that they need from a club going into the Premier League, which then helps make some decisions around how you segment your data and prevent those attacks. In our case, what we did was we separated our match day infrastructure and networks away from our internal head office users' networks, because there's more risk of you getting a breach, unfortunately, through people being your users than there is through your match day systems.

  • Speaker #0

    And do you cooperate with the cybersecurity teams of competitors, such as the Football Association, for example? How does it work?

  • Speaker #1

    Yes, so we have, I would say, a formalized... agreement. But all of the clubs, we get together, we share knowledge and that. We have a quarterly get-together; we had one recently at Tottenham and then at Chelsea, where we will all sit together and work out systems. But from the Premier League and the EFL themselves, or from UEFA and so forth, I think it very much relies on like-minded people organising a get-together or a forum to discuss these things. It isn't really driven by them. It's driven by the clubs themselves, where it would be nice to have it the other way around and say, well, before, if you're a club that's looking at a high chance of being promoted into the Premier League, they do an assessment, a security assessment, and help you achieve the level of security that you're going to need before you go into the Premier League. I think that would be really helpful.

  • Speaker #0

    Right. So does the UEFA recommend protocols for cyber attacks? Like, do you report to the UEFA on this matter?

  • Speaker #1

    No, so UEFA is more for the European teams that are more like Roma and Barcelona and that side of it. Unless you're playing in the league, UEFA is on the other side. On the other side, it's more the England Football Association. So you've got... EFL or Premier League and so forth, we follow some process that they require, which is around more of cyber security insurance and making sure that all clubs have a certain level of insurance. And as part of that insurance, you've got to have certain measures in place. So yeah, we don't abide by UEFA, for example. We have our own UK-based systems that we have to abide by.

  • Speaker #0

    Right. So you mentioned earlier that sports are not very connected to cybersecurity. Well, at first it wasn't the case; it's coming now. But also, sports fans are sometimes less cautious online than consumers in sectors like banking or healthcare. Partly, I assume, because there's less media attention on cybersecurity risks in sports. Do you sense a difference or even a lag in awareness, and do you think this lower level of awareness impacts how you design security strategies for a club like Leeds United? Do you need to be extra cautious?

  • Speaker #1

    Yeah, I mean, I would definitely say we've got to be extra cautious, and especially when it comes around the contentious issue of ticket sales. So fans, if you want to cause a headache for a club with regards to fans, it's not being able to provide them with sufficient tickets for them to be able to attend a match. And that's the quickest way to make them upset. So the main thing is making sure that you put robust systems in place. But then also raising that awareness to the individuals and saying, look, be careful of these kind of things. Don't try and buy your ticket off of somebody on social media, for example. You have the ability to resell your tickets back to the club if you're unable to make it. Therefore, you know you can buy your ticket from a reputable source rather than somewhere else and then setting yourself up to getting to the club and finding out that the same ticket has been sold to 10 people, and you're now out of money and you've spent a lot of money traveling to the club in the first place.

  • Speaker #0

    Right, yeah. And I wanted to give you this example: in another sport, American football, Thomas Maldonado, the CISO of the National Football League in the USA, shared insights into the scale of security operations during the 2024 Super Bowl. There were around 39,000 security intelligence events, and 254,000 connections were blocked to and from blacklisted regions. So, keeping proportions in mind, it's clear certain sports are especially targeted, particularly football. What are the specific challenges you see as critical in this area today?

  • Speaker #1

    Yes, so one of the critical areas is visibility. So by having a single pane of glass of being able to see where your attack surface is, you can see where your opponent is, where these attacks are coming from, being able to whitelist or blacklist, in other words, saying which areas are safe areas for getting connectivity from and where are areas that you would not. Because the actors are changing. You have two types. You have the general hacker, so-called, what we call a script kiddie or whatever the case is. He doesn't really know what he's doing as such. He's following a script and trying to see what he can do. And then you've got the other actor, which is whether it's a governmental one from a foreign country or whatever the case is, that's just trying to cause disruption and the reputational damage to the sport via a company. So if we were playing a different country, for example, so if we were playing France, for example, in the World Cup, and they were able to disrupt that match, it then is an embarrassment for both the UK and France that we didn't have systems in place to be able to do it. So our reputational damage, as well as the cost implication and so forth. The ability to be able to protect those is becoming more and more difficult without being able to see where they're coming from. And then once you've got some visibility of where they're coming from, it's then putting the additional things in place. So, for example, what we've done is we started by looking at our endpoint, so the user themselves, what we could put in place to try and secure them, and then look at it from a network behavior side, which is why we started looking at products that look at network behavior and moved across to Gatewatcher, which looks at the network security side of things. So it's not just the traditional looking at the PC and the user's behavior. It's also looking at your network behavior, because typically, you know, you may not see something that's happening on the networking side, but you would see it if somebody's machine was running slow and they had pop-ups and various other things on their laptop, for example. You would kind of expect that there's something going on from the user side, whereas on the network, it's a little bit of a dark art. It's sitting in the background. Nobody really knows about it. So it's putting systems in place to be able to monitor both what's going on in the background as well as what's happening in real time in the front, and then giving that visibility so that you can react on it really quickly.

  • Speaker #0

    Yeah, that's a lot of forecasting and proactivity.

  • Speaker #1

    Yes.

  • Speaker #0

    So, as you mentioned, there is a wide, diverse set of cyber criminals. One statistic I find quite striking is, according to a 2020 report called The Cyber Threat to Sports Organizations from the NCSC, 70% of the 57 sports organizations surveyed by the NCSC have experienced a cyber incident or breach, compared to an average of 32% across British businesses. So of the cyber incidents that caused financial damage, the average loss was over $10,000 per incident. The biggest single loss was over £4 million. And so it means that the sports sector is a lot more attacked than businesses. Do you find these figures consistent?

  • Speaker #1

    Yes, I think it's becoming even more so now, recently. So I'll give you an example. In a normal business, your average transaction, unless you're acquiring a business, another business or whatever the case is, may be in a couple of million pounds. We look at player transfers, for example. A player transfer can cost in the region of tens of millions of pounds. So if somebody is able to intercept and fool a club into thinking that they are paying another club for a player, and they're able to intercept that transaction, they could then have a one hit that is in the millions of pounds. And then it makes it a lot more difficult to try and detect who actually did it and so forth, because of the amount of money. The occurrence of that happening has been quite prolific over time, where now hackers, they don't make themselves known that they're watching your network or they are sitting on your network. They can be sitting there dormant for quite a while monitoring your mails, and then when they see something that is interesting, like a payment that needs to be made, they will then utilize methods. I mean, let's be honest, these are people that study social engineering. They know people's habits, they know people's behaviours and so forth and that. They create things like an urgency to say, oh, you need to pay this bill by a certain time, otherwise we're going to pull this player back out or they're going to make them a free agent or whatever. So it puts that additional pressure on a club. They then don't phone the club to confirm that the invoice is real. They then send the funds and so forth. And then afterwards, the club phones them and says, oh, I've sent you an invoice for this, and they say, but I've already paid it. And it's like, but it wasn't us. By then, a certain amount of time's gone, at which point that money is transferred through 10 or 15 different banking organizations. So it makes it very difficult to recover. It's because of the amount of money that goes backwards and forwards in sports that makes it a targeted area compared to other types of businesses.

  • Speaker #0

    Yeah, they're... cyber criminals can get inside the network and wait a long time before the right moment to attack.

  • Speaker #1

    Correct. It's not in their best interest to make themselves known. Typically they will harvest as much information as possible. We've had two this year already, so two clubs in the EFL, they were breached. What happened was somebody managed to get in; they would sit and monitor the chief financial officer's email address, for example. And then what they would do is they would set up an internal mail system to bypass any external, and email out messages on behalf of that CFO, for example. Thereby spreading that virus to a wider audience, as well as gathering all the information that was in that person's mailbox so that they can utilize it later.

  • Speaker #0

    So are the motivations behind these attacks solely financial or do you see other trends possibly like political?

  • Speaker #1

    Yeah, I haven't really seen, in our level of game, political; that would be more where it would be different countries playing against each other. But I think one area which is... I'll redo that, in the form of there is a certain political side of it. So an example recently is we signed an Israeli player. Obviously, there's a lot of turmoil going on in Israel and so forth at the time. So they used social media to try and cause some consternation with the club and with the fans because of the fact of signing. So, yes, parts of football can be used as a political weapon, especially using things like deepfakes, hacking people's social media accounts, of players, for example, and then making statements that aren't really true. So they can have a political aspect to their attacks.

  • Speaker #0

    Yeah, and there are some pretty scary examples of cyber attacks that have been taking place at sporting events in the past. I can recall Pyeongchang in South Korea for the Winter Olympics in 2018. There was a massive cyber attack just moments before the opening ceremony. And I remember also Manchester United Football Club, whose stadium access gates were blocked during a Premier League match in 2020. And so in 2022, the FBI advised athletes and visitors attending the Beijing Winter Games to use temporary phones to reduce the risks of malicious apps, tracking tools or malware potentially installed on devices with access to sensitive data. Is espionage also a risk that you consider?

  • Speaker #1

    Yes, definitely. I mean, one of the things that you can imagine with having 37,000 people in a stadium all at one go is people pretending that a certain network is the club's network when it's not. It is a private hotspot that people think, oh, well, this is where I need to pre-order my drink from and so forth. We monitor all the pop-up networks that happen during a match day, so we know which are the networks that are our networks and which are not, so we can try and... block those additional networks. And you see loads of people attempt. Most people have hotspots on their mobile phone for when they're working in the train. They just never turn it off. It's permanently available. Unfortunately, some people use it for malicious means. So they can use that to try and trick people into signing and giving their details, their social media or banking details or so forth. Or they will use things like Bluetooth to try and push apps or pop-up apps. to people and the advantage is it's not just football it'll be anywhere where there is a large amount of people all in one place because if you think about it it means you can have the most effect

  • Speaker #0

    with a little amount of input. So you could have a mobile phone with a Trojan on it or a virus on it that you could use to push out to more people in a football match than what you could if you were just walking down the street or sitting in a McDonald's or something like that in takeaways or whatever the case is. So yes, there is certain people that will utilise clubs, infrastructure in the form of seated people in an area to try and propagate. some form of virus. So it's trying to protect your fans as much as possible and tell them what is valid and what is not valid, what to look out for. But as I say, it's a cat and mouse game. We can only try our best at the end of the day.

  • Speaker #1

    Yeah, so there is a very diverse set of cyber criminals like political, geopolitical, they have political and geopolitical motivations, some of them are hacktivists, some of them are even from the mafia. Could you list the operating modes, cyber attacks and methods that you monitor in particular?

  • Speaker #0

    Yes, so what we will do on an average, so let's say for a sports event, so what we will do is we will monitor all of the infrastructure that's available, that's both our physical infrastructure, as well as our digital infrastructure for any untowards attacks or anything that's out of the ordinary. So patterns, looking at patterns of information. We will also look at what is the, is there a contention between the two clubs that are going to be playing, so that we can put certain things in place beforehand. We will also make sure that as a club itself, we've pre-planned as much as possible. or an event so for example if somebody wanted to disrupt the event by stopping people from being having access what is the plan b so in other words if the term styles didn't allow the people in because there was a problem with the with their the term style system or the access control system how would we then get people into the stadium without that system in place so you're constantly creating what we call a a breach playbook or a matchday safety officer will create a set of scenarios and we look at how we can we can facilitate those because if you think about it from a club perspective let's let's say Leeds for example we have if we were in the Premier League and we were unable to have a match for whatever reason we've had one where we were delayed by 38 minutes for example but if that match had been suspended in total you're looking at an average cost in of a couple of million pounds if you take ticket sales um access um hospitality your advertising your uh tv rights and everything else into account it is a big chunk of cash excluding whatever you find you would get from the premier league or whatever for not being able to provide that match so it takes quite a hit on the uh on the club itself so every club's trying to make sure that we have enough systems in place to be able, or fail-safes, to be able to work that, should there be a breach of some attempt, we can still 
continue to have the match, and fans data and player data and all the rest is still secure.

  • Speaker #1

    Right. What about AI in sports? Is it a threat or a challenge? Do you see new approaches emerging to anticipate or even thwart attacks? In what ways? will it impact your work?

