It’s not often that football and cybersecurity are mentioned in the same sentence. But with endless streams of data being collected by teams to inform their strategies both on and off the pitch, a cybersecurity incident could be catastrophic. The question is: who is top of the football cybersecurity league?
New York-based IT firm SecurityScorecard, which uses AI to rate the cyber hygiene of any company in the world, turned its rating platform towards the footballing world and ranked the teams in order of their cybersecurity posture.
And it found that Brighton & Hove Albion FC has the best defence in the Premier League – at least when it comes to fending off cyberattacks.
While Chelsea currently sits 4th in the league, it does not fare well for its cybersecurity and sits bottom of the rankings.
SecurityScorecard also analysed the cyber hygiene of Germany’s Bundesliga and Spain’s La Liga. And among all three leagues, a similar pattern emerged: the higher the club sits in the league, the worse their cybersecurity posture tends to be.
Southampton FC, for example, languishes near the bottom of the Premier League table but has the third best cybersecurity (league standings accurate as of 1st December 2018).
In the Bundesliga, Borussia Dortmund sits top of the footballing league but bottom for its cybersecurity. The same is also true of La Liga’s Sevilla FC.
Why does it matter if a football team has strong cybersecurity?
A few decades ago, it wouldn’t have mattered very much. But today, football teams have increasingly large digital footprints.
“We have so much more data about players,” says Matthew McKenna, VP EMEA at SecurityScorecard and the man behind the research. “Every match is being filmed, all training games are being filmed, all match day games are being filmed.
“We have blood test data, we have fitness level data. There’s just so much critical data now about these players that is at risk of exposure.”
Arsenal, for example, collects around 8 terabytes of data a year from training sessions alone.
Then there’s customer data, such as phone numbers, addresses and payment details. For some of the biggest teams, those databases can contain hundreds of thousands of people.
And with Manchester City’s turnover surpassing half a billion pounds, the 4% fine threatened by GDPR could prove very costly to a team suffering a data breach.
Some of the bigger clubs, such as Manchester United, Arsenal and Juventus, are publicly listed companies. A hack like the one on Real Madrid’s Twitter page, which claimed Lionel Messi was headed to Madrid, can send shockwaves through a club’s share price.
Then there’s scouting information and email correspondence, both of which are at risk from hacks that could scupper a multi-million-pound transfer deal.
“There’s a lot of money at stake here for the protection of this data,” says McKenna, who played semi-professional football in both Germany and Finland in the 90s.
To rank the football clubs, SecurityScorecard looked at ten criteria. These include network security, DNS health, application security, patching bands, IT reputation, exposed administrator domains, leaked credentials, social engineering and hacker chatter.
It took all of these factors into account and compared football teams in the English Premier League, German Bundesliga and Spanish La Liga.
Here’s how they stack up:
(All standings accurate as of 01/12/18)

| Position | Premier League standings | Cyber standings |
|---|---|---|
| 1 | Manchester City | Brighton & Hove Albion |
| 3 | Tottenham Hotspur | Southampton FC |
| 4 | Chelsea FC | Huddersfield Town |
| 6 | Everton FC | Crystal Palace |
| 7 | Manchester United | Newcastle United FC |
| 8 | Leicester City | Liverpool FC |
| 9 | AFC Bournemouth | Leicester City |
| 10 | Watford FC | Manchester City |
| 11 | Brighton & Hove Albion | West Ham United FC |
| 12 | Wolverhampton | Cardiff City FC |
| 13 | West Ham United FC | AFC Bournemouth |
| 14 | Crystal Palace | Tottenham Hotspur |
| 15 | Newcastle United FC | Manchester United |
| 16 | Cardiff City FC | Arsenal |
| 17 | Huddersfield Town | Everton FC |
| 18 | Southampton FC | Fulham FC |
| 19 | Burnley FC | Watford FC |
| 20 | Fulham FC | Chelsea FC |

