By Cam Sivesind
Tue | Oct 22, 2024 | 5:38 PM PDT

As a sports nut and marketing nerd who worked for a marketing technology company before landing at SecureWorld, I am fascinated by how marketers try to reach consumers; and I usually have a pretty good idea when I first see a TV commercial, billboard, or print ad if it will be effective or not.

For that reason, I often pay more attention to the commercials than the games or shows.

With the baseball World Series firing up this week—I have no dog in the fight—and the NFL and collegiate football seasons in full swing (my Oregon Ducks are ranked No. 1), I was keenly interested in a recent Forbes Technology Council article. It examines how technology is transforming the sports and entertainment industries in an effort to "improve" the customer experience.

But where does my brain go on this topic, given that my current role is to build impactful agendas for cybersecurity professionals attending our conferences across North America, and to write for SecureWorld News? I want to know the cybersecurity implications of using more technology to reach more consumers, fans, and would-be fans.

A teaser of the Forbes Technology Council article breaks down the key points around the topic nicely, complete with cute emojis:

🌐 Industry Shifts: The COVID-19 pandemic accelerated the adoption of contactless payments and mobile ticketing in sports and entertainment venues to address revenue shortfalls and maintain hygiene.

🚀 Global esports boom: The esports market is seeing exponential growth, facilitated by platforms like Twitch and YouTube, promoting global reach and interaction among fans.

🏟️ Smart stadiums: Modern stadiums are equipped with technologies like high-speed Wi-Fi and beacon technology, providing fans with real-time updates, personalization, and enhanced convenience.

📱 Mobile engagement: Smartphone applications now offer live stats, replay videos, and augmented reality games, significantly enriching fans' in-venue experience.

🕶️ Immersive innovations: Augmented and virtual reality technologies redefine fan engagement by offering immersive viewing experiences that place fans at the center of the action.

📊 Data-driven personalization: Sports and entertainment venues are personalizing fan experiences using big data, similar to how platforms like Netflix suggest content.

Here's my reaction to every point made above. 🚩 Red flag emoji! Let's break it down, and there will be some repetitiveness.

  • The increasing use of contactless payments and mobile ticketing heightens cybersecurity risks, particularly around data breaches, phishing attacks, and exploitation of vulnerabilities in mobile applications, leading to potential theft of sensitive personal and financial information.
  • The exponential growth of the esports market, driven by platforms like Twitch and YouTube, increases cybersecurity risks such as account takeovers, DDoS attacks, and data breaches, which could compromise sensitive user information and disrupt gaming experiences.
  • The integration of high-speed Wi-Fi and beacon technology in modern stadiums raises cybersecurity risks, including vulnerabilities to hacking, data breaches, and the potential exploitation of personal information gathered through real-time updates and personalized services.
  • The use of smartphone apps for live stats, replay videos, and augmented reality games in venues introduces cybersecurity risks, such as data breaches, unauthorized access to personal information, and vulnerabilities in app security that could be exploited by cybercriminals.
  • The integration of augmented and virtual reality technologies into fan engagement introduces cybersecurity risks, including potential vulnerabilities in data transmission, exposure to real-time location tracking, and risks from malicious actors exploiting immersive experiences to gain unauthorized access to personal information or systems.
  • The use of big data to personalize fan experiences in sports and entertainment venues introduces cybersecurity risks such as the potential for data breaches, misuse of sensitive personal information, and targeted attacks exploiting behavioral and preference data collected from fans.

The marketing technology company I worked for has a software platform used by enterprise marketers and agencies as the foundation of performance-based measurement, namely using a "pixel" to provide impartial multi-touch attribution. In a nutshell, the technology tracks the customer journey from all those marketing touchpoints to a sale or signed service contract. From that data, marketers can figure out how to better reach their targeted audience.

There are ongoing debates over how ethical this "tracking" is—are folks' data privacy rights being violated?—but at the same time, marketers argue that their goal is to provide a better customer experience by serving up information that is helpful and customized.

Regardless, it's all about the data. Keeping that data secure is what organizations, enterprises, governments, and the third-party cybersecurity solutions and tools providers are charged with doing.

I am not a cybersecurity practitioner—I probably say that a half dozen times a week when I am asked for an expert opinion, or a vendor panelist wants to modify the starter questions for a threat landscape panel at one of our conferences—so I reached out to some of our practitioner and vendor friendlies for their thoughts on this topic.

Col. Cedric Leighton, CNN Military Analyst; USAF (Ret.), Chairman, Cedric Leighton Associates, LLC:

"There's really no hard line between an immersive tech/fan experience and protecting everyone's data," Col. Leighton said. "The real question is can technology, especially when it comes to cybersecurity solutions, keep pace with the demands of an immersive fan experience. Historically, cybersecurity solutions have lagged behind tech-based fan or consumer experiences. And that's a problem because security solutions are seldom 'baked in' when these technologies are being developed."

As for what venue and sports management companies can do, Col. Leighton said, "I think the key for venue and sports management companies is to demand that the technological solutions they seek have a robust cybersecurity component—a cybersecurity component that can keep pace with evolving threats to privacy and data piracy."