  • Speaker #0

    Yeah, I think it's both a threat as well as a challenge because it is advancing at such a rate that's making it quite difficult in the form of people can now use AI to create malicious software without them having a lot of programming experience and so forth. So it means that the sophistication of the attacks and attempts are getting more and more clever. intelligence, which then means that you need to use AI within your discovery tools to try and prevent those kind of attacks. But also it means that the demographic is changing in the form of, in some cases, the use of deepfakes is becoming quite prevalent now, which a couple of years ago was unheard of, where now you can have a deepfake of an owner of a club or a player, and say something derogatory or something that could harm the club's reputation and upset the fans, cause consternation within the club on whatever the case is, which is totally fake and there's no way of identifying that it was a fake or not when it's sitting on social media. Only the person knows that it was a fake because it wasn't them that said it and then you've got to try and prove it to all of the audience that what you've what you said was not you, it was you. It was a fake in the first place. So that is becoming more and more difficult to try and manage. It's getting to a point now where even the clubs have regular conversations with the local police forces and so forth. Because another trend that we're seeing is what's called virtual hijacking. What will happen is, let's take a player, for example. They have a young child, a daughter, a son, whatever that's at school. Somebody will... take the voice and mimic the voice of that child, phone the player and tell them that with the voice of the child that the child is saying that they've been hijacked or they've been held for ransom. Meanwhile, nothing has happened to the child at all. They're still in school. They're perfectly fine. 
But people are using more and more sophisticated methods now than was ever possible before.

  • Speaker #1

    Right. Oh, that's terrible. And also, how do you manage data sovereignty issues in the context of the use of AI? Are there specific measures in place to ensure that sensitive participant and spectator data remains under local control?

  • Speaker #0

    Yes, so all clubs, and ours in particular, what we do is we do almost like compliance. So we validate what information... so I'll give an example. Everybody went out when Copilot came out and said, right, we're going to use AI to share all our information and so forth. The problem with that is unless you know what is in your data, you run the risk of sharing something that you didn't want to share, or sharing personal information or player salaries or whatever the case is. So the first thing you need to do is go and identify your data, see what type of data it is that's in there, associate a risk to that data, so that you can then say, right, this data is of a higher risk, we are not going to have it anywhere near any form of AI, or it's got additional security measures in place that only allow certain people to view it, and there's auditing so you can see who had access to the files and who didn't. And then you have those with less risk that you can say this data is fine to share because it's already out in the public domain; it is not classified as personal data or sensitive information that may be medical data or so forth. So you first have to classify all your data. Once you've done that classification, then you look at retention: how long have you kept the data for, do you really need to still have that data there? Because the longer you keep it and it doesn't have a use, the risk is that that data could end up being leaked. So rather, if you no longer need that data and the expiry time for legally keeping that data has expired, remove it, delete it, get rid of it, because then that means that there's less data for you to worry about.

  • Speaker #1

    Thank you for the advice. Do you think cybersecurity in sports could serve as a model for protecting critical infrastructures more generally? What lessons could the sector share with other industries?

  • Speaker #0

    Yeah. I think for definite. I mean, if you look at the Paris Olympics that you had recently and so forth, the security systems that were used in the background to that, a lot of the time businesses don't understand the complexity behind an Olympics or a big sporting event and so forth. They just look at it with regards to their business. But from a sport, because it's a multitude of different environments that you're having to protect, I think business would benefit from learning about how sport has to react due to the speed at which they change from a business perspective, whether that's being promoted into another league or coming down into another league, the rate at which clubs get sold and players or people move around from club to club. In a business, it's a little bit different. They very rarely change ownership as often as a club may change ownership. They also don't necessarily go up into having shareholders and then go down to not having shareholders. So from a learning perspective, there's a lot that businesses can actually learn from football and vice versa, in the form of, yeah, it would be nice for business, for football, to be able to understand that security also needs a certain amount of investment, like what businesses put in, especially financial and so forth, businesses put in for regulation of their data. Football needs to do the same.

  • Speaker #1

    Right. Also, football inspires millions of young people with values like resilience, discipline and perseverance, which are so different from those found in cybersecurity. Do you think a club like Leeds United could play a role in raising public awareness on these issues? And how could clubs promote these values in a digital context?

  • Speaker #0

    Yeah, so there's quite a few different ways. So most clubs, they are involved in the communities. And as part of those communities, it's telling people what is it that they actually do, because some of it goes underneath the radar. If you think about it, like academies and so forth, you have players or young people that work for the club going out into schools, going out into communities that may be deprived communities or somewhere where kids don't have the ability to do sport, for example. And while they're working with them, they can then pass some of those values across and identify areas of concern that may be needed in those. So from a grassroots perspective, the club is only as good as the grassroots of the community that they support, because these young people are effectively the fans of the future. They will look at footballers and so forth and that and say, look, I want to be like Ronaldo and so forth and that. The reality is the amount of youngsters that actually make it to become a professional footballer is very low. So therefore, let's still impart all of the values that a person like Ronaldo would have and so forth and that on these youngsters, so that they could then use those values to achieve whatever they wanted to achieve, but use the grassroots side of football to be able to do it. And also that way, I think it'll also mean that as they get older, we won't see the amount of football discipline, or lack of discipline, in certain areas of football fans that you used to see in the past, because the youngsters have different values to what the olds, they liked to fight when they were older in football and so forth and that, where the youngsters are saying, I've come to enjoy the match. We see that in the form of the way that the women's game has progressed and so forth, whereas before you didn't have the amount of people that actually watched, where now we have a lot of young girls that are seeing players being able to achieve the same as the men. They're getting the recognition, slowly but surely, the same as men and so forth, and those are increasing the values, and that's how you build them up. They're then more beneficial for your local communities as well as future fans for the club. I agree. Well,

  • Speaker #1

    Thank you very much, Graham, for joining us today and for sharing your insights into the fascinating and complex world of cybersecurity in sports. It's been enlightening to understand the unique challenges and responsibilities a club like Leeds United faces, and to hear your thoughts on how football can contribute to a broader awareness of digital security. To our listeners, thank you for tuning in to this episode of In the Eye of Cyber. If you enjoyed today's conversation, don't forget to subscribe and share. We look forward to having you with us for our next episode as we continue to explore the evolving landscape of cybersecurity. Take care and see you soon.


👩I'm Anne-Laure de La Rivière, Director of Communications and Public Affairs at Gatewatcher, a French SME specialising in cyber attack detection.


✍️You would like to suggest themes for future podcasts? Do you have any suggestions for guests? Contact us at contact@gatewatcher.com


Enjoy listening!


Hosted by Ausha. Visit ausha.co/politique-de-confidentialite for more information.

Transcription

  • Speaker #0

    Welcome to the podcast "In the eye of cyber" that gives a voice to leaders in the digital industry. I am Anne-Laure de La Rivière, Director of Communications and Public Affairs at Gatewatcher, and today I am hosting Graham Peck, Information Security Manager and DPO at Leeds United Football Club. Together, we'll be diving into the intersection of cyber security and sport. At first glance, it may not seem obvious, but there are many links between these two fields. Just like in cybersecurity, team effort is crucial in sports. And now more than ever, sports organizations, infrastructures and personnel require resilient cybersecurity. In the high stakes world of professional sports, the action isn't just on the field. More episodes to come in English at www.gatewatcher.com. If you enjoy our work, make sure to subscribe to In the Eye of Cyber on all listening platforms so you don't miss our next release. Enjoy the episode! Hello, Graham.

  • Speaker #1

    Hi, Anne-Laure.

  • Speaker #0

    Thank you so much for accepting our invitation and joining us for this episode of In the Eye of Cyber. Could you start by telling us a bit about your career path and the choices that led you to this role and why?

  • Speaker #1

    Yeah, no problem. So I left... After leaving school, I went into the military for a number of years, but when I left the military and went into IT, IT security has always been like an underlying factor. So I worked across many different organizations, from finance, data centers, and so forth, where security was an underlying side to it. It's just that early 98, 2000, cybersecurity became more of a thing, of an area of expertise, so I decided to start looking at that, and I am where I am now because of it. So, joining a football club, is that something that happened by chance or was it a goal from the start? Oh no, this was definitely by chance. Um, as you can hear from my accent, I come from more of a rugby and cricket nation than a football, or what I would call soccer, and get told off about it. You come from South Africa, right? That's correct, that's correct. So, uh, yeah, I was definitely not expecting to go into sport. But as I said, I've been in many different types of organizations. And sport is just like any other company. I think people just need to realize there's two parts to football. There's what goes on on the pitch with the players and so forth. But behind the scenes, we're an SME, just like any other business. We have marketing, accounts, all the rest. So it's a normal business on one side of it and just football on the other.

  • Speaker #0

    Exactly, and we'll be digging into specifically what you're doing at Leeds United Football Club. So what has been your biggest surprise since taking on this role? Was there something you didn't expect at all or that has really taken you aback since you started?

  • Speaker #1

    Yeah, I think that general perception, I think everybody's got this general perception, especially with football, that they think there's lots of money in football when, truth be told, there may be a lot of money from a player and the football side of it, but from the SME side of it there isn't. So there was a lot of legacy systems, there was a lot of, uh, lack of investment in certain parts of the business, and because it's unlike any other business, where the owners regularly change, for example. So one minute you may be, um, in the Premier League or in the Championship, where there may be more money, and then the next season you could be down. So, uh, because it fluctuates a lot, it has an impact on investment. And I think that was my biggest shock, was the perception that there was going to be lots of systems in place for security. And then when I started noticing that there wasn't.

  • Speaker #0

    So cybersecurity is new in sports. Is this something that you say?

  • Speaker #1

    Yeah, I'd say in certain sections of sport, it's new. There's always been a certain part of security in sport for things like player contracts and so forth, and fan data. It's now extending to... a wider demographic as such, because technology is changing. You can have Wi-Fi in a system, you've got till systems, Wi-Fi, various other things that you would run on a match day, and those are now easily accessible from people wanting to try malicious attempts on it.

  • Speaker #0

    And since you've also worked in completely different sectors, do you think it is a very different approach compared to other sectors?

  • Speaker #1

    Yes, I'd say in sports initially it's very reactive rather than proactive. So let's take finance, for example. You'll have FSA regulations or regulations that state you have to attain a certain level of security and so forth, where the Premier League and EFL, and same with UEFA and Bundesliga and all the rest, they're now starting to put things in place that say if you join the league, you need to have a certain level of security already in place, whereas before it wasn't. Every club was able to do their own, but the problem there you've got is... the data that you hold can span across multiple clubs. So a player could change clubs on a regular basis; that player's data may have data from when they were at previous roles as well as the clubs that they're at now. So obviously you've got to try and protect it, because it has an effect on both what affects

  • Speaker #0

    your club as well as other clubs. So are you working on turning sports and cyber security more proactive? Yes, no, definite. So we, uh, we

  • Speaker #1

    In the UK, it's nice where we can create a forum for all the IT security within the leagues to be able to talk to each other, because we've all got a common issue, which is cybersecurity. And it's a constantly evolving sector where you're constantly playing catch-up to prevent the next attack. So by sharing that information and not being against each other like you are on the pitch, but actually working together as one, that's really exciting. And it's helped a lot by creating a forum of like-minded individuals where we're constantly looking at products and methods of attack, or, if somebody has had an attack on their site or on their club, how we can prevent it on ours before it happens. Can you drop the security, the perimeter of security risks

  • Speaker #0

    and more specifically cyber risks surrounding a regular Leeds United football game?

  • Speaker #1

    Sorry, go for it.

  • Speaker #0

    No, I was thinking I can imagine a few risks already, such as access to the physical and digital sites of spectators and internet users, also means of broadcasting sports footage, video captures for television or referees, video surveillance, alarm systems, online ticketing. Can you tell us more about the risks?

  • Speaker #1

    Yes, from a club perspective, the risks are across multiple areas. So one is with regards to fan, informational fan data and the demographics of those fans. That could be via your websites. And if you think of a... of a typical club, they have a retail website where you can go and buy your latest shirt for that season. So you have data for that. You also have where you're wanting to buy your tickets online, which then holds credit card information and so forth. So you have the external side that you're needing to protect, as well as internally, you have things like access control, how they get access into the stadium through turnstiles and so forth. You have all your till systems. So you can imagine, in our case, we have on average about 37,000 people coming to a match. That's a lot of people needing something to eat, something to drink and so forth. The impact of having no tills greatly has an effect on the margins that you make during a club. And then there's the rest of the things, like you mentioned, CCTV, Wi-Fi, hospitality has... a lot of people that may be sitting in hospitality boxes, they're wanting access to internet connectivity and so forth and that. So it's then protecting your internal systems from your externals, as well as, if you're in the Premier League, they have some regulations that state that you need to provide certain things to certain parts of it, like VAR, which is goal line technology or the technology that mentions if a person's offside and so forth. If somebody was able to manipulate that or interrupt that feed, it would mean that the game would be stopped and we would have to wait until they've resolved it before we can carry on play. That would obviously have an effect on the club itself as well.

  • Speaker #0

    Of course. And also I can imagine data protection and technological assets like the fans' data information that goes through the networks and so on.

  • Speaker #1

    Yes. So, I mean, nowadays, that's your biggest value as such. The last thing you want to do is have reputational damage by having a breach to a club, because your fans expect you to look after their data and secure their data. So as well as the financial costs, because unlike a normal traditional company that has 365 days to make money for their financial year, in football you only have so many home matches and away matches to make as much money as possible. So let's take in the Premier League, you may have about 48 matches, of which 24 at home. You have to make as much money as you can during those to help you through the year, other than some things like... people using the stadium for events and so forth and that, which also brings in revenue, but not as much as a match day does.

