Top European football clubs find themselves in the relegation zone for cybersecurity
Football and cyber security don’t often get mentioned in the same sentence, but with billions of pounds invested into the richest football leagues in the world, and football clubs possessing vast swathes of data, their valuation can be massively impacted following a data breach. Everything from sponsorship deals, personal player data, youth teams training plans, health and performance statistics, salaries of players and all club staff through to fan members’ personally identifiable information, the impact of a breach could be devastating for the club both financially and reputationally.
What do the standings look like?
SecureScorecard recently conducted research on three of the richest football leagues in Europe*, the English Premier League, German Bundesliga and Spain’s La Liga, assessing their security posture and comparing it to their football standing. To do this we looked closely at ten elements of the league’s security posture. These include: network security; DNS health; patching cadence; endpoint security; IP reputation; web application security; cubit score; hacker chatter; leaked credentials; social engineering.
Through doing so, we revealed an inverse relationship between the success of teams in sport, their digital exposure and resulting cyber risk. By analysing each team’s external digital footprint, we discovered that the top teams across the three leagues all find themselves languishing at the bottom of their respective tables as the larger the digital footprint, the lower their cyber risk score is. At the other end of the table, those teams with a smaller digital footprint find themselves topping the table and are ultimately viewed as being more secure.
Overall, Bundesliga came out on top in terms of security, being awarded with an ‘A’, which is impressive considering it actually has 3x the digital footprint exposure of the Premier League. La Liga’s digital footprint is the smallest. Nevertheless, across all three leagues the most common security issues were weak encryption and web application issues, followed by high severity patching issues and susceptibility to email spoofing.
Surprisingly, we also discovered that only one team in the Premier League would currently meet the requirements of GDPR and be classed as compliant, whilst none of the teams in either the Bundesliga or La Liga meet the legislation
The ongoing challenge
The biggest challenge still facing organisations, whether they are a football club or a financial institution, is the disconnect between the board level executives and the IT teams. With no common language for companies and their partners to communicate, understand, and improve their cyber security and cyber risk posture, we will forever be at this impasse. To develop the enterprise risk framework which all parties can understand when discussing cyber security and risk, there are three basic points that need to be considered:
- Build cyber security into the Enterprise Risk Frameworks and Regulatory Compliance
- Establish metrics to demonstrate program maturity and comparative benchmarking
- Build your business case around people, processes and technology to demonstrate ROI
A final note
Football is not just about the camaraderie of the players and turning up to play on match days. It is very much a business with multi-billion-pound deals and reputations on the line, all of which come under fire if they suffer a data breach. We’ve already seen FIFA and teams like West Ham, Real Madrid and Barcelona falling victim to breaches or their social media profiles being hacked. Overall, the findings show that being in the Champions League in sport does not mean football teams are Champions League level for cybersecurity. But it is also important to note that just like sport standings change every day, so do cyber standings.
Industry: Cyber Security News
- DevSecOpp- Security design / review consultant. SC Clearance. London
CH7838 London £70,000 DevSecOpp- Security design / review consultant. DevSecOpp- Security design / review consultant will ensure that newly created, public facing apps are secure by design and by default by aligning them to current / best practice security policies and standards into the design phases. The individual must have a technical software / application development background with specalist experinece in secure architecture design. (Frameworks, processes, best practice etc) Practical experience translating and ensuring that the OWASP top 10, ISO27001, HMG frameworks requirements are reviewed and embedded into project designs which are implemented is essential. Experience working projects through a full development lifecycle is key. You will work along side the design and project teams to idenitfy and mitigate risks throughout the design phases. This is a permanent role. SC clearance is essential as is the ability to get to the London office. (When appropiate #covid) Security DevSecOps consultant. To arrange a discreet call book via https://calendly.com/chris-holt/devsecopp--security-design-review-consultant
- SPLUNK SOC Analyst level 3, London.
SPLUNK SOC Analyst level 3, Must be able to commute to the City of London. Onsite role. Security clearance needed. The SPLUNK SOC Analyst level 3 must have current experience working within a SOC environment with specific experience using a range of tools and techniques to investigate security incidents. Current experience with Splunk is essential. any additional experience Individuals with Elastic Security SIEM are highly desirable. Any of the following certifications are desirable Splunk Phantom certified admin, Splunk Core Certified Power User / Advanced, Splunk Certified Enterprise Security Admin, etc The role will include, but not be limited to working with sophisticated information security tools, investigating security incidents, incident management, technical escalation, process improvement, research into the latest threats, reporting etc The individual MUST currently be living in the UK and be able to achieve UK security clearance. (SC) This is a permanent role To arrange a call with Chris Holt https://calendly.com/chris-holt/arranged-call-with-chris-holt-elastic-siem-engineer-soc Chris.Holt@dclsearch.com
- ISO 27001 & Business Continuity Security Specialist, End User
- United Kingdom
CH7828 ISO 27001 & Business Continuity Security Specialist, End User, £70,000 United Kingdom ISO 27001 & Business Continuity Security Specialist needed to join a Cyber team within an end user. The ISO 27001 & Business Continuity Security Specialist will have end to end responsibility for the information security and Business Continuity management system. ISMS/BCMS. Both from an information security and technical security perspective working alongside the CISO. Experience must include, but not be limited to; a mix of Information Security standards, frameworks, audit principles, controls / policies and the management and use of the technical tooling to achieve compliance. ISO 22301, ISO 27001, NIST Cybersecurity Framework etc An ideal candidate will be working within an end user environment with a cyber consultancy background. Experience taking a company through accreditation is highly desirable Experience managing internal stakeholders, technical teams and external third parties essential Flexible working, very occasional travel to London office This is an exclusive role to DCL Search & Selection. Looking to interview immediately. https://calendly.com/chris-holt/iso-27001-business-continuity-security-specialis
- PCI- DSS Security Consultant, End User
PCI- DSS Security Consultant needed to join a Cyber team within an end user. The PCI- DSS Security Consultant will have end to end responsibility for PCI - DSS and its continuing certification. Both from an information security and technical security perspective working alongside the CISO. Experience must include, but not be limited to; a mix of Information Security standards, frameworks, audit principles, controls / policies and the management and use of the technical tooling to achieve compliance. PCI objectives / 12 key requirements, OWASP top 10, ISO 27001, NIST Cybersecurity Framework etc An ideal candidate will be working within an end user environment with a cyber consultancy background. PCI Cloud compliance, specifically someone with experience taking PCI-DSS from on premise into the cloud is HIGHLY desired. However, someone with Solid PCI experience with a strong technical background which include Cyber / Secure by design etc would be considered. Experience managing internal stakeholders and external third parties essential. Flexible working, but with the ability to get into London. This is an exclusive role to DCL Search & Selection. 1st stage interviews to happen the week of the 14th September Arrange a call with Chris on https://calendly.com/chris-holt/arrange-a-call-chris-dcl-pci-compliance