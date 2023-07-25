Americas

  • United States

Asia

Europe

Oceania

Popular Topics

Topics

About

Policies

Our Network

More

HomeHow the Football Association of Wales gives cyber threats the boot
mhill
by Michael Hill
UK Editor

How the Football Association of Wales gives cyber threats the boot

Feature
Jul 25, 20235 mins
Access ControlThreat and Vulnerability Management

For the FAW, an effective cybersecurity game plan includes access control and end-user awareness training.

Soccer ball sitting in the grass
Credit: Thinkstock

European football (soccer) is often called the "beautiful game," but the security threats and challenges faced by the Football Association of Wales (FAW) are far from pretty. The governing body is responsible for protecting the integrity of the sport in Wales, with technological advancement increasing priorities around safeguarding sensitive information, player data, and operational systems from cyber risks. This makes an effective game plan for kicking cyber threats out of play key for the smooth running of the organisation, Evren Karaibrahimgil, ICT manager at the FAW, tells CSO.

Evren Karaibrahimgil

Evren Karaibrahimgil, FAW ICT manager

Football Association of Wales

"The cybersecurity challenges the FAW has faced over the past 12 months have mainly been keeping on top of end-user awareness, identifying potential vulnerabilities, and ensuring all aspects of our infrastructure are secure - both local and cloud based," Karaibrahimgil says. This encompasses security for all hardware (firewalls, switches, APs, servers) across the FAW's three sites, its Office 365 tenancies, overseeing end user awareness and education, and ensuring all third-party suppliers and providers are compliant, he adds.

Third-party access, hacking among FAW's biggest cybersecurity threats

Third-party access and hacking are among the biggest cybersecurity threats the FAW faces right now, Karaibrahimgil says. The former centres around a lack of control of third-party environments, while the latter would most likely materialize through an end user's Office 365 account via an email, he says. "While our third-party providers all operate in secure environments, we have no control over their infrastructures and no way of knowing of any vulnerabilities they might have."

User awareness, 2FA, access control key to addressing FAW's security risks

The team has taken several approaches to addressing the challenges and risks it faces in the last year or so, with educating end users the biggest hurdle to overcome - particularly in relation to identifying phishing emails, Karaibrahimgil says. "Whilst we can bolster our cybersecurity infrastructure, we cannot eliminate junk/phishing emails 100% as some always slip through. Educating end users on identifying these emails can be challenging as not everyone can spot them easily, or [they aren't] as IT aware." End user awareness is crucial to identifying malicious emails, and the FAW ran a cybersecurity awareness course provided by the Union of European Football Associations (UEFA) to ensure users can distinguish between real and fake emails, along with working with new cybersecurity partner PureCyber in this area, Karaibrahimgil says.

"We have been using 2FA on our Office 365 tenancy for quite some time, but now we enforce it across the board for all accounts and hardware. We also employ the usual commonplace policies such as strong passwords, regular password changes, and the inability to use the same password again. This ensures users don't have weak or stale passwords, and drastically reduces the risk of hacking." The DAW also employs DMARC and SPF DNS records on all its domains to ensure there can be no email spoofing, which is imperative, Karaibrahimgil adds.

External access control has come into purview, too, as has data backup and migration. The FAW team disabled external access to its firewall, restricting and locking it down to only specific IP addresses. Meanwhile, all servers and data are backed up locally and to the cloud, with the firm in the middle of migrating its files to Sharepoint. "All our Sharepoint and Office 365 data is now also being backed up by PureCyber, which has given us added resiliency in case of a catastrophic event," says Karaibrahimgil.

Infrastructure monitoring, pen testing, Cyber Essentials among cybersecurity priorities

The FAW's chief cybersecurity priorities right now are continuing to engage with users on awareness, addressing hardware security, and reviewing and monitoring of the infrastructure, Karaibrahimgil says.

"In the event of a breach, we must ensure the swift security of end user laptops and make sure no malicious activity takes place. We now have this covered in a manner where we can manage, control, and shutdown devices, almost in real time and remotely. This has drastically reduced the risk of any malicious activity resulting from a potential hack/breach."

Regular review and monitoring of FAW's infrastructure is crucial to ensuring it can identify and address any potential cybersecurity flaws and issues before they happen, Karaibrahimgil adds. "With IT being a dynamic environment, our infrastructure landscape changes all the time, and with these changes we must ensure there are no potential vulnerabilities." This will be a key priority moving forward, too, he says, especially in relation to security risks emanating from the FAW's external infrastructure such as hosting companies, websites, and external systems. "In working with external companies, we need assurance that they are cybersecurity compliant and resilient - any potential preaches could be catastrophic, especially from a data protection perspective."

The FAW plans to engage in annual penetration testing, both internally and externally, to identify any potential vulnerabilities within the company as well as its partners, along with engaging with the Cyber Essentials certification program, aiming to complete it fully over a 36-month period, Karaibrahimgil says.

mhill
by Michael Hill
UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author

Most popular authors

Show me more

feature

How the Football Association of Wales gives cyber threats the boot

By Michael Hill
Jul 25, 20235 mins
Access ControlThreat and Vulnerability Management
Image
news analysis

Threat actors actively exploiting critical flaw in NetScaler ADC devices

By Lucian Constantin
Jul 24, 20235 mins
CyberattacksZero-day vulnerabilityNetwork Security
Image
news

Vast majority of organizations are no longer vulnerable to MOVEit

By Apurva Venkat
Jul 24, 20234 mins
Application SecurityVulnerabilities
Image
podcast

CSO Executive Sessions Australia with Simona Dimovski, CISO at Helia

Jul 17, 202315 mins
CSO and CISO
Image
podcast

CSO Executive Sessions Australia with Chris Mace, CISO for the New South Wales Public Service Commission

Jul 10, 20239 mins
CSO and CISO
Image
podcast

CSO Executive Sessions / ASEAN: Hieu Minh Ngo on top cybersecurity vulnerabilities to watch out for

Jul 10, 202316 mins
CyberattacksCybercrime
Image
video

CSO Executive Sessions Australia with Simona Dimovski, CISO at Helia

Jul 17, 202315 mins
CSO and CISO
Image
video

CSO Executive Sessions Australia with Chris Mace, CISO for the New South Wales Public Service Commission

Jul 10, 20239 mins
CSO and CISO
Image
video

CSO Executive Sessions with Daniela Fernandez, Head of Information Security for PayPal Australia

Jul 07, 202315 mins
CSO and CISO
Image