Cyber-security advice for the Super Bowl and your business

New England Patriots fans call it a competitive advantage, the rest of the NFL calls it cheating.

So as the Eagles prepare for Super Bowl LII against the Patriots this Sunday, cybersecurity experts are advising both teams to take precautions to keep their playbooks from falling into the wrong hands.

In Spygate, one of the most notorious scandals to strike the NFL, a Patriots employee was nabbed in 2007 covertly videotaping defensive signals as the Patriots faced off against the New York Jets. An investigation reportedly turned up a massive archive of recorded signals and corresponding plays. Though that wasn’t strictly illegal, the NFL fined the Patriots and head coach Bill Belichick a total of $750,000.

“Spygate was Flintstones stuff compared to what’s going on now,” said Ed McAndrew, a former federal prosecutor who is now a lawyer specializing in cybercrime at Philadelphia’s Ballard Spahr.

McAndrew isn’t pointing fingers at the Pats. Every team is suspect, and every team is vulnerable, he said.

And the lessons McAndrew has for the Eagles are applicable to any business enterprise.

“It’s the same advice we’d use for any professional,” said the former assistant U.S. Attorney, “and the Eagles are just pros doing their jobs.”

The possibilities for sports espionage exploded in 2011, when NFL teams began to use tablets to hold their playbooks. The tablets, if connected to the internet, are susceptible to hacking.

“The real risk now is that an opponent could steal your scheme, your game plan, or they’re going to know what play you’re about to run,” McAndrew said. “That potentially also could be through the interception of wireless signals between the coaches and the quarterbacks.”

Key information also could be released into the wild due to player forgetfulness.

“It only takes one player to lose an unencrypted tablet, leave it in a car, have it stolen from them, and something valuable could be compromised,” McAndrew said. The digital playbooks are in everyone’s hands. That’s the big concern.

A big threat comes from players who, like most people, use similar passwords for different online accounts. “That creates a greater surface-attack area,” McAndrew said. “You know they are, because we all do it.”

“Just like we’ve seen celebrity accounts hacked and intimate photos stolen, you can just as easily steal plays,” he said. “So there are real security concerns about players and coaches preparing for the games. The greatest threat may not be Bill Belichick himself, but some third-party hacker who gets that information and decides to share it.

“We can’t run that risk this time. I don’t want to see the genius of Doug Pederson undermined by faulty data security.”

K2 Intelligence, one of the world’s leading investigations and cyber-defense companies, partnered with the NFL Players Association to limit athlete vulnerability.

“A lot of time the players don’t realize they’re high-profile targets,” said Robert Panella, a managing director of K2 Intelligence. “And it’s not just the athlete, it’s the family and friends who can put them at risk” by inadvertently releasing personal information.

The company often is called to conduct cyber house calls, said Patrick Doherty, also a director at K2 Intelligence.

“We go into their homes and have them put all their devices and accounts on the table,” Doherty said. “We don’t just go in and check on the modem, routers, and passwords. We show them their total exposure.

“Anything online is at risk,” Doherty said.

Playbook for online security

K2 Intelligence directors Robert Panella and Patrick Doherty offered tips to players and other professionals who want to keep their playbooks secure:

  • Public WiFi should always be deemed insecure. Whether you are using a tablet, a laptop, or an iPhone, when traveling you have fewer protections and could be vulnerable to a man-in-the-middle attack. Someone could set up in a hotel, create an account that masquerades as the hotel WiFi, and intercept all of your communications.
  • Use a VPN (a virtual private network), or WhatsApp or Signal to encrypt your communications. WhatsApp and Signal are both free in the app store and encrypt data end-to-end, making for more secure texts and calls.
  • Do not commingle personal and professional data on the same device. Avoid accessing social media accounts on equipment used for business. Do not forward professional data to a personal account.
  • Use dual-factor authentication when signing on. Even in the event that someone learns your password, a second piece of information can help prevent a hacker from logging on through an unauthorized device.
  • Don't keep sensitive information in the cloud.

Ballard Spahr's Ed McAndrew adds these tips:

  • Immediately report any suspicious activity or the loss of a device. If you're an Eagles player, alert your position coach. If a playbook is on a device that's gone missing, the team could wipe the device before it gets too late.
  • Don't share passwords and don't reuse them. It's simple data hygiene.