Major Events are increasingly reliant on digital systems and technology. Cyber attacks that affect the confidentiality, integrity or availability of these systems can have a disruptive impact, resulting in financial and reputational damage.
This guide outlines how to incorporate Cyber Risk Management processes into Major Event planning. It is aimed at organisations running large scale sporting events, but the steps and processes outlined can be incorporated into general event planning.
This document should be read in conjunction with the detailed guidance signposted throughout.
There are three overarching principles that should define your approach to cyber security:
- Add value – your approach to cyber security should contribute to the overall security and success of the event.
- Proportionate – the security measures you put in place should be proportionate to the risk.
- Aligned – your approach should be agreed and coordinated with key stakeholders.
At the outset you should identify the cyber security decisions that need to be made, the people who will make them, and the information required to make sensible and informed choices.
- Your first action should be to identify who is accountable for overall delivery of the event. You should ask them to outline what a successful event would look like. From this you can determine the systems and technologies that will be necessary and the cyber security measures needed to protect them.
- Next, you should identify those responsible for the technology and services underpinning the event. This will be your Stakeholder Group. For major sporting events, this will include host venues, governing bodies, IT suppliers and broadcasters. Many of these will sit on your Local Organising Committee (LOC). For larger scale events you may need to create a working group to specifically coordinate cyber security activities.
- You should identify and contact those with ultimate responsibility for the security of your event. This will often be the Local Authority Safety Advisory Group (SAG).
- The event will have a Risk Register. If you do not have charge of this document, it is essential to identify and contact those who do. You should ensure that cyber security is included from the outset by populating it with your core risks (e.g. the ticketing system is taken offline).
With the help of your Stakeholder Group you should conduct a Cyber Risk Assessment. This will help to ensure that your approach to cyber security is proportionate to the risk posed to the event.
The Risk Management processes detailed below will help you determine what constitutes a proportionate approach for your event.
The following three step process will help you identify:
- The digital technologies and systems that are critical to your event
- Who might attack them
- How they might be vulnerable
This information will allow you to narrow down what you must protect.
1. Impact: what are you trying to avoid?
Your approach to cyber risk management should be driven by the ‘Impacts’ you are trying to avoid.
Start by identifying the systems, data and technologies on which your event relies. The type of questions you might want to ask are:
- Is there technology that must be available for the event to function? (e.g. turnstiles, ticket machines, Wi-Fi, scoreboards, timing systems)
- What are your contractual commitments? Which systems are central to meeting your obligations? (e.g. event timings for broadcasters)
- Are you processing sensitive data? (personal, financial) If so, what if this data is lost, stolen or unavailable?
If you take a systematic approach, you should be able to produce a prioritised list. You then need to consider the impact of these systems being compromised or unavailable.
This basic understanding of what you care about, and why it's important, will help you identify what you must protect.
See the NCSC's risk management guidance and supply chain security guidance for more information.
A ‘Threat’ is the individual, group or circumstance which could cause a given impact to occur.
It can be challenging to develop an accurate assessment of the threat to a specific event without undertaking in-depth analysis. However, the following will help you develop a baseline threat picture:
- Commodity Attacks: All organisations and events, regardless of profile and size, are at risk from commodity attacks. These exploit basic vulnerabilities using readily available hacking tools.
- Targeted Attacks: Some events will be targeted by cyber criminals who, for example, intend to steal financial or personal information. Major events may also attract the attention of threat actors who intend to disrupt or discredit the event (e.g. by taking services offline). See 'How Cyber Attacks Work' for further information about targeted attacks.
- Methodology: Most attacks are preventable and use well-known techniques. ‘The cyber threat to UK business’ and ‘Weekly Threat Reports’ will help you understand the latest trends.
- Insider Threat: Not all threats are external. Major Events have multiple stakeholders and often rely on temporary contractors. It is essential that internal threats are incorporated into your assessment. See 'Reducing Insider Risk' for further information.
- Learn from Experience: Work with your stakeholders and industry contacts to identify whether similar events have historically experienced cyber attacks. You should also identify whether your stakeholders and suppliers have been independently targeted.
With some research, you should be able to develop a baseline threat assessment. For example, you may decide that your event is unlikely to be deliberately targeted, and that commodity attacks exploiting basic vulnerabilities are therefore the main threat.
Alternatively, you may discover that previous events of similar profile have been targeted by organised crime groups, in which case the threat is heightened and event-specific defensive measures are required.
It should be noted that most targeted attacks still use basic techniques, such as phishing emails.
3. Vulnerabilities: How secure are the computers, networks and systems you rely upon?
A ‘Vulnerability’ is a weakness that would enable an impact to be realised, either deliberately, or by accident.
The final stage of the process is identifying your vulnerabilities.
You should start by overlaying your critical systems (see Impacts) with the expected capabilities of any attackers (see Threats).
Next, you should focus on establishing whether the security controls for each critical system are appropriate for the threat. Remember, most cyber attacks are preventable if basic controls are in place - see ‘Common Cyber Attacks: Reducing the Impact’.