  • Speaker #0

    So now I will be asking you the question everybody wants to know. Have you ever been cyber attacked, Graham?

  • Speaker #1

    At this stage we haven't. I won't say it's if, it's when. I think all clubs will be on the same page with regards to that because technology, especially now with AI and so forth, it's becoming more and more of a cat and mouse game with hackers and so forth. I mean, we've had some recent ones over the last couple of years, which have been quite prolific. Manchester United had in 2021-22, just lucky enough it was in COVID, they had a breach. We've had recently a couple of clubs in the EFL that have had breaches. And then the other area that is becoming more and more prevalent now is social media.

  • Speaker #0

    So how many spectators do you usually have physically in stadiums and on television? Is the risk increased if you host a particular famous game?

  • Speaker #1

    Yes, so we have on average about 37,000 people in a stadium on a match day. We are in the process of increasing that to 55,000. And then from a TV perspective, obviously, we're on Sky and so forth, so we have quite a wide reach; as to the exact number, I can't tell you, but there is quite a wide following all the way from Norway across to the States. Obviously, we've just got American owners now, so we've got quite a big following in the States as well as most of Europe and even down south in Africa.

  • Speaker #0

    And is there a difference in security if we are a club in Premier League or Championship? Are there any legal safety points to consider once you are in Premier League? Any upgrades?

  • Speaker #1

    Well, the only thing that, well, we had been not in the Premier League for nearly 16 years before we got promoted. So there is a couple of things that happen when you go into the Premier League. Obviously, your profile changes because you're playing larger clubs that have been in the league for quite a while, like Liverpool, Arsenal, Manchester United or City and those kind of clubs, which then means that there is more demand for tickets. There is, um, a lot more money in the Premier League than there is in the EFL, for example, so therefore it becomes, um, a target for anything to try and disrupt those sales. So it could be from a ticketing perspective, trying to slow down your websites, make it more difficult to, uh, to buy a ticket online, especially for a specific match, to using social media to try and sell fake tickets, and then cause a lot of disruption that way as well.

  • Speaker #0

    Yeah, of course. And is there a different cybersecurity protocol for high stakes matches, such as championship finals, for example?

  • Speaker #1

    Yes, so within the clubs themselves, there's a number of systems that we do. So in the Premier League, they have a thing called Section K. It tells you what is the requirement from their side that they need from a club going into the Premier League, which then helps make some decisions around how you segment your data and prevent those attacks. In our case, what we did was we separated our match day infrastructure and networks away from our internal head office users' networks, because there's more risk of you getting a breach, unfortunately, through people being your users than there is through your match day systems.

  • Speaker #0

    And do you cooperate with the cybersecurity teams of competitors, such as the Football Association, for example? How does it work?

  • Speaker #1

    Yes, so we have, I would say, a formalized... agreement, but all of the clubs, we get together, we share knowledge and that. We have a quarterly get-together; we had one recently at Tottenham and then at Chelsea, so where we will all sit together and work out systems. But from the Premier League and the EFL themselves, or from UEFA and so forth, I think it very much relies on like-minded people organising a get-together or a forum to discuss these things. It isn't really driven by them. It's driven by the clubs themselves, where it would be nice to have it the other way around and say, well, before, if you're a club that's looking at a high chance of being promoted into the Premier League, they do an assessment, a security assessment, and help you achieve the level of security that you're going to need before you go into the Premier League. I think that would be really helpful.

  • Speaker #0

    Right. So does the UEFA recommend protocols for cyber attacks? Like, do you report to the UEFA on this matter?

  • Speaker #1

    No, so UEFA is more for the European teams that are more like Roma and Barcelona and that side of it. Unless you're playing in the league, UEFA is on the other side. On the other side, it's more the England Football Association. So you've got... EFL or Premier League and so forth, we follow some process that they require, which is around more of cyber security insurance and making sure that all clubs have a certain level of insurance. And as part of that insurance, you've got to have certain measures in place. So yeah, we don't abide by UEFA, for example. We have our own UK-based systems that we have to abide by.

  • Speaker #0

    Right. So you mentioned earlier that sports are not very connected to cyber security. Well, at first it wasn't the case, it's coming now. But also sports fans are sometimes less cautious online than consumers in sectors like banking or healthcare. Partly, I assume, because there's less media attention on cyber security risks in sports. Do you sense a difference or even a lag in awareness, and do you think this lower level of awareness impacts how you design security strategies for a club like Leeds United? Do you need to be extra cautious?

  • Speaker #1

    Yeah, I mean I would definitely say we've got to be extra cautious, and especially when it comes around the contentious issue of ticket sales. So fans, if you want to cause a headache for a club with regards to fans, it's not being able to provide them with sufficient tickets for them to be able to attend a match. And that's the quickest way to make them upset. So the main thing is making sure that you put robust systems in place. But then also raising that awareness to the individuals and saying, look, be careful of these kind of things. Don't try and buy your ticket off of somebody on social media, for example. You have the ability to resell your tickets back to the club if you're unable to make it. Therefore, you know you can buy your ticket from a reputable source rather than somewhere else, and then setting yourself up to getting to the club and finding out that the same ticket has been sold to 10 people and you're now out of money, and you've spent a lot of money traveling to the club in the first place.

  • Speaker #0

    Right, yeah. And I wanted to give you this example, like in another sport like American football, Thomas Maldonado, the CISO of the National Football League in the USA, shared insights into the scale of security operations during the 2024 Super Bowl. And there were around 39,000 security intelligence events, and 254,000 connections were blocked to and from blacklisted regions. So keeping proportions in mind, it's clear certain sports are especially targeted, particularly football. What are the specific challenges you see as critical in this area today?

  • Speaker #1

    Yes, so one of the critical areas is visibility. So by having a single pane of glass of being able to see where your attack surface is, you can see where your opponent is, where these attacks are coming from, being able to whitelist or blacklist, in other words, saying which areas are safe areas for getting connectivity from and where are areas that you would not. Because the actors are changing. You have two types. You have the general hacker, so-called, what we call a script kiddie or whatever the case is. He doesn't really know what he's doing as such. He's following a script and trying to see what he can do. And then you've got the other actor, which is whether it's a governmental one from a foreign country or whatever the case is, that's just trying to cause disruption and the reputational damage to the sport via a company. So if we were playing a different country, for example, so if we were playing France, for example, in the World Cup, then... and they were able to disrupt that match, it then is an embarrassment for both the UK and France that we didn't have systems in place to be able to do it. So our reputational damage, as well as the cost implication and so forth. Ability to be able to protect those is becoming more and more difficult without being able to see where they're coming from. And then once you've got some visibility of where they're coming from, it's then putting the additional things in place. So, for example, what we've done is we started by looking at our endpoint. So, the user themselves, what we could put in place to try and secure them, and then look at it from a network behaviour side, which is why we started looking at products that look at network behaviour and moved across to Gatewatcher, which looks at the network security side of things. So it's not just the traditional looking at the PC and the user's behaviour. 
    It's also looking at your network behaviour, because typically, you know, you may not see something that's happening on the networking side, but you would see it if somebody's machine was running slow and they had pop-ups and various other things on their laptop, for example. You would kind of expect that there's something going on from the user side, whereas on the network, it's a little bit the dark art. It's sitting in the background. Nobody really knows about it. So it's putting systems in place to be able to monitor both what's going on in the background as well as what's happening in real time in the front, and then giving that visibility so that you can react on it really quickly.

  • Speaker #0

    Yeah, that's a lot of forecasting and proactivity.

  • Speaker #1

    Yes.

  • Speaker #0

    So, as you mentioned, there are a wide, diverse set of cyber criminals. One statistic I find quite striking is, according to a 2020 report that's called the Cyber Threat to Sports Organizations from the NCSC, 70% of the 57 sports organizations surveyed by the NCSC have experienced a cyber incident or breach, compared to an average of 32% across British businesses. So of the cyber incidents that caused financial damage, the average loss was over $10,000 per incident. The biggest single loss was over £4 million. And so it means that the sports sector is a lot more attacked than businesses. Do you find these figures consistent?

  • Speaker #1

    Yes, I think it's becoming even more so now recently. So I'll give you an example. In a normal business, your average transaction, unless you're acquiring a business, another business or whatever the case is, may be in a couple of million pounds. We look at player transfers, for example. A player transfer can cost in the region of tens of millions of pounds. So if somebody is able to intercept and fool a club into thinking that they are paying another club for a player, and they're able to intercept that transaction, they could then have a one hit that is in the millions of pounds. And then it makes it a lot more difficult to try and detect who actually did it and so forth. Because of the amount of money, the occurrence of that happening has been quite prolific, um, over time, where now hackers, they don't make themselves known that they're watching your network or they are sitting on your network. They can be sitting there dormant for quite a while monitoring your mails, and then when they see something that is interesting, like a payment that needs to be made, they will then utilize methods. I mean, let's be honest, these are people that study social engineering. They know people's habits, they know people's behaviours and so forth and that. They create things like an urgency to say, oh, you need to pay this bill by a certain time, otherwise we're going to pull this player back out or they're going to make them a free agent or whatever. So it puts that additional pressure on a club. They then don't phone the club to confirm that the invoice is real. They then send the funds and so forth. And then afterwards, the club phones them and says, oh, I've sent you an invoice for this, and said, but I've already paid it. And it's like, but it wasn't us. By then, a certain amount of time's gone, at which point that money is transferred through 10 or 15 different banking organizations. So it makes it very difficult to recover. 
It's because of the amount of money that goes backwards and forwards in sports that makes it a targeted area compared to other types of businesses.

  • Speaker #0

    Yeah, they're... cyber criminals can get inside the network and wait a long time before the right moment to attack.

  • Speaker #1

    Correct. It's not in their best interest to make themselves known. Typically they will harvest as much information as possible. We've had two this year already, so two clubs in the EFL, they were breached. What happened was somebody managed to get in, they would sit and monitor the chief financial officer's email address, for example, and then what they would do is they would set up an internal mail system to bypass any external, and email out messages on behalf of that CFO, for example. Thereby spreading that virus to a wider audience, as well as gathering all the information that was in that person's mailbox so that they can utilize it later.

  • Speaker #0

    So are the motivations behind these attacks solely financial or do you see other trends possibly like political?

  • Speaker #1

    Yeah, I haven't really seen, in our level of game, political; that would be more where it would be different countries playing against each other. But I think one area which is, I'll redo that in the form of, there is a certain political side of it. So an example recently is we signed an Israeli player. Obviously, there's a lot of turmoil going on in Israel and so forth at the time. So they used social media to try and cause some consternation with the club and with the fans because of the fact of signing. So, yes, parts of football can be used as a political weapon, especially using things like deepfakes, hacking people's social media accounts, of players, for example, and then making statements that aren't really true. So they can have a political aspect to their attacks.

  • Speaker #0

    Yeah, and there are some pretty scary examples of cyber attacks that have been taking place at sporting events in the past. I can recall Pyeongchang in South Korea for the Winter Olympics in 2018. There was a massive cyber attack just moments before the opening ceremony. And I remember also Manchester United Football Club, whose stadium access gates were blocked during a Premier League match in 2020. And so in 2022, the FBI advised athletes and visitors attending the Beijing Winter Games to use temporary phones to reduce the risks of malicious apps, tracking tools or malware potentially installed on devices with access to sensitive data. Is espionage also a risk that you consider?

  • Speaker #1

    Yes, definitely. I mean, one of the things that you can imagine with having 37,000 people in a stadium all at one go is people pretending that a certain network is the club's network when it's not. It is a private hotspot that people think, oh, well, this is where I need to pre-order my drink from and so forth. We monitor all the pop-up networks that happen during a match day, so we know which are the networks that are our networks and which are not, so we can try and block those additional networks. And you see loads of people attempt. Most people have hotspots on their mobile phone for when they're working in the train. They just never turn it off. It's permanently available. Unfortunately, some people use it for malicious means. So they can use that to try and trick people into signing and giving their details, their social media or banking details or so forth. Or they will use things like Bluetooth to try and push apps or pop-up apps to people. And the advantage is it's not just football; it'll be anywhere where there is a large amount of people all in one place, because if you think about it, it means you can have the most effect with a little amount of input. So you could have a mobile phone with a Trojan on it or a virus on it that you could use to push out to more people in a football match than what you could if you were just walking down the street or sitting in a McDonald's or something like that, in takeaways or whatever the case is. So yes, there are certain people that will utilise clubs' infrastructure, in the form of seated people in an area, to try and propagate some form of virus. So it's trying to protect your fans as much as possible and tell them what is valid and what is not valid, what to look out for. But as I say, it's a cat and mouse game. We can only try our best at the end of the day.