Fans and consumers are demanding improved Wi-Fi accessibility in venues, which comes with risks, of course. "Any publicly accessible Wi-Fi system is inherently risky. Personally, I avoid using them as much as possible and, as a result, I'll forego the promised immersive experience if I feel my data has a great potential of being compromised," Col. Leighton said. "It's very difficult to balance the desire for greater connectivity and the need for data security. One somewhat futuristic solution might be to incorporate encryption technologies at the device level. That would mean that any device connecting even to a public Wi-Fi system would encrypt its data so that it couldn't be compromised by 'war-driving' or similarly nefarious data collection activities."

With all that data, how is it managed and kept secure?

"Venue data management is a really big challenge for sports and event management companies. They have to have workable protocols in place to secure the data, and encrypting that data, both while it is at rest and in transit, is key to avoiding or minimizing data compromises," Col. Leighton said. "The venues and the sports franchises that take their fans' data security requirements seriously can differentiate their experiences from those venues and franchises that don't put those guardrails in place. Fan data security can be a marketing tool for them. But that can be a two-edged sword if a venue experiences a data compromise. The fact of the matter is that there's one constant in the world of data security and that is this: The greater the connectivity opportunities are, the greater the resulting attack surface becomes and the higher your risk of compromise is."

We also can't forget about physical security, which years ago seemed to be the only risk for attending a sporting event or a concert.

"Sporting and entertainment events have frequently attracted those who try to disrupt them in a physical sense," Col. Leighton added. "The Bataclan and Stade de France attacks in Paris in 2015 are examples, as was the planned attack against a Taylor Swift concert in Vienna, Austria. A nightmare scenario for both physical security (like police) and cybersecurity professionals would be an attack on a major sporting event or popular concert that combined physical and cyber attacks."

Darren Guccione, CEO and Co-Founder at Keeper Security:

"What's particularly concerning is that physical threats can also arise from these cybersecurity vulnerabilities. For instance, if a cyberattack targets a venue's access control systems, unauthorized individuals could gain entry to restricted areas, jeopardizing the safety of players, staff, and fans alike. Furthermore, attacks on operational technology—such as scoreboard systems or lighting controls—can create chaos during live events, potentially leading to hazardous situations.

"Venue and sports management companies play a critical role in ensuring the safety of their fans and stakeholders, and their information, from cyber threats. With sensitive data—ranging from ticketing and payment systems to fan information and player performance metrics—spread across numerous interconnected systems and devices, the risk of damaging cyber incidents is increasing faster than ever before.

"To provide an exceptional fan experience, operations teams, sponsors, players, coaches, fans, and vendors rely on a variety of technologies, including point-of-sale (POS) devices, IT infrastructure, and personal devices. However, this proliferation of tech creates multiple entry points for cybercriminals to potentially exploit. With high volumes of financial transactions occurring during events, hackers see a prime opportunity for fraud. Disruptive attacks on networks can also compromise game broadcasts or advertisements, leading to severe financial and reputational fallout for teams, venues, and their broadcasting partners.

"To combat these threats, it's crucial for organizations to implement robust cybersecurity measures—such as end-to-end encryption, strict access controls, and regular security audits. Establishing a centralized data management system can effectively organize information, while incorporating strong security protocols helps to prevent unauthorized access. Given that nearly 68% of breaches stem from human error—like weak or stolen passwords—it's also essential for organizations to prioritize employee training to enhance awareness of common scams and threats."

John Gallagher, Vice President at Viakoo:

"The massive impact of a successful attack is what motivates threat actors. This is no different for an attack on a sporting event than it would be for any other attack we've witnessed. For some, it is to make a point, others may gain a financial benefit, and for others it may act as a form of advertising. Threat actors increasingly operate as organizations with detailed structure and planning behind their attacks, so in many ways a successful attack acts as the 'Super Bowl' for their operation.

"When it comes to sporting events, one of the most disruptive items would be a loss of situational awareness, especially if IoT devices like IP cameras and security systems are breached. Similar to the plot of movies like Ocean's Eleven or The Italian Job, the planting of deepfakes or modifying data by breaching these systems can cause massive disruption by not having a clear understanding of what is happening. 

"The widespread use of IoT devices that third parties bring to sporting events (caterers, entertainment, additional security) means that traditional IT security will not be sufficient, and the overall testing of those systems ahead of any sporting event to ensure that sufficient redundancy exists. Security for sporting events must also have a focus on resiliency; if bad things happen, is there an already established plan to minimize the impact?"

Glenn Gray, Head of Product at Auvik:

"Providing a consistent and secure Wi-Fi experience to fans and consumers starts with observability. As the old adage goes, you can't protect what you can't see. Strong, real-time visibility into your network's performance can help IT managers for arenas and venues avoid network bottlenecks and latency issues. A solid observability platform that includes mapping, documentation, and inventory management functions can help IT managers better understand their infrastructure's potential attack surface. From there, adopting best-in-class security practices becomes much easier."
