European football (soccer) is often called the "beautiful game," but the security threats and challenges faced by the Football Association of Wales (FAW) are far from pretty. The governing body is responsible for protecting the integrity of the sport in Wales, and technological advancement has raised the priority of safeguarding sensitive information, player data, and operational systems from cyber risks. An effective game plan for kicking cyber threats out of play is therefore key to the smooth running of the organisation, Evren Karaibrahimgil, ICT manager at the FAW, tells CSO.

[Image: Evren Karaibrahimgil, FAW ICT manager. Football Association of Wales]

"The cybersecurity challenges the FAW has faced over the past 12 months have mainly been keeping on top of end-user awareness, identifying potential vulnerabilities, and ensuring all aspects of our infrastructure are secure - both local and cloud-based," Karaibrahimgil says. This encompasses security for all hardware (firewalls, switches, APs, servers) across the FAW's three sites and its Office 365 tenancies, overseeing end-user awareness and education, and ensuring all third-party suppliers and providers are compliant, he adds.

Third-party access, hacking among FAW's biggest cybersecurity threats

Third-party access and hacking are among the biggest cybersecurity threats the FAW faces right now, Karaibrahimgil says. The former centres around a lack of control of third-party environments, while the latter would most likely materialize through an end user's Office 365 account via an email, he says. "While our third-party providers all operate in secure environments, we have no control over their infrastructures and no way of knowing of any vulnerabilities they might have."

User awareness, 2FA, access control key to addressing FAW's security risks

The team has taken several approaches to addressing the challenges and risks it faces in the last year or so, with educating end users the biggest hurdle to overcome - particularly in relation to identifying phishing emails, Karaibrahimgil says. "Whilst we can bolster our cybersecurity infrastructure, we cannot eliminate junk/phishing emails 100% as some always slip through. Educating end users on identifying these emails can be challenging as not everyone can spot them easily, or [they aren't] as IT aware." End user awareness is crucial to identifying malicious emails, and the FAW ran a cybersecurity awareness course provided by the Union of European Football Associations (UEFA) to ensure users can distinguish between real and fake emails, along with working with new cybersecurity partner PureCyber in this area, Karaibrahimgil says.

"We have been using 2FA on our Office 365 tenancy for quite some time, but now we enforce it across the board for all accounts and hardware. We also employ the usual commonplace policies such as strong passwords, regular password changes, and the inability to use the same password again. This ensures users don't have weak or stale passwords, and drastically reduces the risk of hacking." The FAW also employs DMARC and SPF DNS records on all its domains to ensure there can be no email spoofing, which is imperative, Karaibrahimgil adds.
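SPF and DMARC only stop spoofing when the records are actually configured to fail or reject unauthorised mail; a record with `~all`, `p=none`, or no `rua` address quietly leaves the door open. The following is an added example (not the FAW's or PureCyber's tooling) that parses SPF and DMARC TXT records and lists the settings that would still let spoofed mail through. The records are constructed samples held in a dictionary; the `lookup` callable is a stand-in for a real DNS TXT query, and the SPF lookup count does not follow `include:` chains.

```python
"""Check a domain's SPF and DMARC TXT records for settings that still permit spoofing."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample records standing in for DNS answers (not any real domain's records).
# A real check would query TXT records, e.g. with dnspython, instead of reading this dict.
SAMPLE_TXT: Dict[str, str] = {
    "strong.example": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    "weak.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:postmaster@weak.example",
    "nodmarc.example": "v=spf1 +all",
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Return the qualifier on 'all' and the number of lookup mechanisms in one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier: Optional[str] = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_domain(domain: str, lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Return findings that weaken anti-spoofing for the domain; an empty list means no gaps found."""
    findings: List[str] = []
    spf = lookup(domain)
    if spf is None:
        findings.append("SPF: no record; receivers cannot check which hosts may send for the domain")
    else:
        parsed = parse_spf(spf)
        qualifier = parsed["all"]
        if qualifier is None or qualifier in ("+", "?"):
            findings.append("SPF: 'all' is permissive or missing; any host passes SPF")
        elif qualifier == "~":
            findings.append("SPF: softfail (~all); spoofed mail is only marked, not rejected")
        if parsed["lookups"] > 10:
            findings.append("SPF: more than 10 lookup mechanisms; receivers return permerror")
    dmarc = lookup("_dmarc." + domain)
    if dmarc is None:
        findings.append("DMARC: no record; SPF/DKIM failures carry no delivery policy")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua address; no aggregate reports on who is spoofing the domain")
    return findings


if __name__ == "__main__":
    for name in ("strong.example", "weak.example", "nodmarc.example"):
        print(name, assess_domain(name, SAMPLE_TXT.get) or ["no gaps found"])
```

Swapping `SAMPLE_TXT.get` for a function that queries live TXT records turns this into a quick audit of every domain an organisation owns, which is what "on all its domains" implies in practice.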

External access control has also come under review, as have data backup and migration. The FAW team disabled external access to its firewall, restricting and locking it down to only specific IP addresses. Meanwhile, all servers and data are backed up locally and to the cloud, with the organisation in the middle of migrating its files to SharePoint. "All our SharePoint and Office 365 data is now also being backed up by PureCyber, which has given us added resiliency in case of a catastrophic event," says Karaibrahimgil.