  • Speaker #0

    Yeah, so there is a very diverse set of cyber criminals: they have political and geopolitical motivations, some of them are hacktivists, some of them are even from the mafia. Could you list the operating modes, cyber attacks and methods that you monitor in particular?

  • Speaker #1

    Yes, so what we will do on an average, so let's say for a sports event, so what we will do is we will monitor all of the infrastructure that's available, that's both our physical infrastructure as well as our digital infrastructure, for any untoward attacks or anything that's out of the ordinary. So patterns, looking at patterns of information. We will also look at what is the, is there a contention between the two clubs that are going to be playing, so that we can put certain things in place beforehand. We will also make sure that as a club itself, we've pre-planned as much as possible for an event. So, for example, if somebody wanted to disrupt the event by stopping people from having access, what is the plan B? So in other words, if the turnstiles didn't allow the people in because there was a problem with the turnstile system or the access control system, how would we then get people into the stadium without that system in place? So you're constantly creating what we call a breach playbook, or a matchday safety officer will create a set of scenarios, and we look at how we can facilitate those. Because if you think about it from a club perspective, let's say Leeds, for example, if we were in the Premier League and we were unable to have a match for whatever reason (we've had one where we were delayed by 38 minutes, for example), but if that match had been suspended in total, you're looking at an average cost of a couple of million pounds if you take ticket sales, access, hospitality, your advertising, your TV rights and everything else into account. It is a big chunk of cash, excluding whatever fine you would get from the Premier League or whatever for not being able to provide that match. So it takes quite a hit on the club itself. So every club's trying to make sure that we have enough systems in place, or fail-safes, to be able to work that, should there be a breach of some attempt, we can still continue to have the match, and fans' data and player data and all the rest is still secure.

  • Speaker #0

    Right. What about AI in sports? Is it a threat or a challenge? Do you see new approaches emerging to anticipate or even thwart attacks? In what ways will it impact your work?

  • Speaker #1

    Yeah, I think it's both a threat as well as a challenge, because it is advancing at such a rate that's making it quite difficult, in the form of people can now use AI to create malicious software without them having a lot of programming experience and so forth. So it means that the sophistication of the attacks and attempts are getting more and more clever and intelligent, which then means that you need to use AI within your discovery tools to try and prevent those kind of attacks. But also it means that the demographic is changing in the form of, in some cases, the use of deepfakes is becoming quite prevalent now, which a couple of years ago was unheard of, where now you can have a deepfake of an owner of a club or a player say something derogatory or something that could harm the club's reputation and upset the fans, cause consternation within the club or whatever the case is, which is totally fake, and there's no way of identifying whether it was a fake or not when it's sitting on social media. Only the person knows that it was a fake, because it wasn't them that said it, and then you've got to try and prove to all of the audience that what you said was not you, it was a fake in the first place. So that is becoming more and more difficult to try and manage. It's getting to a point now where even the clubs have regular conversations with the local police forces and so forth, because another trend that we're seeing is what's called virtual hijacking. What will happen is, let's take a player, for example. They have a young child, a daughter, a son, whatever, that's at school. Somebody will take the voice and mimic the voice of that child, phone the player and, with the voice of the child, tell them that the child is saying that they've been hijacked or they've been held for ransom. Meanwhile, nothing has happened to the child at all. They're still in school. They're perfectly fine. But people are using more and more sophisticated methods now than was ever possible before.

  • Speaker #0

    Right. Oh, that's terrible. And also, how do you manage data sovereignty issues in the context of the use of AI? Are there specific measures in place to ensure that sensitive participant and spectator data remains under local control?

  • Speaker #1

    Yes, so all clubs, and ours in particular, what we do is we do almost like compliance. So we validate what information, so I'll give an example. Everybody went out when Copilot came out and said, right, we're going to use AI to share all our information and so forth. The problem with that is, unless you know what is in your data, you run the risk of sharing something that you didn't want to share, or sharing personal information or player salaries or whatever the case is. So the first thing you need to do is go and identify your data, see what type of data it is that's in there, associate a risk to that data, so that you can then say, right, this data is of a higher risk, we are not going to have it anywhere near any form of AI, or it's got additional security measures in place that only allow certain people to view it, and there's auditing so you can see who had access to the files and who didn't. And then you have those with less risk, that you can say this data is fine to share because it's already out in the public domain; it is not classified as personal data or sensitive information that may be medical data or so forth. So you first have to classify all your data. Once you've done that classification, then you look at retention: how long have you kept the data for, do you really need to still have that data there? Because the longer you keep it and it doesn't have a use, the risk is that that data could end up being leaked. So rather, if you no longer need that data and the expiry time for legally keeping that data has expired, remove it, delete it, get rid of it, because then that means that there's less data for you to worry about.

  • Speaker #0

    Thank you for the advice. Do you think cybersecurity in sports could serve as a model for protecting critical infrastructures more generally? What lessons could the sector share with other industries?

  • Speaker #1

    Yeah, I think for definite. I mean, if you look at the Paris Olympics that you had recently and so forth, the security systems that were used in the background to that, a lot of the time businesses don't understand the complexity behind an Olympics or a big sporting event and so forth. They just look at it with regards to their business. But from a sport, because it's a multitude of different environments that you're having to protect, I think business would benefit from learning about how sport has to react due to the speed at which they change from a business perspective, whether that's being promoted into another league or coming down into another league, the rate at which clubs get sold and players or people move around from club to club. In a business, it's a little bit different. They very rarely change ownership as often as a club may change ownership. They also don't necessarily go up into having shareholders and then go down to not having shareholders. So from a learning perspective, there's a lot that businesses can actually learn from football, and vice versa, in the form of, yeah, it would be nice for football to be able to understand that security also needs a certain amount of investment, like what businesses, especially financial ones and so forth, put in for regulation of their data. Football needs to do the same.

  • Speaker #0

    Right. Also, football inspires millions of young people with values like resilience, discipline and perseverance, which are so different from those found in cybersecurity. Do you think a club like Leeds United could play a role in raising public awareness on these issues? And how could clubs promote these values in a digital context?

  • Speaker #1

    Yeah, so there's quite a few different ways. So most clubs, they are involved in the communities. And as part of those communities, it's telling people what is it that they actually do, because some of it goes underneath the radar. If you think about it, like academies and so forth, you have players or young people that work for the club going out into schools, going out into communities that may be from deprived communities or somewhere where kids don't have the ability to do sport, for example. And while they're working with them, they can then pass some of those values across and identify areas of concern that may be needed in those. So from a grassroots perspective, the club is only as good as the grassroots of the community that they support, because these young people are effectively the fans of the future. They will look at footballers and so forth and say, look, I want to be like Ronaldo and so forth. The reality is the amount of youngsters that actually make it to become a professional footballer is very low. So therefore, let's still impart all of the values that a person like Ronaldo would have and so forth on these youngsters, so that they could then use those values to achieve whatever they wanted to achieve, but use the grassroots side of football to be able to do it. And also, that way, I think it'll also mean that as they get older, we won't see the amount of football discipline, or lack of discipline, in certain areas of football fans that you used to see in the past, because the youngsters have different values to what the old ones had, who liked to fight when they were older in football and so forth, whereas the youngsters are saying, I've come to enjoy the match. We see that in the form of the way that the women's game has progressed and so forth, whereas before you didn't have the amount of people that actually watched, where now we have a lot of young girls that are seeing players being able to achieve the same as the men. They're getting the recognition, slowly but surely, the same as men and so forth, and those are increasing the values, and that's how you build them up. They are then more beneficial for your local communities as well as future fans for the club.

  • Speaker #0

    I agree. Well, thank you very much, Graham, for joining us today and for sharing your insights into the fascinating and complex world of cybersecurity in sports. It's been enlightening to understand the unique challenges and responsibilities a club like Leeds United faces, and to hear your thoughts on how football can contribute to a broader awareness on digital security. To our listeners, thank you for tuning in to this episode of In the Eye of Cyber. If you enjoyed today's conversation, don't forget to subscribe and share. We look forward to having you with us for our next episode as we continue to explore the evolving landscape of cybersecurity. Take care and see you soon.



👩I'm Anne-Laure de La Rivière, Director of Communications and Public Affairs at Gatewatcher, a French SME specialising in cyber attack detection.


✍️You would like to suggest themes for future podcasts? Do you have any suggestions for guests? Contact us at contact@gatewatcher.com


Enjoy listening!


Hosted by Ausha. Visit ausha.co/politique-de-confidentialite for more information.

Transcription

  • Speaker #0

    Welcome to the podcast "In the eye of cyber" that gives a voice to leaders in the digital industry. I am Anne-Laure de La Rivière, Director of Communications and Public Affairs at Gatewatcher, and today I am hosting Graham Peck, Information Security Manager and DPO at Leeds United Football Club. Together, we'll be diving into the intersection of cyber security and sport. At first glance, it may not seem obvious, but there are many links between these two fields. Just like in cybersecurity, team effort is crucial in sports. And now more than ever, sports organizations, infrastructures and personnel require resilient cybersecurity. In the high stakes world of professional sports, the action isn't just on the field. More episodes to come in English at www.gatewatcher.com. If you enjoy our work, make sure to subscribe to In the Eye of Cyber on all listening platforms so you don't miss our next release. Enjoy the episode! Hello, Graham.

  • Speaker #1

    Hi, Anne-Laure.

  • Speaker #0

    Thank you so much for accepting our invitation and joining us for this episode of In the Eye of Cyber. Could you start by telling us a bit about your career path and the choices that led you to this role and why?

  • Speaker #1

    Yeah, no problem. So, after leaving school, I went into the military for a number of years, but when I left the military and went into IT, IT security has always been like an underlying factor. So I worked across many different organizations, from finance, data centers and so forth, where security was an underlying side to it. It's just that early 98, 2000, cybersecurity became more of a thing, of an area of expertise, so I decided to start looking at that, and I am where I am now because of it.

  • Speaker #0

    So joining a football club, is that something that happened by chance or was it a goal from the start?

  • Speaker #1

    Oh no, this was definitely by chance. As you can hear from my accent, I come from more of a rugby and cricket nation than a football, or what I would call soccer, nation, and get told off about it.

  • Speaker #0

    You come from South Africa, right?

  • Speaker #1

    That's correct, that's correct. So, yeah, I was definitely not expecting to go into sport. But as I said, I've been in many different types of organizations. And sport is just like any other company. I think people just need to realize there's two parts to football. There's what goes on on the pitch with the players and so forth. But behind the scenes, we're an SME, just like any other business. We have marketing, accounts, all the rest. So it's a normal business on one side of it and just football on the other.

  • Speaker #0

    Exactly, and we'll be digging into specifically what you're doing at Leeds United Football Club. So what has been your biggest surprise since taking on this role? Was there something you didn't expect at all or that has really taken you back since you started?

  • Speaker #1

    Yeah, I think that general perception, I think everybody's got this general perception, especially with football, that they think there's lots of money in football when, truth be told, there may be a lot of money from a player and the football side of it, but from the SME side of it there isn't. So there was a lot of legacy systems, there was a lot of lack of investment in certain parts of the business, and because it's unlike any other business, where the owners regularly change, for example, so one minute you may be in the Premier League or in the Championship, where there may be more money, and then the next season you could be down. So because it fluctuates a lot, it has an impact on investment. And I think that was my biggest shock, was the perception that there was going to be lots of systems in place for security, and then when I started noticing that there wasn't.

  • Speaker #0

    So cybersecurity is new in sports. Is this something that you say?

  • Speaker #1

    Yeah, I'd say in certain sections of sport, it's new. There's always been a certain part of security in sport for things like player contracts and so forth, and fan data. It's now extending to a wider demographic, as such, because technology is changing. You can have Wi-Fi in a system, you've got till systems, Wi-Fi, various other things that you would run on a match day, and those are now easily accessible from people wanting to try malicious attempts on it.

  • Speaker #0

    And since you've also worked in completely different sectors, do you think it is a very different approach compared to other sectors?

  • Speaker #1

    Yes, I'd say in sports initially it's very reactive rather than proactive. So let's take finance, for example: you'll have FSA regulations, or regulations that state you have to attain a certain level of security and so forth, where the Premier League and EFL, and same with UEFA and Bundesliga and all the rest, they're now starting to put things in place that say if you join the league, you need to have a certain level of security already in place, whereas before it wasn't. Every club was able to do their own, but the problem there you've got is the data that you hold can span across multiple clubs. So a player could change clubs on a regular basis; that player's data may have data from when they were at previous roles as well as the clubs that they're at now. So obviously you've got to try and protect it, because it has an effect on both what affects your club as well as other clubs.

  • Speaker #0

    So are you working on turning sports and cyber security more proactive?

