The beautiful game's digital defence: why football needs to up its cyber security game

It is projected that the sports industry will be worth 700 billion in 2026, ticket prices are on the up, the latest merchandise costs an arm and a leg, players are on ludicrous salaries, and the ability to watch sport 24/7 from the comfort of your home or wherever you are in the world makes the sector an attractive target for cyber attack.

One of the most significant contributors to this is ‘the beautiful game’ – football.

According to an article published in The Guardian in 1999, "you would have to go as far as a farmer in Chad to not know who David Beckham was at the height of his superstardom", demonstrating the reach that football had even then. Fast forward 25 years and football clubs have struggled to keep pace with the evolving dependency on technology, from digital turnstiles, cashless stadiums, and player performance analysis, the threat landscape has significantly grown. Whilst not uncommon in any sector, football has added headache of a run of good form propelling a team, previously languishing mid-table, to promotion, making them a more attractive target to cyber criminals and forcing IT and security teams to undergo rapid change to accommodate the heightened risk their newfound prominence brings.

As a fan and cyber professional, I have found myself watching the beautiful game evolve. New tournament formats, new rules, new measures for fans, and a significant reliance on technological advancements including goal line technology and the dreaded three letters 'VAR' that require vast amounts of data (much of which is personal and sensitive) generated and processed in real-time. Couple this with the huge amount of money processed, this makes the sports industry an ‘attractive’ target for disruption, fraud, and extortion, resulting in financial and or reputational damage.

At the 60^th minute of yet another dire performance from my team, it got me thinking, as a frequent attendee at sporting events, what happens with my information, player data, on-field data, ground maintenance data, etc? I am required to carry a digital ticket with unique QR codes generated for each individual match and downloaded to my smartphone. I understand the reasoning for this to tackle the ongoing issue of ticket touting and extortion, but due to the evolution of football, football clubs must face a myriad of cyber security challenges.

Researching this, I found there is a lack of evidence and awareness of Information Security, Information Management Systems (ISMS) and cyber essentials schemes to govern an approach to information security of networks, infrastructure, connected systems, and data within sport.

A robust ISMS serves multiple critical functions: it supports effective policies and procedures, protects sensitive data (from fan information to player performance metrics) against unauthorised access, and ensures compliance with data privacy regulations like GDPR. This comprehensive approach helps avoid legal repercussions and maintains stakeholder trust. Additionally, it fosters a positive security culture by educating all personnel about cyber security measures, potential threats, and best practices.

There are many cyber security opponents which football clubs must face, Ransomware continues to be a real concern, and Phishing attacks are on the rise, with reports suggesting that generic email addresses of premier league football clubs have appeared in public breaches at some point in time. If a targeted club had limited to no incident response capability, an incident of this nature would have a significant detrimental impact on the club, player, and/or fans.

Methods provides comprehensive security services that include implementing robust security measures, combating emerging cyber threats, ensuring compliance with industry standards like Cyber Essentials, and developing effective incident response and recovery plans. Our goal is to ensure that the famous line "They think it's all over, it is now" remains solely in football commentary, rather than describing an organisation in the midst of a cyber attack.