Large-scale events are becoming increasingly dependent on digital technologies. Cyber attacks that threaten the confidentiality, integrity, or availability of these systems can lead to significant disruptions, resulting in both financial losses and damage to reputation.
This guide provides a framework for integrating Cyber Risk Management processes into the planning of major events. While the focus is on major events, the strategies and procedures discussed can also be useful for general event planning.
This document should be reviewed alongside the detailed guidance indicated throughout.
Core Principles
There are three main principles that should guide your approach to cybersecurity:
- Value Addition: Your cybersecurity strategy should enhance the overall safety and success of the event.
- Proportionality: The security measures implemented should correspond to the level of risk involved.
- Alignment: Your plan must be coordinated with, and agreed by, key stakeholders.
Initial Assessment Phase
At the beginning, it is essential to pinpoint the cybersecurity decisions that need to be made, identify the individuals responsible for these decisions, and gather the information necessary for informed decision-making.
- For major sporting events, this includes identifying key venues, governing bodies, IT service providers, and broadcasters. Many of these stakeholders will be part of your Local Organising Committee (LOC). For larger events, establishing a dedicated working group for cyber security coordination may be necessary.
- It is crucial to identify and contact the party responsible for securing your event, which is often the Local Authority Safety Advisory Group (SAG).
- The event must maintain a Risk Register. If you do not manage this document, ensure you reach out to those who do.
With assistance from your team, you should undertake a comprehensive assessment, ensuring that your cyber security approach is appropriate to the identified risks.
The Risk Management processes detailed below will guide you in determining a suitable approach for your event.
Risk Management
The following three-step process will assist you in identifying:
- The digital technologies and systems critical to your event
- The potential attackers
- The vulnerabilities that may exist
This analysis will help you determine which assets require protection.
1. Impact: What are you trying to prevent?
Your cybersecurity strategy should be guided by the impacts you are trying to avert.
Begin by cataloging the systems, data, and technologies essential to your event. Consider the following questions:
- Are there technologies that must function for the event to proceed? (e.g., ticketing systems, security checks, internet connectivity)
- What are your contractual obligations? Which systems are vital to fulfilling those obligations? (e.g., timelines for broadcasting content)
- Are you handling sensitive data? (personal, financial) If so, what might be the consequences of this data being lost, stolen, or rendered inaccessible?
A systematic approach should yield a prioritized list. Next, you need to evaluate the implications of these systems being compromised or rendered unavailable.
Understanding what you value and why it matters will assist in identifying what needs safeguarding.
Refer to the NCSC’s risk management guidance and supply chain security guidance for further details.
2. Threats: Who are the potential attackers?
A ‘Threat’ refers to an individual, group, or situation that could potentially lead to an impact.
Understanding the specific threats to a given event often requires in-depth analysis, but the following guidance can provide a baseline:
- Generic Attacks: All organizations and events are susceptible to generic attacks that exploit fundamental vulnerabilities using common hacking techniques.
- Targeted Attacks: Some events may attract attention from cybercriminals aiming to steal financial or personal information or disrupt the event. Consult ‘How Cyber Attacks Work’ for more on targeted attacks.
- Methodology: Most cyber incidents can be prevented through known techniques. References like ‘The Cyber Threat to UK Business’ and ‘Weekly Threat Reports’ will keep you informed on recent trends.
- Internal Threats: Not all threats come from outside. Major events involve many stakeholders and often temporary staff, necessitating the incorporation of internal threats into your evaluation. Consider ‘Reducing Insider Risk’ for further insights.
- Learn from Past Events: Collaborate with stakeholders and industry peers to determine if similar events have encountered cyber attacks in the past. Additionally, ascertain whether your partners and suppliers have previously been targeted.
With appropriate research, you should be able to create a baseline threat assessment. For instance, if your assessment suggests your event is unlikely to be intentionally targeted, you may determine that basic vulnerabilities pose the biggest risk.
Conversely, if similar past events experienced attacks from organized criminal groups, your threat level may be higher, requiring specific countermeasures.