  • Speaker #1

    Yes, no, definite. So we, in the UK, it's nice where we can create a forum for all the IT security within the leagues to be able to talk to each other, because we've all got a common issue, which is cybersecurity. And it's a constantly evolving sector where you're constantly playing catch up to prevent the next attack. So by sharing that information and not being against each other like you are on the pitch, but actually working together as one, that's really exciting, and it's helped a lot by creating a forum of like-minded individuals where we're constantly looking at products and methods of attack, or if somebody has had an attack on their site or on their club, how we can prevent it on ours before it happens.

  • Speaker #0

    Can you draw the perimeter of security risks and, more specifically, cyber risks surrounding a regular Leeds United football game?

  • Speaker #1

    Sorry go for it.

  • Speaker #0

    No I was thinking I can imagine a few risks already such as access to the physical and digital sites of spectators and internet users, also means of broadcasting sports footage, video captures for television or referees, video surveillance, alarm systems, online ticketing. Can you tell us more about the risks?

  • Speaker #1

    Yes, from a club perspective, the risks are across multiple areas. So one is with regards to fan information, fan data and the demographics of those fans. That could be via your websites. And if you think of a typical club, they have a retail website where you can go and buy your latest shirt for that season. So you have data for that. You also have where you're wanting to buy your tickets online, which then holds credit card information and so forth. So you have the external side that you're needing to protect, as well as internally, you have things like access control, how they get access into the stadium through turnstiles and so forth. You have all your till systems. So you can imagine, in our case, we have on average about 37,000 people coming to a match. That's a lot of people needing something to eat, something to drink and so forth. The impact of having no tills greatly has an effect on the margins that you make during a match. And then there's the rest of the things, like you mentioned, CCTV, Wi-Fi; hospitality has a lot of people that may be sitting in hospitality boxes, they're wanting access to internet connectivity and so forth. So it's then protecting your internal systems from your externals, as well as, if you're in the Premier League, they have some regulations that state that you need to provide certain things to certain parts of it, like VAR, which is goal line technology or the technology that mentions if a person's offside and so forth. If somebody was able to manipulate that or interrupt that feed, it would mean that the game would be stopped and we would have to wait until they've resolved it before we can carry on play. That would obviously have an effect on the club itself as well.

  • Speaker #0

    Of course. And also I can imagine data protection and technological assets, like the fans' data information that goes through the networks and so on.

  • Speaker #1

    Yes. So, I mean, nowadays, that's your biggest value as such. The last thing you want to do is have reputational damage by having a breach to a club, because your fans expect you to look after their data and secure their data. So as well as the financial costs, because unlike a normal traditional company that has 365 days to make money for their financial year, in football you only have so many home matches and away matches to make as much money as possible. So let's take the Premier League, you may have about 48 matches, of which 24 at home. You have to make as much money as you can during those to help you through the year, other than some things like people using the stadium for events and so forth, which also brings in revenue, but not as much as a match day does.

  • Speaker #0

    So now I will be asking you the question everybody wants to know. Have you ever been cyber attacked, Graham?

  • Speaker #1

    At this stage we haven't. I won't say it's if, it's when. I think all clubs will be on the same page with regards to that because technology, especially now with AI and so forth, it's becoming more and more of a cat and mouse game with hackers and so forth. I mean, we've had some recent ones over the last couple of years, which have been quite prolific. Manchester United had in 2021-22, just lucky enough it was in COVID, they had a breach. We've had recently a couple of clubs in the EFL that have had breaches. And then the other area that is becoming more and more prevalent now is social media.

  • Speaker #0

    So how many spectators do you usually have physically in stadiums and on television? Is the risk increased if you host a particular famous game?

  • Speaker #1

    Yes, so we have on average about 37,000 people in a stadium on a match day. We are in the process of increasing that to 55,000. And then from a TV perspective, obviously, we're on Sky and so forth, so we have quite a wide reach; as to the exact number, I can't tell you, but there is quite a wide following all the way from Norway across to the States. Obviously, we've just got American owners now, so we've got quite a big following in the States as well as most of Europe and even down south in Africa.

  • Speaker #0

    And is there a difference in security if we are a club in Premier League or Championship? Are there any legal safety points to consider once you are in Premier League? Any upgrades?

  • Speaker #1

    Well, the only thing that, well, we had been not in the Premier League for nearly 16 years before we got promoted. So there is a couple of things that happen when you go into the Premier League. Obviously, your profile changes because you're playing larger clubs that have been in the league for quite a while, like Liverpool, Arsenal, Manchester United or City and those kind of clubs, which then means that there is more demand for tickets. There is a lot more money in the Premier League than there is in the EFL, for example, so therefore it becomes a target for anything to try and disrupt those sales. So it could be from a ticketing perspective, trying to slow down your websites, make it more difficult to buy a ticket online, especially for a specific match, to using social media to try and sell fake tickets, and then cause a lot of disruption that way as well.

  • Speaker #0

    Yeah, of course. And is there a different cybersecurity protocol for high stakes matches, such as championship finals, for example?

  • Speaker #1

    Yes, so within the clubs themselves, there's a number of systems that we do. So in the Premier League, they have a thing called Section K. It tells you what is the requirement from their side that they need from a club going into the Premier League, which then helps make some decisions around how you segment your data and prevent those attacks. In our case, what we did was we separated our match day infrastructure and networks away from our internal head office users' networks, because there's more risk of you getting a breach, unfortunately, through people being your users than there is through your match day systems.

  • Speaker #0

    And do you cooperate with the cybersecurity teams of competitors, such as the Football Association, for example? How does it work?

  • Speaker #1

    Yes, so we have, I would say, a formalized agreement, but all of the clubs, we get together, we share knowledge and that. We have a quarterly get together; we had one recently at Tottenham and then at Chelsea, where we will all sit together and work out systems. But from the Premier League and the EFL themselves, or from UEFA and so forth, I think it very much relies on like-minded people organising a get together or a forum to discuss these things. It isn't really driven by them. It's driven by the clubs themselves, where it would be nice to have it the other way around and say, well, before, if you're a club that's looking at a high chance of being promoted into the Premier League, they do an assessment, a security assessment, and help you achieve the level of security that you're going to need before you go into the Premier League. I think that would be really helpful.

  • Speaker #0

    Right. So does the UEFA recommend protocols for cyber attacks? Like, do you report to the UEFA on this matter?

  • Speaker #1

    No, so UEFA is more for the European teams that are more like Roma and Barcelona and that side of it. Unless you're playing in the league, UEFA is on the other side. On the other side, it's more the England Football Association. So you've got EFL or Premier League and so forth; we follow some process that they require, which is around more of cyber security insurance and making sure that all clubs have a certain level of insurance. And as part of that insurance, you've got to have certain measures in place. So yeah, we don't abide by UEFA, for example. We have our own UK-based systems that we have to abide by.

  • Speaker #0

    Right. So you mentioned earlier that sports are not very connected to cyber security. Well, at first it wasn't the case; it's coming now. But also sports fans are sometimes less cautious online than consumers in sectors like banking or healthcare, partly, I assume, because there's less media attention on cyber security risks in sports. Do you sense a difference or even a lag in awareness, and do you think this lower level of awareness impacts how you design security strategies for a club like Leeds United? Do you need to be extra cautious?

  • Speaker #1

    Yeah, I mean, I would definitely say we've got to be extra vigilant, and especially when it comes around the contentious issue of ticket sales. So, fans: if you want to cause a headache for a club with regards to fans, it's not being able to provide them with sufficient tickets for them to be able to attend a match. And that's the quickest way to make them upset. So the main thing is making sure that you put robust systems in place. But then also raising that awareness to the individuals and saying, look, be careful of these kinds of things. Don't try and buy your ticket off of somebody on social media, for example. You have the ability to resell your tickets back to the club if you're unable to make it. Therefore, you know you can buy your ticket from a reputable source rather than somewhere else, and then setting yourself up to getting to the club and finding out that the same ticket has been sold to 10 people, and you're now out of money and you've spent a lot of money travelling to the club in the first place.

  • Speaker #0

    Right, yeah. And I wanted to give you this example: in another sport, like American football, Thomas Maldonado, the CISO of the National Football League in the USA, shared insights into the scale of security operations during the 2024 Super Bowl. And there were around 39,000 security intelligence events, and 254,000 connections were blocked to and from blacklisted regions. So keeping proportions in mind, it's clear certain sports are especially targeted, particularly football. What are the specific challenges you see as critical in this area today?

  • Speaker #1

    Yes, so one of the critical areas is visibility. So by having a single pane of glass, of being able to see where your attack surface is, you can see where your opponent is, where these attacks are coming from, being able to whitelist or blacklist, in other words, saying which areas are safe areas for getting connectivity from and where are areas that you would not. Because the actors are changing. You have two types. You have the general hacker, so-called, what we call a script kiddie or whatever the case is. He doesn't really know what he's doing as such. He's following a script and trying to see what he can do. And then you've got the other actor, which is whether it's a governmental one from a foreign country or whatever the case is, that's just trying to cause disruption and reputational damage to the sport via a company. So if we were playing a different country, for example, so if we were playing France, for example, in the World Cup, then... and they were able to disrupt that match, it then is an embarrassment for both the UK and France that we didn't have systems in place to be able to do it. So our reputational damage, as well as the cost implication and so forth. The ability to be able to protect those is becoming more and more difficult without being able to see where they're coming from. And then once you've got some visibility of where they're coming from, it's then putting the additional things in place. So, for example, what we've done is we started by looking at our endpoint. So, the user themselves, what we could put in place to try and secure them, and then look at it from a network behaviour side, which is why we started looking at products that look at network behaviour and moved across to Gatewatcher, which looks at the network security side of things. So it's not just the traditional looking at the PC and the user's behaviour. It's also looking at your network behaviour, because typically, you know, you may not see something that's happening on the networking side, but you would see it if somebody's machine was running slow and they had pop-ups and various other things on their laptop, for example. You would kind of expect that there's something going on from the user side, whereas on the network, it's a little bit of a dark art. It's sitting in the background. Nobody really knows about it. So it's putting systems in place to be able to monitor both what's going on in the background as well as what's happening in real time in the front, and then giving that visibility so that you can react on it really quickly.

  • Speaker #0

    Yeah, that's a lot of forecasting and proactivity.

  • Speaker #1

    Yes.

  • Speaker #0

    So, as you mentioned, there is a wide, diverse set of cyber criminals. One statistic I find quite striking is, according to a 2020 report that's called the Cyber Threat to Sports Organizations from the NCSC, 70% of the 57 sports organizations surveyed by the NCSC have experienced a cyber incident or breach, compared to an average of 32% across British businesses. So of the cyber incidents that caused financial damage, the average loss was over $10,000 per incident. The biggest single loss was over £4 million. And so it means that the sports sector is a lot more attacked than businesses. Do you find these figures consistent?

  • Speaker #1

    Yes, I think it's becoming even more so now recently. So I'll give you an example. In a normal business, your average transaction, unless you're acquiring a business, another business or whatever the case is, may be in a couple of million pounds. We look at player transfers, for example. A player transfer can cost in the region of tens of millions of pounds. So if somebody is able to intercept and fool a club into thinking that they are paying another club for a player, and they're able to intercept that transaction, they could then have a one hit that is in the millions of pounds. And then it makes it a lot more difficult to try and detect who actually did it and so forth. Because of the amount of money, the occurrence of that happening has been quite prolific over time, where now hackers don't make themselves known that they're watching your network or they are sitting on your network. They can be sitting there dormant for quite a while, monitoring your mails, and then when they see something that is interesting, like a payment that needs to be made, they will then utilize methods. I mean, let's be honest, these are people that study social engineering. They know people's habits, they know people's behaviours and so forth. They create things like an urgency to say, oh, you need to pay this bill by a certain time, otherwise we're going to pull this player back out, or they're going to make them a free agent or whatever. So it puts that additional pressure on a club. They then don't phone the club to confirm that the invoice is real. They then send the funds and so forth. And then afterwards, the club phones them and says, oh, I've sent you an invoice for this, and they said, but I've already paid it. And it's like, but it wasn't us. By then, a certain amount of time's gone, at which point that money is transferred through 10 or 15 different banking organizations. So it makes it very difficult to recover. It's because of the amount of money that goes backwards and forwards in sports that makes it a targeted area compared to other types of businesses.

  • Speaker #0

    Yeah, they're... cyber criminals can get inside the network and wait a long time before the right moment to attack.

  • Speaker #1

    Correct. It's not in their best interest to make themselves known. Typically they will harvest as much information as possible. We've had two this year already, so two clubs in the EFL, they were breached. What happened was somebody managed to get in, and they would sit and monitor the chief financial officer's email address, for example. And then what they would do is they would set up an internal mail system to bypass any external, and email out messages on behalf of that CFO, for example, thereby spreading that virus to a wider audience as well as gathering all the information that was in that person's mailbox so that they can utilize it later.

  • Speaker #0

    So are the motivations behind these attacks solely financial or do you see other trends possibly like political?