| Position | La Liga standings | Cyber standings |
|---|---|---|
| 1 | Sevilla FC | Villarreal CF |
| 2 | FC Barcelona | RCD Espanyol |
| 3 | Atletico Madrid | Girona FC |
| 4 | Deportivo Alaves | SD Huesca |
| 5 | Real Madrid | Celta Vigo |
| 6 | RCD Espanyol | SD Eibar |
| 7 | Getafe CF | Getafe CF |
| 8 | Girona FC | Real Valladolid |
| 9 | Real Sociedad | Deportivo Alaves |
| 10 | Real Betis | Rayo Vallecano |
| 11 | Levante UD | CD Leganes |
| 12 | SD Eibar | Real Madrid |
| 13 | Celta Vigo | Levante UD |
| 14 | Valencia CF | FC Barcelona |
| 15 | Real Valladolid | Valencia CF |
| 16 | CD Leganes | Real Sociedad |
| 17 | Villarreal CF | Real Betis |
| 18 | Athletic Bilbao | Atletico Madrid |
| 19 | Rayo Vallecano | Athletic Bilbao |
| 20 | SD Huesca | Sevilla FC |

| Position | Bundesliga standings | Cyber standings |
|---|---|---|
| 1 | Borussia Dortmund | Werder Bremen |
| 2 | Borussia Monchengladbach | VFL Wolfsburg |
| 3 | FC Bayern Munich | Schalke 04 |
| 4 | Eintracht Frankfurt | Fortuna Dusseldorf |
| 5 | RB Leipzig | RB Leipzig |
| 7 | Hertha BSC Berlin | Hannover 96 |
| 8 | Werder Bremen | Borussia Monchengladbach |
| 10 | VFL Wolfsburg | FC Bayern Munich |
| 11 | Schalke 04 | Hertha BSC Berlin |
| 12 | Bayer Leverkusen | SC Freiburg |
| 13 | SC Freiburg | Bayer Leverkusen |
| 14 | FC Augsburg | VFB Stuttgart |
| 15 | VFB Stuttgart | Eintracht Frankfurt |
| 16 | FC Nurnberg | 1899 Hoffenheim |
| 18 | Fortuna Dusseldorf | Borussia Dortmund |

Why do bigger clubs tend to fare worse in football cybersecurity rankings?
The findings show that overall, the three football leagues are doing “reasonably okay” when compared to all businesses.
“The concern is with those top teams that have the largest digital footprints out there, that are multi-million dollar a year businesses that probably need to take that little bit more focus on the cyber risk posture because they also have more to lose,” says McKenna.
“They’re the ones taking the majority of the television revenues, the commercial revenues, the media revenues. If I have more to lose, maybe I should consider investing more to protect that.”
But why do the larger teams tend to sit towards the bottom of the football cybersecurity rankings, despite their IT budgets being bigger in outright terms?
One explanation is their larger digital footprints.
“They’re internationalising heavily to build out their brand and as a result they’re also expanding their digital footprint at a global level and they’re leveraging more digitalisation tools as well as they go forward.
“So they have a lot more digital assets and ground to cover and more complexity to the coverage. And with that exposure, maybe they don’t have the same level of cyber maturity that traditional businesses have.”
Another reason is that bigger clubs are more likely to be targeted.
“Some companies with excellent cybersecurity ratings still get breached, because they’re being targeted,” says McKenna. “And some companies with extremely poor cybersecurity ratings will not get breached, because they’re not being targeted. So it’s there to give us a general indication of cyber health.”
Worryingly, regulatory compliance was severely lacking across all three leagues, with both the Bundesliga and La Liga scoring 0% for GDPR compliance.
“Cybersecurity is probably not an extremely day-to-day topic inside professional football teams,” says McKenna.
“They’re worried about winning the next game, what players they’re going to recruit, merchandising, these types of things.
“Cybersecurity is probably not up in their top five, but at the same time, when you start thinking of things like GDPR fines and things like that, it’s potentially a significant amount of money that can impact their business if they don’t take care of the issues from a cyber perspective.”