For systems supplied by third parties
You should identify who is supplying your critical systems and establish a clear picture of each supplier's cyber security posture.
A good starting point is to ask whether your suppliers hold any existing security certifications (e.g. Cyber Essentials, Cyber Essentials Plus, ISO 27001). Holding a certification indicates that the supplier has a proactive approach to cyber security. You should follow this up with a discussion about their security arrangements for the event, as this may differ from normal business.
If suppliers do not hold any certifications you will need to invest time to understand more about their security posture. From an IT infrastructure perspective, you may wish to use the Cyber Essentials themes as discussion points:
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
For providers of online services (e.g. ticketing website) you may want to focus your discussion on common web application security issues. The OWASP Top 10 is a good starting point.
If any of your suppliers/stakeholders are unable to meet your security expectations you should update the event Risk Register and consider mitigations. The Supply Chain Security collection offers detailed advice on how to manage supply chain risk.
For internally supplied or managed systems
If any of your critical systems are internally managed, you should discuss security with the system owner using the process outlined above.
It's important to find out how your organisation's systems will be integrated with third-party systems. Additional security controls may be required. The NCSC has guidance on network security.
Cyber incident management
No matter how much effort you have put into preventing cyber attacks, you should prepare for the worst.
Making good decisions is particularly difficult in a crisis, so Cyber Incident Response planning should feature in your contingency plans for the event.
By the time the event takes place all relevant staff should have sufficient understanding of the following:
- The assessed cyber threat to the specific event (based on the Risk Assessment)
- The mechanisms in place to deal with cyber security incidents at the event
- Your organisation’s incident response plans
- How to report a cyber security incident
You should also ensure that internal and external reporting requirements are clearly identified in the incident management plan.
See 10 Steps to Incident Management and the NCSC's Incident Management pages for further information.
Testing and exercising
Testing and Exercising is a key tool for ensuring your stakeholder group are comfortable dealing with cyber incidents.
You should consider whether cyber-focused exercising is appropriate and, if so, how many exercises will be needed. At the very least, you should incorporate cyber security into your readiness training.
For ‘Mega Events’ (e.g. The Commonwealth Games, Olympics, major World Cups) you may need to take part in national-level exercises prior to the event. All exercises need to be designed with due consideration of the likely threat picture. The baseline for this can be drawn from the Risk Register and the Cyber Risk Assessment.
Staffing and resourcing
You will need to make some decisions about your operational staffing plans for the event. You will also need to align your planning with your stakeholder group, especially those who are using or providing the digital systems and services your event will be relying on. Some of the key considerations are as follows:
- For most events, you and your staff will work extended hours. At the outset you should integrate cyber security management and ensure it is clear who the key point of contact (POC) is at all times (e.g. across shifts).
- Once internal staffing is agreed, you need to align these arrangements with your stakeholder group. Can your stakeholder group treat the event as 'business as usual'? If not, what enhancements will be required?
- Are your Service Level Agreements (SLAs) with suppliers flexible enough to cover cyber incident response during the event? SLAs may have to be amended to adapt to different working patterns. Detailed advice can be found here.
- In the event-build stage, your workforce will be supplemented by external contractors and volunteers. You must ensure that relevant temporary staff are aware of the cyber security arrangements for the event.
- In the event of a cyber incident you should consider fall-back options. Do you need the capability to deploy staff to work elsewhere? If so, what skills and equipment will those staff need?
- Are you required to submit information to central reporting points during the event? Have you planned for this?
Event preparation action list
Engagement & Governance Structure
- Map your stakeholder group for the event (host venues, governing bodies etc.)
- Contact stakeholders and decide if a cyber-focused working group is required
- Identify the security lead for the event and the Risk Register owner
- Ensure that a Cyber Security placeholder is included in the Risk Register
Identify which digital systems, technologies and data your event relies upon and consider the impact of these being compromised or unavailable
Develop a baseline threat assessment with your stakeholder group
Work with your stakeholder group and suppliers to identify vulnerabilities
Update the event Risk Register to reflect the key cyber security risks. It is essential that these are integrated into the overall risk management regime for the event
Incorporate potential impacts of cyber-attacks from your Risk Register into the event’s Contingency Plan
Incident Management planning
- Ensure relevant parties are aware of the cyber threat, both in general terms and anything specific to the event
- Ensure Incident Response plans for both the event and your own organisation are in place
- Ensure key personnel know how to report incidents
- Ensure a communications plan is in place
Testing & exercising
- Consider your readiness and testing requirements (e.g. tabletop through to full-scale exercise). Make simulations relevant to the Risk Register
- For ‘Mega Events’ contact the NCSC
- At minimum, include cyber security in your tabletop readiness exercise
- Integrate cyber security management into your staffing arrangements
- Coordinate plans with your stakeholder group
- Consider SLAs: Are they suitable for the event? Will suppliers react quickly enough in the event of an attack?
- Ensure relevant temporary staff (contractors, volunteers) are aware of the cyber security arrangements for the event
- Consider fall-back options in the event of an incident. If you need to deploy staff elsewhere what equipment will be required?