Major events like the Super Bowl and the Olympics come with major cyber-risk. For TechRepublic and ZDNet, I'm Dan Patterson with Emy Donavan. She is the head of cybersecurity for Allianz Global and Corporate Specialty.
Emy, it's one thing to say that major events like the Olympics and Super Bowl have cyberrisk, but can you help us understand the particulars, the specific types of threats and security measures taken during these events?
Donavan: Sure. I think that it's really interesting. You've got physical security issues potentially associated with ticketing. You could have malicious actors try to mimic the ticket information so that they could gain access to events in areas where they're not necessarily supposed to go, so that's definitely a particular concern that we're starting to see, especially with more electronic ticket usage for these events and things like that. That carries with it a risk.
Don't get me wrong, you still have that risk with paper tickets, but it becomes more easy to mimic the sort of passes that you might need rather than having a giant VIP thing around your neck. In some instances you're using your phone to access certain areas within these large events, so that can be particularly a concern around security.
Additionally, we have a ton of issues where you'll see clients concerned, and this is clients who are giving large events, large-scale events, whether that be the Olympics, the Super Bowl, it could be at the Grammys, or even just large music events and things like that, you see very similar sorts of concerns where you could have someone wanting to just take down the event to cause general malicious mischief, right? To make it so that no one can watch at home. That can create income loss around the advertisers that are using the Olympics or the Super Bowl as venue, which can create real costs for the promoters and the committees that put on these giant events.
Those are some primary concerns that are top of mind when we look at this. We can see potential broadcast disruption among other things. When you look specifically to—not so much the Super Bowl, because they've got referees and they can reexamine tape and things like that, it's less concerning than with the Olympics where you could find yourself in a situation where someone wanted to rig the game for a particular contestant or otherwise.
It's interesting since Russia won't be officially sending delegates in the state capacity. I'm very intrigued to see kind of what ends up happening there since they are typically considered to be very active in these sorts of cybercampaigns on a state level.
I think that there's definitely the potential there for things like with the winter Olympics, timing on the finish line, when they cross downhill skiing or otherwise. If those sorts of things got tampered with it wouldn't do anything other than give the gold medal to the wrong person, but it could potentially be something that people would want to kind of focus on and see if they can make change to. Even if they didn't have a reason, just to see if they could in some instances.
Patterson: Emy, take us behind the scenes. What are some security protocols and infrastructure that major events like the Olympics and Super Bowl use to fend off the types of attacks you just described?
SEE: Infographic: Almost half of companies say cybersecurity readiness has improved in the past year (Tech Pro Research)
Donavan: I should say that I'm not specifically involved with either the Super Bowl or the Olympics in terms of the Olympic Committee individual security controls that they have in place. I can definitely make assumptions.
One of the things that we really see would be the security of the internal network. Let's start with the Olympics, right? The security of the internal network and what sort of IoT devices they have to capture these finish line-type times and things like that to make sure that there's not necessarily a significant amount of external vulnerability.
Keeping that behind firewalls, making sure that it's not accessible through outside servers in any sort of way, and really managing that on-site. That creates some additional perils potentially, because then you lose some of the redundancies of having additional network kind of support, but those are the general controls I would expect around the sportsman-like activities associated with these.
When you talk about then physical security and things like that, having things like the physical equivalent of dual-factor authentication, and requiring additional visual signaling that this is the right person to be in the right place, and those sorts of things, validation.
I will say this, the Super Bowl and the Olympics have a very good history of maintaining quite high security with very, very few expectations, right? I think that there was a bit of a bomb scare at the Olympics in Atlanta in '96, which was still quite well-handled, and there have been a couple of other incidents on one-off basises.
Considering the size of these events, the fact that we don't see more is actually indicative of how strong the security posture and the consideration of these things are at the level of the event organizers on down to the people who are punching tickets.
SEE: System update policy template (Tech Pro Research)
Patterson: Often companies put on large events or their employees attend large events, so even if it's not something major like the Super Bowl or Olympics what are some best practices that companies, whether they're SMBs or large enterprise companies, can take away from watching how security's handled at major events and protect themselves?
Donavan: It's a good question. Most companies don't have the same sort of visibility that the Olympics or the Super Bowl would draw, but the important thing for them to remember is just because they are not broadcasting to 100 million people or whatever the case is it doesn't mean that they cannot be targets for similar sorts of threats in terms of ransomware events that could just lock up all of the systems and make it so that they can't function in their daily activities, which would be similar to if they put a ransomware sort of event on all of the timers and different functions that are necessary for conducting the races and different competitions.
One of the things that I think people need to remember often, and one of the basic things that I remind SMBs a lot, is always exercise patches. If things like WannaCry, Spectre, Meltdown, all of these things that are in the news recently remind us of anything it's the importance of maintaining patches in a timely manner, right?
Don't keep hitting later, later, later tonight. Having some sort of control around that I think SMBs especially can have a real benefit from just electing a forced restart after two delays, right? On all of their endpoint devices. Those sorts of things can make real differences.
I'll tell you, on a very honest personal level, I have been very tempted in the past to just keep hitting delay, delay, delay because I'm on the phone, I'm doing an interview with you, I'm doing whatever. Then suddenly you realize it's been three days and actually now I could have a potential very significant vulnerability on my device or network.
That's kind of the low-hanging fruit. Something that I think a lot of SMBs don't realize is malicious actors can just troll the web and find which companies and networks have these sort of vulnerabilities, so they don't ever have to have heard your name before. You don't have to be the Olympic Committee, you don't have to be the NFL, for people to want to target you. They'll just know that they can take advantage of your network, and so they do it.
- Winter Olympics 2018: When they start, how to stream and more (CNET)
- Cyberattacks are third largest threat to global society over next 5 years (TechRepublic)
- Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- IT leader's guide to the threat of cyberwarfare (Tech Pro Research)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.