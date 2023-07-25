European football (soccer) is often called the \u201cbeautiful game,\u201d but the security threats and challenges faced by the Football Association of Wales (FAW) are far from pretty. The governing body is responsible for protecting the integrity of the sport in Wales, with technological advancement increasing priorities around safeguarding sensitive information, player data, and operational systems from cyber risks. This makes an effective game plan for kicking cyber threats out of play key for the smooth running of the organisation, Evren Karaibrahimgil, ICT manager at the FAW, tells CSO.\n\n\u201cThe cybersecurity challenges the FAW has faced over the past 12 months have mainly been keeping on top of end-user awareness, identifying potential vulnerabilities, and ensuring all aspects of our infrastructure are secure \u2013 both local and cloud based,\u201d Karaibrahimgil says. This encompasses security for all hardware (firewalls, switches, APs, servers) across the FAW\u2019s three sites, its Office 365 tenancies, overseeing end user awareness and education, and ensuring all third-party suppliers and providers are compliant, he adds.\n\nThird-party access, hacking among FAW\u2019s biggest cybersecurity threats\n\nThird-party access and hacking are among the biggest cybersecurity threats the FAW faces right now, Karaibrahimgil says. The former centres around a lack of control of third-party environments, while the latter would most likely materialize through an end user\u2019s Office 365 account via an email, he says. \u201cWhile our third-party providers all operate in secure environments, we have no control over their infrastructures and no way of knowing of any vulnerabilities they might have.\u201d\n\nUser awareness, 2FA, access control key to addressing FAW\u2019s security risks\n\nThe team has taken several approaches to addressing the challenges and risks it faces in the last year or so, with educating end users the biggest hurdle to overcome \u2013 particularly in relation to identifying phishing emails, Karaibrahimgil says. \u201cWhilst we can bolster our cybersecurity infrastructure, we cannot eliminate junk\/phishing emails 100% as some always slip through. Educating end users on identifying these emails can be challenging as not everyone can spot them easily, or [they aren\u2019t] as IT aware.\u201d End user awareness is crucial to identifying malicious emails, and the FAW ran a cybersecurity awareness course provided by the Union of European Football Associations (UEFA) to ensure users can distinguish between real and fake emails, along with working with new cybersecurity partner PureCyber in this area, Karaibrahimgil says.\n\n\u201cWe have been using 2FA on our Office 365 tenancy for quite some time, but now we enforce it across the board for all accounts and hardware. We also employ the usual commonplace policies such as strong passwords, regular password changes, and the inability to use the same password again. This ensures users don\u2019t have weak or stale passwords, and drastically reduces the risk of hacking.\u201d The DAW also employs DMARC and SPF DNS records on all its domains to ensure there can be no email spoofing, which is imperative, Karaibrahimgil adds.\n\nExternal access control has come into purview, too, as has data backup and migration. The FAW team disabled external access to its firewall, restricting and locking it down to only specific IP addresses. Meanwhile, all servers and data are backed up locally and to the cloud, with the firm in the middle of migrating its files to Sharepoint. \u201cAll our Sharepoint and Office 365 data is now also being backed up by PureCyber, which has given us added resiliency in case of a catastrophic event,\u201d says Karaibrahimgil.\n\nInfrastructure monitoring, pen testing, Cyber Essentials among cybersecurity priorities\n\nThe FAW\u2019s chief cybersecurity priorities right now are continuing to engage with users on awareness, addressing hardware security, and reviewing and monitoring of the infrastructure, Karaibrahimgil says.\n\n\u201cIn the event of a breach, we must ensure the swift security of end user laptops and make sure no malicious activity takes place. We now have this covered in a manner where we can manage, control, and shutdown devices, almost in real time and remotely. This has drastically reduced the risk of any malicious activity resulting from a potential hack\/breach.\u201d\n\nRegular review and monitoring of FAW\u2019s infrastructure is crucial to ensuring it can identify and address any potential cybersecurity flaws and issues before they happen, Karaibrahimgil adds. \u201cWith IT being a dynamic environment, our infrastructure landscape changes all the time, and with these changes we must ensure there are no potential vulnerabilities.\u201d This will be a key priority moving forward, too, he says, especially in relation to security risks emanating from the FAW\u2019s external infrastructure such as hosting companies, websites, and external systems. \u201cIn working with external companies, we need assurance that they are cybersecurity compliant and resilient \u2013 any potential preaches could be catastrophic, especially from a data protection perspective.\u201d\n\nThe FAW plans to engage in annual penetration testing, both internally and externally, to identify any potential vulnerabilities within the company as well as its partners, along with engaging with the Cyber Essentials certification program, aiming to complete it fully over a 36-month period, Karaibrahimgil says.