  • Speaker #1

    Yeah, I haven't really seen, in our level of game, political; that would be more where it would be different countries playing against each other. But I think one area which is, I'll redo that in the form of, there is a certain political side of it. So an example recently is we signed an Israeli player. Obviously, there's a lot of turmoil going on in Israel and so forth at the time. So they used social media to try and cause some consternation with the club and with the fans because of the fact of signing. So, yes, parts of football can be used as a political weapon, especially using things like deepfakes, hacking people's social media accounts, of players, for example, and then making statements that aren't really true. So they can have a political aspect to their attacks.

  • Speaker #0

    Yeah, and there are some pretty scary examples of cyber attacks that have been taking place at sporting events in the past. I can recall Pyeongchang in South Korea for the Winter Olympics in 2018. There was a massive cyber attack just moments before the opening ceremony. And... I remember also Manchester United Football Club, whose stadium access gates were blocked during a Premier League match in 2020. And so in 2022, the FBI advised athletes and visitors also attending the Beijing Winter Games to use temporary phones to reduce the risks of malicious apps, tracking tools or malware potentially installed on devices with access to sensitive data. Is espionage also a risk that you consider?

  • Speaker #1

    Yes, definitely. I mean, one of the things that you can imagine with having 37,000 people in a stadium all at one go is people pretending that a certain network is the club's network when it's not. It is a private hotspot that people think, oh, well, this is where I need to pre-order my drink from and so forth. We monitor all the pop-up networks that happen during a match day, so we know which are the networks that are our networks and which are not, so we can try and block those additional networks. And you see loads of people attempt. Most people have hotspots on their mobile phone for when they're working on the train. They just never turn it off. It's permanently available. Unfortunately, some people use it for malicious means. So they can use that to try and trick people into signing and giving their details, their social media or banking details or so forth. Or they will use things like Bluetooth to try and push apps or pop-up apps to people. And the advantage is it's not just football; it'll be anywhere where there is a large amount of people all in one place, because if you think about it, it means you can have the most effect with a little amount of input. So you could have a mobile phone with a Trojan on it or a virus on it that you could use to push out to more people in a football match than what you could if you were just walking down the street or sitting in a McDonald's or something like that, in takeaways or whatever the case is. So yes, there are certain people that will utilise clubs' infrastructure, in the form of seated people in an area, to try and propagate some form of virus. So it's trying to protect your fans as much as possible and tell them what is valid and what is not valid, what to look out for. But as I say, it's a cat and mouse game. We can only try our best at the end of the day.

  • Speaker #0

    Yeah, so there is a very diverse set of cyber criminals like political, geopolitical, they have political and geopolitical motivations, some of them are hacktivists, some of them are even from the mafia. Could you list the operating modes, cyber attacks and methods that you monitor in particular?

  • Speaker #1

    Yes, so what we will do on an average, so let's say for a sports event, what we will do is we will monitor all of the infrastructure that's available, that's both our physical infrastructure as well as our digital infrastructure, for any untoward attacks or anything that's out of the ordinary. So patterns, looking at patterns of information. We will also look at, is there a contention between the two clubs that are going to be playing, so that we can put certain things in place beforehand. We will also make sure that as a club itself, we've pre-planned as much as possible for an event. So for example, if somebody wanted to disrupt the event by stopping people from having access, what is the plan B? So in other words, if the turnstiles didn't allow the people in because there was a problem with the turnstile system or the access control system, how would we then get people into the stadium without that system in place? So you're constantly creating what we call a breach playbook, or a matchday safety officer will create a set of scenarios, and we look at how we can facilitate those. Because if you think about it from a club perspective, let's say Leeds, for example: if we were in the Premier League and we were unable to have a match for whatever reason (we've had one where we were delayed by 38 minutes, for example), but if that match had been suspended in total, you're looking at an average cost of a couple of million pounds if you take ticket sales, access, hospitality, your advertising, your TV rights and everything else into account. It is a big chunk of cash, excluding whatever fine you would get from the Premier League or whatever for not being able to provide that match. So it takes quite a hit on the club itself. So every club's trying to make sure that we have enough systems in place, or fail-safes, to be able to work that, should there be a breach of some attempt, we can still continue to have the match, and fans' data and player data and all the rest is still secure.

  • Speaker #0

    Right. What about AI in sports? Is it a threat or a challenge? Do you see new approaches emerging to anticipate or even thwart attacks? In what ways will it impact your work?

  • Speaker #1

    Yeah, I think it's both a threat as well as a challenge, because it is advancing at such a rate that it's making it quite difficult, in the form of people can now use AI to create malicious software without them having a lot of programming experience and so forth. So it means that the sophistication of the attacks and attempts is getting more and more clever and intelligent, which then means that you need to use AI within your discovery tools to try and prevent those kinds of attacks. But also it means that the demographic is changing, in the form of, in some cases, the use of deepfakes is becoming quite prevalent now, which a couple of years ago was unheard of, where now you can have a deepfake of an owner of a club or a player, and say something derogatory or something that could harm the club's reputation and upset the fans, cause consternation within the club or whatever the case is, which is totally fake, and there's no way of identifying whether it was a fake or not when it's sitting on social media. Only the person knows that it was a fake, because it wasn't them that said it, and then you've got to try and prove it to all of the audience that what you said was not you. It was a fake in the first place. So that is becoming more and more difficult to try and manage. It's getting to a point now where even the clubs have regular conversations with the local police forces and so forth. Because another trend that we're seeing is what's called virtual hijacking. What will happen is, let's take a player, for example. They have a young child, a daughter, a son, whatever, that's at school. Somebody will take the voice and mimic the voice of that child, phone the player and tell them, with the voice of the child, that the child is saying that they've been hijacked or they've been held for ransom. Meanwhile, nothing has happened to the child at all. They're still in school. They're perfectly fine. But people are using more and more sophisticated methods now than was ever possible before.

  • Speaker #0

    Right. Oh, that's terrible. And also, how do you manage data sovereignty issues in the context of the use of AI? Are there specific measures in place to ensure that sensitive participant and spectator data remains under local control?

  • Speaker #1

    Yes, so all clubs, and ours in particular, what we do is we do almost like compliance. So we validate what information, so I'll give an example. Everybody went out when Copilot came out and said, right, we're going to use AI to share all our information and so forth. The problem with that is, unless you know what is in your data, you run the risk of sharing something that you didn't want to share, or sharing personal information or player salaries or whatever the case is. So the first thing you need to do is go and identify your data, see what type of data it is that's in there, associate a risk to that data, so that you can then say, right, this data is of a higher risk, we are not going to have it anywhere near any form of AI, or it's got additional security measures in place that only allow certain people to view it, and there's auditing so you can see who had access to the files and who didn't. And then you have those with less risk, that you can say this data is fine to share because it's already out in the public domain; it is not classified as personal data or sensitive information that may be medical data or so forth. So you first have to classify all your data. Once you've done that classification, then you look at retention: how long have you kept the data for, do you really need to still have that data there? Because the longer you keep it and it doesn't have a use, the risk is that that data could end up being leaked. So rather, if you no longer need that data and the expiry time for legally keeping that data has expired, remove it, delete it, get rid of it, because then that means that there's less data for you to worry about.

  • Speaker #0

    Thank you for the advice. Do you think cybersecurity in sports could serve as a model for protecting critical infrastructures more generally? What lessons could the sector share with other industries?

  • Speaker #1

    Yeah. I think for definite. I mean, if you look at the Paris Olympics that you had recently and so forth, the security systems that were used in the background to that: a lot of the time businesses don't understand the complexity behind an Olympics or a big sporting event and so forth. They just look at it with regards to their business. But from a sport, because it's a multitude of different environments that you're having to protect, I think business would benefit from learning about how sport has to react due to the speed at which they change from a business perspective, whether that's being promoted into another league or coming down into another league, the rate at which clubs get sold and players or people move around from club to club. In a business, it's a little bit different. They very rarely change ownership as often as a club may change ownership. They also don't necessarily go up into having shareholders and then go down to not having shareholders. So from a learning perspective, there's a lot that businesses can actually learn from football, and vice versa, in the form of, yeah, it would be nice for business, for football, to be able to understand that security also needs a certain amount of investment, like what businesses put in, especially financial and so forth, businesses put in for regulation of their data. Football needs to do the same.

  • Speaker #0

    Right. Also, football inspires millions of young people with values like resilience, discipline and perseverance, which are so different from those found in cybersecurity. Do you think a club like Leeds United could play a role in raising public awareness on these issues? And how could clubs promote these values in a digital context?

  • Speaker #1

    Yeah, so there are quite a few different ways. So most clubs, they are involved in the communities. And as part of those communities, it's telling people what it is that they actually do, because some of it goes underneath the radar. If you think about it, like academies and so forth, you have players or young people that work for the club going out into schools, going out into communities that may be deprived communities or somewhere where kids don't have the ability to do sport, for example. And while they're working with them, they can then pass some of those values across and identify areas of concern that may be needed in those. So from a grassroots perspective, the club is only as good as the grassroots of the community that they support, because these young people are effectively the fans of the future. They will look at footballers and so forth and say, look, I want to be like Ronaldo and so forth. The reality is the amount of youngsters that actually make it to become a professional footballer is very low, so therefore let's still impart all of the values that a person like Ronaldo would have and so forth on these youngsters, so that they could then use those values to achieve whatever they wanted to achieve, but use the grassroots side of football to be able to do it. And also that way, I think it'll also mean that as they get older, we won't see the amount of football discipline, or lack of discipline, in certain areas of football fans that you used to see in the past, because the youngsters have different values to what the olds, they liked to fight when they were older in football and so forth, where the youngsters are saying, I've come to enjoy the match. We see that in the form of the way that the women's game has progressed and so forth, whereas before you didn't have the amount of people that actually watched, where now we have a lot of young girls that are seeing players being able to achieve the same as the men; they're getting the recognition, slowly but surely, the same as men and so forth. And those are increasing the values, and that's how you build them up. They are then more beneficial for your local communities as well as future fans for the club.

  • Speaker #0

    I agree. Well, thank you very much, Graham, for joining us today, and for sharing your insights into the fascinating and complex world of cybersecurity in sports. It's been enlightening to understand the unique challenges and responsibilities a club like Leeds United faces, and to hear your thoughts on how football can contribute to a broader awareness on digital security. To our listeners, thank you for tuning in to this episode of In the Eye of Cyber. If you enjoyed today's conversation, don't forget to subscribe and share. We look forward to having you with us for our next episode as we continue to explore the evolving landscape of cybersecurity. Take care and see you soon.



👩I'm Anne-Laure de La Rivière, Director of Communications and Public Affairs at Gatewatcher, a French SME specialising in cyber attack detection.


✍️You would like to suggest themes for future podcasts? Do you have any suggestions for guests? Contact us at contact@gatewatcher.com


Enjoy listening!


Hosted by Ausha. Visit ausha.co/politique-de-confidentialite for more information.

Transcription

  • Speaker #0

    Welcome to the podcast "In the eye of cyber" that gives a voice to leaders in the digital industry. I am Anne-Laure de La Rivière, Director of Communications and Public Affairs at Gatewatcher, and today I am hosting Graham Peck, Information Security Manager and DPO at Leeds United Football Club. Together, we'll be diving into the intersection of cyber security and sport. At first glance, it may not seem obvious, but there are many links between these two fields. Just like in cybersecurity, team effort is crucial in sports. And now more than ever, sports organizations, infrastructures and personnel require resilient cybersecurity. In the high-stakes world of professional sports, the action isn't just on the field. More episodes to come in English at www.gatewatcher.com. If you enjoy our work, make sure to subscribe to In the Eye of Cyber on all listening platforms so you don't miss our next release. Enjoy the episode! Hello, Graham.

  • Speaker #1

    Hi, Anne-Laure.

  • Speaker #0

    Thank you so much for accepting our invitation and joining us for this episode of In the Eye of Cyber. Could you start by telling us a bit about your career path and the choices that led you to this role and why?

  • Speaker #1

    Yeah, no problem. So I left... After leaving school, I went into the military for a number of years, but when I left the military and went into IT, IT security has always been like an underlying factor. So I worked across many different organizations, from finance, data centers, and so forth, where security was an underlying side to it. It's just that early 98, 2000, cybersecurity became more of a thing, of an area of expertise, so I decided to start looking at that, and I am where I am now because of it.

  • Speaker #0

    So joining a football club, is that something that happened by chance or was it a goal from the start?

  • Speaker #1

    Oh no, this was definitely by chance. As you can hear from my accent, I come from more of a rugby and cricket nation than a football, or what I would call soccer, and get told off about it.

  • Speaker #0

    You come from South Africa, right?

  • Speaker #1

    That's correct, that's correct. So, yeah, I was definitely not expecting to go into sport. But as I said, I've been in many different types of organizations. And sport is just like any other company. I think people just need to realize there's two parts to football. There's what goes on on the pitch with the players and so forth. But behind the scenes, we're an SME, just like any other business. We have marketing, accounts, all the rest. So it's a normal business on one side of it and just football on the other.

