Report Suggests Cybersecurity Risks at the Olympic Games Will be Widespread
While previous Olympic games have faced cybersecurity threats, the Games of the XXXIII Olympiad, also known as Paris 2024, will see the largest number of threats, the most complex threat landscape, the largest ecosystem of threat actors, and the highest degree of ease for threat actors to execute attacks. To defend against these attacks and avoid significant disruptions, International Data Corporation (IDC) estimates that revenue from cybersecurity services in France will increase by $94 million (€86 million) in 2024 as a result of the Olympic Games, adding just over two percentage points to total cybersecurity services spending.
Paris 2024 will be the most connected Games ever, including but not limited to back-of-house systems, financial systems, critical national infrastructure, city infrastructure, sport technology, broadcast technology, and merchandising and ticketing. And while risk is clearly highest for venues and other assets used directly for the Games, it permeates outward and seemingly unrelated assets can come under attack, including critical national infrastructure and many French businesses. Outside of France, IDC expects security services revenue in the rest of Europe will increase by $57 million in 2024 as a result of the hosting of the Olympic Games in Paris.
“Cybercriminals are leveraging global sporting events like the Olympic Games to craft new targeted threats to businesses and citizens, knowing that their target is often distracted and more prone to social engineering,” said Richard Thurston, research manager, European Security Services at IDC.
“We can expect to see an unprecedented level of threats launched during the Paris Olympic Games supporting a variety of financial and political motives targeting not only the Olympic Games but also unrelated organizations,” Thurston continued. “Fortunately, many organizations in France have been working to accelerate the strengthening of their cybersecurity posture ahead of the Games. Furthermore, the Local Organizing Committee is working with a range of highly skilled cybersecurity companies to mitigate risk to the Games itself.”
“The threat extends to a wide range of potential targets beyond the Olympic infrastructure itself, including things like fixed and mobile networks in Paris, transportation infrastructure and companies, hotels and the leisure industry, and financial networks,” added Thurston. “Organizations can expect threat actors to deploy a full array of tactics, techniques and procedures, such as ransomware and data exfiltration, exploiting application vulnerabilities, social engineering, tailored phishing attacks, and denial-of-service attempts aimed at taking down online services.”
In preparation for the Olympics, a national service (ANSSI) was created under the authority of the French Prime Minister and attached to the General Secretariat for Defence and National Security (SGDSN). ANSSI is responsible for the management of the strategy for the prevention of cyberattacks at the Games.
The system set up by ANSSI, in collaboration with several entities involved in the organization of the Games, is structured around the five main axes: increase knowledge of the cyberthreats to the Games; secure critical information systems; protect sensitive data; raise awareness in the Games ecosystem; and prepare to respond to cyberattacks affecting the Games. ANSSI has implemented an awareness-raising plan aimed at hundreds of players in the Games ecosystem and organized several crisis-planning exercises.
In addition, the Local Organizing Committee has appointed Eviden to manage cybersecurity services and operations, which can be delivered from a dedicated security operations center (SOC) for the Games as well as up to 17 SOCs worldwide. This marks a continuation of Eviden’s parent company Atos’ partner activities with the International Olympic Committee. Other technology vendors that are partnering directly with Paris 2024 include Alibaba, Deloitte, Orange, and Cisco.
In the private sector, organizations in France are moderately well-prepared for the additional threats that will accompany the Olympics. Incident management and response is already a main cybersecurity priority for 61% of large enterprises in France, and nearly half believe they currently have sufficient threat hunting or threat intelligence skills. However, less than 20% of French businesses believe their cybersecurity posture is mature or better, and smaller organizations are likely to have lower levels of skills and preparedness.