Information Security Gaps in Professional Sports

September 8, 2015 | Insider Threat

In the past year, scandals such as “Deflategate” have attracted significant media attention to the world of professional sports. While accusations of cheating may grab headlines, there is another story developing below the surface in this highly lucrative industry: the necessity of good information security practices.

Secure Messaging

The NFL-commissioned Ted Wells investigation into the New England Patriots’ alleged tampering with game balls was unprecedented in that it summoned and published the text message history of two Patriots employees along with the team’s star quarterback. Had the team adopted a secure mobile communications platform, investigators and subsequent media outlets would not have unearthed a string of text conversations that have since become the object of public speculation. A secure mobile communications platform that is fully encrypted, self-destructing, and forensically irretrievable is both highly effective and simple to employ. Utilizing open source tools to improve an organization’s information security is not nefarious or evasive; it’s just good business, and it should be standard practice.

Eavesdropping and Surveillance Prevention

The threat of technical surveillance is another commonly overlooked information security risk in professional sports. Eavesdropping entered the national discourse recently when former Indianapolis Colts head coach Tony Dungy admitted that quarterback Peyton Manning would escape to the hallway to discuss strategy during away games based on suspicions that the visiting locker rooms were “bugged.” While Manning’s suspicions were not the product of a confirmed threat, any organization can determine whether or not they are under surveillance by implementing technical surveillance countermeasures (TSCM). A preventive strategy is key to maintaining security in the workplace. Much like purchasing insurance, organizations can afford their personnel peace of mind by investing in TSCM. For an organization with billions of dollars in annual revenue, this should be the standard of information security.

Cybersecurity

Earlier this summer, a controversy between the St. Louis Cardinals and the Houston Astros brought cybersecurity into the public eye through the medium of professional sports. Cyber espionage at the professional level enables significant swings in competitive advantage through the acquisition of game strategies, injury reports, trade deals, sponsorships, and other proprietary information. Teams are not the only actors in this space: league offices, player unions, athletes, and agents stand to benefit from valuable competitive intelligence. For example, agents could garner higher contracts for their clients if they had access to internal deliberations conducted over email, while teams could do the same in return. Sponsorships are also at stake: recently, agents have succeeded in leveraging sponsors into more favorable deals at the negotiating table by viewing player contracts from rival agency servers. As the threat of cyber espionage grows and the number of incidents increases, any party acting in this space should protect itself by adopting a strong information security strategy.

Athletes: Targets and Liabilities

Studies have shown that even a firm’s most junior employees are prime targets for attackers. Athletes, however, face a dual threat: they not only find themselves at the heart of a multi-billion-dollar industry where different actors are constantly seeking a competitive advantage, but many are also ultra-high-net-worth individuals whose personal lives are susceptible to the same probing that any other celebrity would experience. Embarrassments range from Pablo Sandoval being benched after liking photos on Instagram during a game to compromising photos of Hope Solo circulating on the Internet after last year’s iCloud data breach. Employee education is a critical element of any corporate information security strategy, but so far professional sports organizations have failed their athletes.

In turn, any athlete may constitute a bigger threat to the organization. An unsecured tablet containing the team’s playbook may easily be hacked or stolen from an ill-instructed player. More maliciously, a player who is traded or waived may decide to hang on to his departing team’s digital information and bring it to his new clubhouse. Athletes themselves can be viewed as liabilities and may require risk mitigation. Organizations need robust policies and procedures that take into account the human element of information security.

Integrated Solutions

Billion-dollar sports franchises and their high-profile athletes will continually be targeted by industry insiders and outsiders alike. Unless organizations and athletes take genuine steps to educate themselves and protect their information, individual gaffes and public blunders will continue to make headlines. As with any industry, there is no such thing as a turn-key, all-in-one security product. Solutions for professional sports organizations and athletes must be customized to address specific needs and vulnerabilities. By integrating and standardizing secure mobile communications, TSCM, cybersecurity solutions, and educational initiatives, players and organizations can spend less time worrying about their information security and more time winning games and earning the loyalty of their fanbases.