  • Speaker #0

    Exactly, and we'll be digging into specifically what you're doing at Leeds United Football Club. So what has been your biggest surprise since taking on this role? Was there something you didn't expect at all, or that has really taken you aback since you started?

  • Speaker #1

    Yeah, I think that general perception, I think everybody's got this general perception, especially with football, that they think there's lots of money in football when, truth be told, there may be a lot of money from a player and the football side of it, but from the SME side of it there isn't. So there was a lot of legacy systems, there was a lot of lack of investment in certain parts of the business, and because it's unlike any other business, where the owners regularly change, for example, so one minute you may be in the Premier League or in the Championship, where there may be more money, and then the next season you could be down. So because it fluctuates a lot, it has an impact on investment. And I think that was my biggest shock, was the perception that there was going to be lots of systems in place for security, and then when I started noticing that there wasn't.

  • Speaker #0

    So cybersecurity is new in sports. Is this something that you say?

  • Speaker #1

    Yeah, I'd say in certain sections of sport, it's new. There's always been a certain part of security in sport for things like player contracts and so forth, and fan data. It's now extending to... a wider demographic as such, because technology is changing. You can have Wi-Fi in a system, you've got till systems, Wi-Fi, various other things that you would run on a match day, and those are now easily accessible from people wanting to try malicious attempts on it.

  • Speaker #0

    And since you've also worked in completely different sectors, do you think it is a very different approach compared to other sectors?

  • Speaker #1

    Yes, I'd say in sports initially it's very reactive rather than proactive. So let's take finance, for example: you'll have FSA regulations, or regulations that state you have to attain a certain level of security and so forth, where the Premier League and EFL, and same with UEFA and Bundesliga and all the rest, they're now starting to put things in place that say if you join the league, you need to have a certain level of security already in place, whereas before it wasn't. Every club was able to do their own, but the problem there you've got is the data that you hold can span across multiple clubs. So a player could change clubs on a regular basis; that player's data may have data from when they were at previous roles as well as the clubs that they're at now. So obviously you've got to try and protect it, because it has an effect on both what affects your club as well as other clubs.

  • Speaker #0

    So are you working on turning sports and cyber security more proactive?

  • Speaker #1

    Yes, no, definitely. So we... In the UK, it's nice where we can create a forum for all the IT security within the leagues to be able to talk to each other, because we've all got a common issue, which is cybersecurity. And it's a constantly evolving sector where you're constantly playing catch-up to prevent the next attack. So by sharing that information and not being against each other like you are on the pitch, but actually working together as one, that's really exciting. And it's helped a lot by creating a forum of like-minded individuals where we're constantly looking at products and methods of attack, or if somebody has had an attack on their site or on their club, how we can prevent it on ours before it happens.

  • Speaker #0

    Can you draw the perimeter of security risks, and more specifically cyber risks, surrounding a regular Leeds United football game?

  • Speaker #1

    Sorry go for it.

  • Speaker #0

    No, I was thinking I can imagine a few risks already, such as access to the physical and digital sites of spectators and internet users, also means of broadcasting sports footage, video captures for television or referees, video surveillance, alarm systems, online ticketing. Can you tell us more about the risks?

  • Speaker #1

    Yes, from a club perspective, the risks are across multiple areas. So one is with regards to fan information, fan data and the demographics of those fans. That could be via your websites. And if you think of a typical club, they have a retail website where you can go and buy your latest shirt for that season. So you have data for that. You also have where you're wanting to buy your tickets online, which then holds credit card information and so forth. So you have the external side that you're needing to protect, as well as internally, you have things like access control, how they get access into the stadium through turnstiles and so forth. You have all your till systems. So you can imagine, in our case, we have on average about 37,000 people coming to a match. That's a lot of people needing something to eat, something to drink and so forth. The impact of having no tills greatly has an effect on the margins that you make during a club. And then there's the rest of the things, like you mentioned, CCTV, Wi-Fi, hospitality has a lot of people that may be sitting in hospitality boxes; they're wanting access to internet connectivity and so forth. So it's then protecting your internal systems from your externals, as well as, if you're in the Premier League, they have some regulations that state that you need to provide certain things to certain parts of it, like VAR, which is goal-line technology, or the technology that mentions if a person's offside and so forth. If somebody was able to manipulate that or interrupt that feed, it would mean that the game would be stopped and we would have to wait until they've resolved it before we can carry on play. That would obviously have an effect on the club itself as well.

  • Speaker #0

    Of course. And also I can imagine data protection and technological assets like the fans' data information that goes through the networks and so on.

  • Speaker #1

    Yes. So, I mean, nowadays, that's your biggest value as such. The last thing you want to do is have reputational damage by having a breach to a club, because your fans expect you to look after their data and secure their data. So as well as the financial costs, because unlike a normal traditional company that has 365 days to make money for their financial year, in football you only have so many home matches and away matches to make as much money as possible. So let's take in the Premier League, you may have about 48 matches, of which 24 at home. You have to make as much money as you can during those to help you through the year, other than some things like people using the stadium for events and so forth, which also brings in revenue, but not as much as a match day does.

  • Speaker #0

    So now I will be asking you the question everybody wants to know. Have you ever been cyber attacked, Graham?

  • Speaker #1

    At this stage we haven't. I won't say it's if, it's when. I think all clubs will be on the same page with regards to that because technology, especially now with AI and so forth, it's becoming more and more of a cat and mouse game with hackers and so forth. I mean, we've had some recent ones over the last couple of years, which have been quite prolific. Manchester United had in 2021-22, just lucky enough it was in COVID, they had a breach. We've had recently a couple of clubs in the EFL that have had breaches. And then the other area that is becoming more and more prevalent now is social media.

  • Speaker #0

    So how many spectators do you usually have physically in stadiums and on television? Is the risk increased if you host a particular famous game?

  • Speaker #1

    Yes, so we have on average about 37,000 people in a stadium on a match day. We are in the process of increasing that to 55,000. And then from a TV perspective, Obviously, we're on Sky and so forth, so we have quite a wide reaching, as to the exact number, I can't tell you, but there is quite a wide following all the way from Norway across to the States. Obviously, we've just got American owners now, so we've got quite a big following in the States as well as most of Europe and even down South in Africa.

  • Speaker #0

    And is there a difference in security if we are a club in Premier League or Championship? Are there any legal safety points to consider once you are in Premier League? Any upgrades?

  • Speaker #1

    Well, the only thing that, well, we had not been in the Premier League for nearly 16 years before we got promoted. So there is a couple of things that happen when you go into the Premier League. Obviously, your profile changes because you're playing larger clubs that have been in the league for quite a while, like Liverpool, Arsenal, Manchester United or City and those kind of clubs, which then means that there is more demand for tickets. There is a lot more money in the Premier League than there is in the EFL, for example, so therefore it becomes a target for anything to try and disrupt those sales. So it could be from a ticketing perspective, trying to slow down your websites, make it more difficult to buy a ticket online, especially for a specific match, to using social media to try and sell fake tickets, and then cause a lot of disruption that way as well.

  • Speaker #0

    Yeah, of course. And is there a different cybersecurity protocol for high stakes matches, such as championship finals, for example?

  • Speaker #1

    Yes, so within the clubs themselves, there's a number of systems that we do. So in the Premier League, they have a thing called Section K. It tells you what is the requirement from their side that they need from a club going into the Premier League, which then helps make some decisions around how you segment your data and prevent those attacks. In our case, what we did was we separated our match day infrastructure and networks away from our internal head office users' networks, because there's more risk of you getting a breach, unfortunately, through people being your users than there is through your match day systems.

  • Speaker #0

    And do you cooperate with the cybersecurity teams of competitors, such as the Football Association, for example? How does it work?

  • Speaker #1

    Yes, so we have, I would say, a formalized agreement, but all of the clubs, we get together, we share knowledge. We have a quarterly get together, we had one recently at Tottenham and then at Chelsea, where we will all sit together and work out systems. But from the Premier League and the EFL themselves, or from UEFA and so forth, I think it very much relies on like-minded people organising a get together or a forum to discuss these things. It isn't really driven by them. It's driven by the clubs themselves, where it would be nice to have it the other way around and say, well, before, if you're a club that's looking at a high chance of being promoted into the Premier League, they do an assessment, a security assessment, and help you achieve the level of security that you're going to need before you go into the Premier League. I think that would be really helpful.

  • Speaker #0

    Right. So does the UEFA recommend protocols for cyber attacks? Like, do you report to the UEFA on this matter?

  • Speaker #1

    No, so UEFA is more for the European teams that are more like Roma and Barcelona and that side of it. Unless you're playing in the league, UEFA is on the other side. On the other side, it's more the England Football Association. So you've got... EFL or Premier League and so forth, we follow some process that they require, which is around more of cyber security insurance and making sure that all clubs have a certain level of insurance. And as part of that insurance, you've got to have certain measures in place. So yeah, we don't abide by UEFA, for example. We have our own UK-based systems that we have to abide by.

  • Speaker #0

    Right. So you mentioned earlier that sports are not very connected to cyber security. Well, at first it wasn't the case, it's coming now. But also sports fans are sometimes less cautious online than consumers in sectors like banking or healthcare. Partly, I assume, because there's less media attention on cyber security risks in sports. Do you sense a difference or even a lag in awareness, and do you think this lower level of awareness impacts how you design security strategies for a club like Leeds United? Do you need to be extra cautious?

  • Speaker #1

    Yeah, I mean, I would definitely say we've got to be extra cautious, and especially when it comes around the contentious issue of ticket sales. So fans, if you want to cause a headache for a club with regards to fans, it's not being able to provide them with sufficient tickets for them to be able to attend a match. And that's the quickest way to make them upset. So the main thing is making sure that you put robust systems in place. But then also raising that awareness to the individuals and say, look, be careful of these kind of things. Don't try and buy your ticket off of somebody on social media, for example. You have the ability to resell your tickets back to the club if you're unable to make it. Therefore, you know you can buy your ticket from a reputable source rather than somewhere else, and then setting yourself up to getting to the club and finding out that the same ticket has been sold to 10 people, and you're now out of money and you've spent a lot of money travelling to the club in the first place.

  • Speaker #0

    Right, yeah. And I wanted to give you this example, like in another sport like American football, Thomas Maldonado, the CISO of the National Football League in the USA, shared insights into the scale of security operations during the 2024 Super Bowl. And there were around 39,000 security intelligence events and 254,000 connections were blocked to and from blacklisted regions. So keeping proportions in mind, it's clear certain sports are especially targeted, particularly football. What are the specific challenges you see as critical in this area today?

  • Speaker #1

    Yes, so one of the critical areas is visibility. So by having a single pane of glass of being able to see where your attack surface is, you can see where your opponent is, where these attacks are coming from, being able to whitelist or blacklist, in other words, saying which areas are safe areas for getting connectivity from and where are areas that you would not. Because the actors are changing. You have two types. You have the general hacker, so-called, what we call a script kiddie or whatever the case is. He doesn't really know what he's doing as such. He's following a script and trying to see what he can do. And then you've got the other actor, which is whether it's a governmental one from a foreign country or whatever the case is, that's just trying to cause disruption and the reputational damage to the sport via a company. So if we were playing a different country, for example, so if we were playing France, for example, in the World Cup, and they were able to disrupt that match, it then is an embarrassment for both the UK and France that we didn't have systems in place to be able to do it. So our reputational damage, as well as the cost implication and so forth. The ability to be able to protect those is becoming more and more difficult without being able to see where they're coming from. And then once you've got some visibility of where they're coming from, it's then putting the additional things in place. So, for example, what we've done is we started by looking at our endpoint, so the user themselves, what we could put in place to try and secure them, and then look at it from a network behaviour side, which is why we started looking at products that look at network behaviour and moved across to Gatewatcher, which looks at the network security side of things. So it's not just the traditional looking at the PC and the user's behaviour. It's also looking at your network behaviour, because typically, you know, you may not see something that's happening on the networking side, but you would see it if somebody's machine was running slow and they had pop-ups and various other things on their laptop, for example. You would kind of expect that there's something going on from the user side, whereas on the network, it's a little bit the dark art. It's sitting in the background. Nobody really knows about it. So it's putting systems in place to be able to monitor both what's going on in the background as well as what's happening in real time in the front, and then giving that visibility so that you can react on it really quickly.

  • Speaker #0

    Yeah, that's a lot of forecasting and proactivity.

  • Speaker #1

    Yes.

  • Speaker #0

    So, as you mentioned, there are a wide, diverse set of cyber criminals. One statistic I find quite striking is, according to a 2020 report that's called the Cyber Threat to Sports Organizations from the NCSC, 70% of the 57 sports organizations surveyed by the NCSC have experienced a cyber incident or breach, compared to an average of 32% across British businesses. So of the cyber incidents that caused financial damage, the average loss was over $10,000 per incident. The biggest single loss was over £4 million. And so it means that the sports sector is a lot more attacked than businesses. Do you find these figures consistent?