It’s vital to note that even targeted attacks frequently utilize basic strategies, such as phishing attempts.
3. Vulnerabilities: How secure are your essential systems?
A ‘Vulnerability’ denotes a weakness that could allow a threat to materialize, whether intentionally or accidentally.
The final stage of assessment involves identifying vulnerabilities.
Overlay your critical systems (see Impact) against the capabilities of potential attackers (see Threats).
Then evaluate whether the existing security measures for each critical system are suitable relative to the identified threats. Remember, many cyber attacks are preventable with basic protective controls in place – see ‘Common Cyber Attacks: Reducing the Impact’.
For Systems Provided by Third Parties
Determine which third parties supply your key systems, and gain a comprehensive understanding of their cybersecurity status.
A solid first step is to inquire whether your providers hold any recognized security certifications (e.g., Cyber Essentials, Cyber Essentials Plus, ISO 27001). Certification indicates a supplier’s commitment to cybersecurity. Follow up with discussions about their security arrangements for the event, as they may differ from standard operating practices.
If suppliers lack certifications, you’ll need to invest time in understanding their cybersecurity posture. From an IT infrastructure viewpoint, employing the Cyber Essentials framework can help frame your discussions:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
For online service providers (e.g., ticketing platforms), discussions should center on common web application security challenges. The OWASP Top 10 serves as a valuable resource.
If any suppliers or stakeholders cannot meet your security standards, update the Event Risk Register and consider alternative mitigations. The Supply Chain Security collection provides thorough advice on managing supply chain risks.
For Internally Managed Systems
If your critical systems are internally managed, consult the system owner about security using the processes outlined earlier.
Understand how your organization’s systems will interface with third-party solutions, as additional security measures may be necessary. The NCSC also provides guidance on network security.
Cyber Incident Management
Despite thorough preventive efforts, preparing for potential cyber incidents is essential.
Making decisive choices during a crisis can be challenging. Therefore, Cyber Incident Response planning should be a component of your event’s contingency measures.
Prior to the event, all involved staff should be well-informed about the following:
- The assessed cyber threats associated with the specific event (derived from the Risk Assessment)
- The protocols established to address cybersecurity incidents during the event
- Your organization’s incident response plans
- The procedure for reporting a cybersecurity incident
Internal and external reporting mandates should be clearly defined in your incident management strategy.
For further details, see 10 Steps to Incident Management and the NCSC’s Incident Management pages.
Testing and Drills
Regular testing and drills are crucial for ensuring that your stakeholder group is well-prepared to handle cyber incidents.
Consider the appropriateness of cyber-specific exercises. At a minimum, incorporate cybersecurity into readiness training.
For “Mega Events” (e.g., The Commonwealth Games, Olympics, major World Cups), participation in national-level cyber drills may be necessary leading up to the event. All exercises should be designed in light of the anticipated threat landscape, which can be referenced from the Risk Register and Cyber Risk Assessment.
Staffing and Resource Management
Strategic decisions regarding operational staffing for the event must be made. Align your plans with your stakeholder group, particularly those utilizing or providing the digital systems and services integral to the event. Important considerations include:
- During most events, extended working hours will be necessary. Integrate cybersecurity management from the outset, and make it clear who the primary point of contact is across shifts.
- Once internal staffing plans are set, harmonize these arrangements with your stakeholder group. Can they approach the event as ‘business as usual’? If not, identify what additional measures are required.
- Ensure your Service Level Agreements (SLAs) with suppliers can accommodate cyber incident responses during the event. SLAs may require adjustments to align with different operational needs. Additional advice can be found in NCSC’s Supply Chain Security guidance.
- During the event build phase, external contractors and volunteers may supplement your workforce. Educate temporary staff on the cyber security protocols for the event.
- In the event of a cyber incident, consider alternate plans for operational continuity. Determine if staff can be redeployed, and what skills and equipment would be necessary.
- Will you need to report information to central agencies during the event? Prepare plans accordingly.
Event Preparation Checklist
A convenient pre-event checklist for your cybersecurity preparations
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/cyber-security-for-major-events