Baron Pierre de Coubertin, founder of the modern Olympics, famously remarked: "The most important thing in the Olympic Games is not winning…but fighting well."
While athletes at the upcoming Summer Olympics will compete hard to earn medals, a battle of a different kind will take place behind the scenes: the fight against nation-state threat actors and other cybercriminals.
The Olympic Games pose the perfect environment for cybercriminals to wreak havoc. These high-profile events reach a global audience of billions, and successful attacks can garner substantial attention for nation-state threat actors attempting to further their nefarious agendas, or hacktivists trying to spread a message.
There’s also an opportunity for financially motivated attacks. The sheer amount of commerce and consumer data surrounding the Olympics is massive, creating a plethora of opportunities for cybercriminals to carry out ticketing and travel scams or steal consumer data to commit identity theft or fraud.
There were a staggering 450 million attempted cyberattacks during the Tokyo 2020 Summer Olympics, which took place in 2021 because of the pandemic. They included malware, email spoofing and phishing, as well as fake websites made to look like they were associated with the Olympics. The games went on without incident, thanks to robust cybersecurity measures surrounding the event, but cybercriminals have had the past three years to refine their techniques.
It may not sound like much time, but technology years are similar to “dog years” in the sense that the technology can change drastically in just a single year. Cybercriminals have new technologies at their disposal — most notably generative AI — and there are exponentially more vulnerabilities to exploit since the world has become that much more interconnected since 2021, as we saw last week with the CrowdStrike outage.
Add to the mix heightened geopolitical tensions and armed conflicts, and the 2024 Summer Olympics are “facing an unprecedented level of threat,” according to Vincent Strubel, director general of French cybersecurity agency ANSSI. In fact, ANSSI anticipates eight times more attempted attacks than at the Tokyo games.
It has never been a more critical time for organizations to bolster their cybersecurity posture. It’s true not only for companies directly related to the Olympic Games, but also for those further down the supply chain that are not often exposed to this level of risk and are potentially more vulnerable to cyber threats.
How to go for the gold in cybersecurity
With each Olympic Games, new digital experiences emerge to delight attendees and viewers, whether that’s through streaming services, ticketing websites, or e-commerce offerings. At their core, these experiences are all connected by application programming interfaces (APIs). These APIs serve as communication lines that enable various software components or applications to share information with each other. In many instances, that information contains sensitive data, and all it takes is one unauthenticated or misconfigured API for cybercriminals to gain access to said data.
We found the number of APIs an organization maintains grows with the size of the organization. A survey found that nearly 40% of the largest companies surveyed reported having more than 250 internal APIs. Multiply that by the huge number of companies either directly or indirectly affiliated with the Olympics and the attack surface gets enormous. We need to make API security a top priority leading up to the Summer Games, but securing APIs is easier said than done because of their vast numbers and their dynamic nature.
Fortunately, technology has evolved right along with cybercriminals’ tactics over the past few years. Today, products that leverage automation and machine learning (ML) help companies effectively catalog, monitor, and protect their APIs by detecting and alerting them to anomalous behavior. These tools support a proactive approach to API security so companies can identify problems before attacks happen.
Larger organizations also might consider setting up a security operations center (SOC) ahead of the games. There’s never a good time for a company’s systems to go down, but events like the Olympics are especially downtime-sensitive, and companies can’t afford to risk losing sales, website visitors, and overall productivity. Having a SOC in place lets organizations respond to issues quickly to avoid downtime.
Finally, it’s important not to overlook the role humans play in upholding security. Leaders need to raise awareness around the increased level of risk surrounding the Olympic Games and offer cybersecurity awareness training as needed. Everyone within the organization must stay vigilant when it comes to common social engineering tactics malicious actors may use leading up to and during the games.
There’s no silver bullet when it comes to cybersecurity, and we will undoubtedly see successful attacks during the Summer Olympics. But by practicing defense-in-depth and layering API security on top of existing security processes, including setting up a SOC and offering cybersecurity awareness training, security teams can position their organizations to thwart attacks.
Stas Neyman, director of product marketing, Akamai