Full Report
It’s snow joke – sporting events are a big draw for cybercriminals. Make sure you’re not on the losing side by following these best practices.
Analysis Summary
# Best Practices: Cybersecurity for Major Sporting Events
## Overview
These security practices focus on mitigating cyber threats targeting sports fans and related entities during major sporting events (like the Olympics). The primary threats identified include phishing, credential theft, malware distribution via fake sites/apps/streaming services, reconnaissance for hacktivism, and sophisticated AI-powered scams capitalizing on high public interest.
## Key Recommendations
### Immediate Actions (Quick Wins)
1. **Verify Official Sources:** Immediately cease engaging with any unsolicited messages (email, SMS, social media) related to the event that are not explicitly verified through official channels.
2. **Enforce Email/Link Vigilance:** Instruct all users to avoid clicking links or opening attachments in unsolicited communications, even if they appear sourced from official sponsors or organizers.
3. **Limit High-Value Access on Public Wi-Fi:** When attending the event, instruct attendees to avoid accessing sensitive accounts (banking, primary email) when connected to public event Wi-Fi; utilize a reputable Virtual Private Network (VPN) if connection is necessary.
4. **Do Not Scan Unknown QR Codes:** Implement a strict policy against scanning unknown or suspicious QR codes encountered at the event or received digitally, as these can lead to malicious redirects or malware downloads (Quishing).
### Short-term Improvements (1-3 months)
1. **Deploy Robust Endpoint Protection:** Ensure all organizational and personal devices accessing event-related information or networks have current anti-malware software installed from a reputable vendor to mitigate risks from phishing and drive-by downloads.
2. **Educate on Fake Commerce/Ticketing:** Distribute clear guidance demonstrating how to spot fake ticketing, accommodation, and merchandise sites, emphasizing the danger of third-party resale platforms for high-value items like tickets.
3. **Social Media Support Scrutiny:** Train staff and advise the public never to share personal or booking information when interacting with social media accounts claiming to offer "official support" off-platform; insist on using official communication channels only.
### Long-term Strategy (3+ months)
1. **Establish Official Channel Reliance:** Develop and widely disseminate a clear list of definitive official URLs for ticketing, merchandise, and official apps to drastically reduce the attack surface from SEO poisoning and lookalike domains.
2. **Integrate AI Scam Awareness:** Develop ongoing security awareness training that specifically addresses AI-generated threats, including deepfake videos targeting decision-makers or fans, emphasizing critical thinking about unexpected or emotionally charged content.
3. **Formalize Volunteer/Hiring Vetting:** Document and adhere strictly to published official procedures for volunteering or employment recruitment, explicitly communicating that official organizers will never request upfront fees for volunteer work or processing.
## Implementation Guidance
### For Small Organizations
- **Focus on Phishing Education:** Prioritize mandatory, frequent training sessions focused entirely on identifying malicious links, urgent requests, and identifying non-official support requests via social media and email.
- **Mandate Reliable Anti-Malware:** Ensure all endpoint devices used by employees or volunteers interacting with event logistics use a reputable, centrally managed anti-malware solution.
### For Medium Organizations
- **Develop Official Communication Checklists:** Create a formal verification standard (e.g., "If it contains a link regarding payment, call the sender to verify the URL") for all inbound communications related to event assets (tickets, sponsorships).
- **Map Official Stream Sources:** Pre-select and communicate only the authorized streaming providers (e.g., NBCUniversal, BBC) for organizational viewing streams to prevent malware infection via black-hat streaming sites.
### For Large Enterprises
- **Implement Traffic Filtering:** Configure DNS filtering or web proxies to block access to known illegal streaming domain categories and newly registered lookalike domains preemptively.
- **Establish State-Actor Threat Monitoring:** Enhance threat intelligence feeds to specifically monitor for TTPs associated with state-aligned actors who have previously targeted significant global events with disruptive wiper malware against network infrastructure.
- **Deploy Advanced Email Filtering:** Utilize advanced threat protection (ATP) features in email systems capable of scanning URLs in real-time for phishing indicators and stripping malicious attachments (sandboxing).
## Configuration Examples
| Security Component | Configuration Best Practice | Rationale |
| :--- | :--- | :--- |
| **Endpoint Protection** | Enable real-time scanning and heuristic monitoring for zero-day malware insertion triggered by drive-by downloads from compromised advertising overlays. | Mitigates threats hidden within seemingly benign streaming site advertisements. |
| **VPN Usage Policy** | Require VPN use on all devices connecting to any network designated as "Public" or "Guest" for event access. Disable credential caching on those profiles. | Protects against on-path attacks prevalent on insecure event Wi-Fi hotspots. |
| **Email Gateway** | Implement DMARC/DKIM checks with strict enforcement for incoming emails claiming sponsorship or vendor status; flag any emails missing these alignment checks for manual review. | Reduces successful impersonation by cybercriminals spoofing genuine organizational domains. |
## Compliance Alignment
- **NIST Cybersecurity Framework (Identify & Protect):** Adherence to these practices aligns with identifying external threats (e.g., phishing campaigns, SEO poisoning tactics) and implementing safeguards (e.g., endpoint protection, strict URL verification).
- **ISO/IEC 27001 (A.16 Information Security Incident Management):** Preparation for event-specific scams contributes to incident readiness by anticipating high-volume, targeted attack vectors.
- **CIS Controls (Control 3: Data Protection; Control 4: Secure Configuration):** Implementing strict controls on public Wi-Fi usage and deploying vetted anti-malware addresses the protection of sensitive data during travel/event presence.
## Common Pitfalls to Avoid
- **Assuming Third-Party Marketplaces are Safe:** Do not assume that listings on legitimate sites (like eBay or Airbnb) are vetted for ticket/accommodation fraud; scrutinize seller reputation and use integrated communication tools only.
- **Trusting Visual/Audio Authenticity:** Over-reliance on easily faked media; dismiss deepfake videos or audio clips impersonating officials or athletes regardless of how realistic they appear without external verification.
- **Ignoring Volunteer/Job Scams:** Falling for high-pressure recruitment tactics that ask for fees or excessive PII before formal acceptance, as official processes are free and structured.
## Resources
- **Official Ticketing Portal:** `https://tickets.milanocortina2026.org/` (and official hospitality link)
- **Official Merchandise Store:** `https://shop.olympics.com/`
- **Official Volunteer Portal:** `https://team26.milanocortina2026.org/`
- **Reference Framework:** Utilize documentation from established security vendors regarding current phishing and streaming link protection signatures for up-to-date threat defense signatures.