  • Speaker #1

    Yes, I think it's becoming even more so now recently. So I'll give you an example. In a normal business, your average transaction, unless you're acquiring a business, another business or whatever the case is, may be in a couple of million pounds. We look at player transfers, for example. A player transfer can cost in the region of tens of millions of pounds. So if somebody is able to intercept and fool a club into thinking that they are paying another club for a player, and they're able to intercept that transaction, they could then have a one hit that is in the millions of pounds. And then it makes it a lot more difficult to try and detect who actually did it and so forth, because of the amount of money. The occurrence of that happening has been quite prolific over time, where now hackers, they don't make themselves known that they're watching your network or they are sitting on your network. They can be sitting there dormant for quite a while, monitoring your mails, and then when they see something that is interesting, like a payment that needs to be made, they will then utilize methods. I mean, let's be honest, these are people that study social engineering. They know people's habits, they know people's behaviours and so forth. They create things like an urgency to say, oh, you need to pay this bill by a certain time, otherwise we're going to pull this player back out or they're going to make them a free agent or whatever. So it puts that additional pressure on a club. They then don't phone the club to confirm that the invoice is real. They then send the funds and so forth. And then afterwards, the club phones them and says, oh, I've sent you an invoice for this, and they say, but I've already paid it. And it's like, but it wasn't us. By then, a certain amount of time's gone, at which point that money is transferred through 10 or 15 different banking organizations. So it makes it very difficult to recover. It's because of the amount of money that goes backwards and forwards in sports that makes it a targeted area compared to other types of businesses.

  • Speaker #0

    Yeah, they're... cyber criminals can get inside the network and wait a long time before the right moment to attack.

  • Speaker #1

    Correct. It's not in their best interest to make themselves known. Typically they will harvest as much information as possible. We've had two this year already, so two clubs in the EFL, they were breached. What happened was somebody managed to get in, they would sit and monitor the chief financial officer's email address, for example. And then what they would do is they would set up an internal mail system to bypass any external and email out messages on behalf of that CFO, for example. Thereby spreading that virus to a wider audience, as well as gathering all the information that was in that person's mailbox so that they can utilize it later.

  • Speaker #0

    So are the motivations behind these attacks solely financial or do you see other trends possibly like political?

  • Speaker #1

    Yeah, I haven't really seen, in our level of game, political; that would be more where it would be different countries playing against each other. But I think one area which is, I'll redo that in the form of, there is a certain political side of it. So an example recently is we signed an Israeli player. Obviously, there's a lot of turmoil going on in Israel and so forth at the time. So they used social media to try and cause some consternation with the club and with the fans because of the fact of signing. So, yes, parts of football can be used as a political weapon, especially using things like deepfakes, hacking people's social media accounts, of players for example, and then making statements that aren't really true. So they can have a political aspect to their attacks.

  • Speaker #0

    Yeah, and there are some pretty scary examples of cyber attacks that have been taking place at sporting events in the past. I can recall Pyeongchang in South Korea for the Winter Olympics in 2018. There was a massive cyber attack just moments before the opening ceremony. And I remember also Manchester United Football Club, whose stadium access gates were blocked during a Premier League match in 2020. And so in 2022, the FBI advised athletes and visitors also attending the Beijing Winter Games to use temporary phones to reduce the risks of malicious apps, tracking tools or malware potentially installed on devices with access to sensitive data. Is espionage also a risk that you consider?

  • Speaker #1

    Yes, definitely. I mean, one of the things that you can imagine with having 37,000 people in a stadium all at one go is people pretending that a certain network is the club's network when it's not. It is a private hotspot that people think, oh, well, this is where I need to pre-order my drink from and so forth. We monitor all the pop-up networks that happen during a match day, so we know which are the networks that are our networks and which are not, so we can try and block those additional networks. And you see loads of people attempt. Most people have hotspots on their mobile phone for when they're working in the train. They just never turn it off. It's permanently available. Unfortunately, some people use it for malicious means. So they can use that to try and trick people into signing in and giving their details, their social media or banking details or so forth. Or they will use things like Bluetooth to try and push apps or pop-up apps to people. And the advantage is it's not just football, it'll be anywhere where there is a large amount of people all in one place, because if you think about it, it means you can have the most effect with a little amount of input. So you could have a mobile phone with a Trojan on it or a virus on it that you could use to push out to more people in a football match than what you could if you were just walking down the street or sitting in a McDonald's or something like that, in takeaways or whatever the case is. So yes, there are certain people that will utilise clubs' infrastructure, in the form of seated people in an area, to try and propagate some form of virus. So it's trying to protect your fans as much as possible and tell them what is valid and what is not valid, what to look out for. But as I say, it's a cat and mouse game. We can only try our best at the end of the day.

  • Speaker #0

    Yeah, so there is a very diverse set of cyber criminals, like political, geopolitical, they have political and geopolitical motivations, some of them are hacktivists, some of them are even from the mafia. Could you list the operating modes, cyber attacks and methods that you monitor in particular?

  • Speaker #1

    Yes, so what we will do on an average, so let's say for a sports event, so what we will do is we will monitor all of the infrastructure that's available, that's both our physical infrastructure as well as our digital infrastructure, for any untoward attacks or anything that's out of the ordinary. So patterns, looking at patterns of information. We will also look at what is the, is there a contention between the two clubs that are going to be playing, so that we can put certain things in place beforehand. We will also make sure that as a club itself, we've pre-planned as much as possible for an event. So for example, if somebody wanted to disrupt the event by stopping people from having access, what is the plan B? So in other words, if the turnstiles didn't allow the people in because there was a problem with their turnstile system or the access control system, how would we then get people into the stadium without that system in place? So you're constantly creating what we call a breach playbook, or a matchday safety officer will create a set of scenarios, and we look at how we can facilitate those. Because if you think about it from a club perspective, let's say Leeds for example, if we were in the Premier League and we were unable to have a match for whatever reason, we've had one where we were delayed by 38 minutes, for example, but if that match had been suspended in total, you're looking at an average cost of a couple of million pounds, if you take ticket sales, access, hospitality, your advertising, your TV rights and everything else into account. It is a big chunk of cash, excluding whatever fine you would get from the Premier League or whatever for not being able to provide that match. So it takes quite a hit on the club itself. So every club's trying to make sure that we have enough systems in place, or fail-safes, to be able to work that, should there be a breach of some attempt, we can still continue to have the match, and fans' data and player data and all the rest is still secure.

  • Speaker #0

    Right. What about AI in sports? Is it a threat or a challenge? Do you see new approaches emerging to anticipate or even thwart attacks? In what ways will it impact your work?

  • Speaker #1

    Yeah, I think it's both a threat as well as a challenge, because it is advancing at such a rate that's making it quite difficult, in the form of people can now use AI to create malicious software without them having a lot of programming experience and so forth. So it means that the sophistication of the attacks and attempts are getting more and more clever and intelligent, which then means that you need to use AI within your discovery tools to try and prevent those kind of attacks. But also it means that the demographic is changing in the form of, in some cases, the use of deepfakes is becoming quite prevalent now, which a couple of years ago was unheard of, where now you can have a deepfake of an owner of a club or a player, and say something derogatory or something that could harm the club's reputation and upset the fans, cause consternation within the club or whatever the case is, which is totally fake, and there's no way of identifying whether it was a fake or not when it's sitting on social media. Only the person knows that it was a fake, because it wasn't them that said it, and then you've got to try and prove it to all of the audience that what you said was not you. It was a fake in the first place. So that is becoming more and more difficult to try and manage. It's getting to a point now where even the clubs have regular conversations with the local police forces and so forth. Because another trend that we're seeing is what's called virtual hijacking. What will happen is, let's take a player, for example. They have a young child, a daughter, a son, whatever, that's at school. Somebody will take the voice and mimic the voice of that child, phone the player and tell them, with the voice of the child, that the child is saying that they've been hijacked or they've been held for ransom. Meanwhile, nothing has happened to the child at all. They're still in school. They're perfectly fine. But people are using more and more sophisticated methods now than was ever possible before.

  • Speaker #0

    Right. Oh, that's terrible. And also, how do you manage data sovereignty issues in the context of the use of AI? Are there specific measures in place to ensure that sensitive participant and spectator data remains under local control?

  • Speaker #1

    Yes, so all clubs, and ours in particular, what we do is we do almost like compliance. So we validate what information, so I'll give an example. Everybody went out when Copilot came out and said, right, we're going to use AI to share all our information and so forth. The problem with that is unless you know what is in your data, you run the risk of sharing something that you didn't want to share, or sharing personal information or player salaries or whatever the case is. So the first thing you need to do is go and identify your data, see what type of data it is that's in there, associate a risk to that data, so that you can then say, right, this data is of a higher risk, we are not going to have it anywhere near any form of AI, or it's got additional security measures in place that only allow certain people to view it, and there's auditing so you can see who had access to the files and who didn't. And then you have those with less risk that you can say this data is fine to share, because it's already out in the public domain, it is not classified as personal data or sensitive information that may be medical data or so forth. So you first have to classify all your data. Once you've done that classification, then you look at retention: how long have you kept the data for? Do you really need to still have that data there? Because the longer you keep it and it doesn't have a use, the risk is that that data could end up being leaked. So rather, if you no longer need that data and the expiry time for legally keeping that data has expired, remove it, delete it, get rid of it, because then that means that there's less data for you to worry about.

  • Speaker #0

    Thank you for the advice. Do you think cybersecurity in sports could serve as a model for protecting critical infrastructures more generally? What lessons could the sector share with other industries?

  • Speaker #1

    Yeah. I think for definite. I mean, if you look at the Paris Olympics that you had recently and so forth, the security systems that were used in the background to that, a lot of the time businesses don't understand the complexity behind an Olympics or a big sporting event and so forth. They just look at it with regards to their business. But from a sport, because it's a multitude of different environments that you're having to protect, I think business would benefit from learning about how sport has to react due to the speed at which they change from a business perspective, whether that's being promoted into another league or coming down in another league, the rate at which clubs get sold and players or people move around from club to club. In a business, it's a little bit different. They very rarely change ownership as often as a club may change ownership. They also don't necessarily go up into having shareholders and then go down to not having shareholders. So from a learning perspective, there's a lot that businesses can actually learn from football and vice versa, in the form of, yeah, it would be nice for business, for football, to be able to understand that security also needs a certain amount of investment, like what businesses put in, especially financial and so forth, businesses put in for regulation of their data. Football needs to do the same.

  • Speaker #0

    Right. Also, football inspires millions of young people with values like resilience, discipline and perseverance, which are so different from those found in cybersecurity. Do you think a club like Leeds United could play a role in raising public awareness on these issues? And how could clubs promote these values in a digital context?

  • Speaker #1

    Yeah, so there's quite a few different ways. So most clubs, they are involved in the communities. And as part of those communities, it's telling people what is it that they actually do, because some of it goes underneath the radar. If you think about it, like academies and so forth, you have players or young people that work for the club going out into schools, going out into communities that may be from deprived communities or somewhere where kids don't have the ability to do sport, for example. And while they're working with them, they can then pass some of those values across and identify areas of concern that may be needed in those. So from a grassroots perspective, the club is only as good as the grassroots of the community that they support, because these young people are effectively the fans of the future. They will look at footballers and so forth and say, look, I want to be like Ronaldo and so forth. The reality is the amount of youngsters that actually make it to become a professional footballer is very low. So therefore, let's still impart all of the values that a person like Ronaldo would have and so forth on these youngsters, so that they could then use those values to achieve whatever they wanted to achieve, but use the grassroots side of football to be able to do it. And also that way, I think it'll also mean that as they get older, we won't see the amount of football discipline, or lack of discipline, in certain areas of football fans that you used to see in the past, because the youngsters have different values to what the olds had. They liked to fight when they were older in football and so forth, whereas the youngsters are saying, I've come to enjoy the match. We see that in the form of the way that the women's game has progressed and so forth, whereas before you didn't have the amount of people that actually watched, where now we have a lot of young girls that are seeing players being able to achieve the same as the men. They're getting the recognition, slowly but surely, the same as men and so forth, and those are increasing the values, and that's how you build them up. They're then more beneficial for your local communities as well as future fans for the club.

  • Speaker #0

    I agree. Well, thank you very much, Graham, for joining us today, and for sharing your insights into the fascinating and complex world of cybersecurity in sports. It's been enlightening to understand the unique challenges and responsibilities a club like Leeds United faces, and to hear your thoughts on how football can contribute to a broader awareness on digital security. To our listeners, thank you for tuning in to this episode of In the Eye of Cyber. If you enjoyed today's conversation, don't forget to subscribe and share. We look forward to having you with us for our next episode as we continue to explore the evolving landscape of cybersecurity. Take care and see you soon.
