
Cybersecurity Risks: Considerations for Boards
The team at iBabs have shared some of their insights on the key elements that boards should be considering regarding cybersecurity. The article looks at cybersecurity in both the board roles themselves and embedding a culture that promotes it within the organisation as a whole.
Date: 31st Jul 2025
Author: iBabs
Just as sports teams need to properly prepare for common challenges on the field of play, they also require a plan for the governance risks they face. This is particularly important when it comes to cybersecurity. From elite clubs concerned about the leaking of key information to rivals to grassroots organisations trying to protect the personal data of members, having the correct policies, procedures and tools in place to protect your systems from external attack is essential.
This article explains the importance of cybersecurity in the sports and physical activity sector, the common risks to understand and how boards can embed cybersecurity into governance for the good of the organisation.
Why cybersecurity matters
Sports clubs manage large volumes of data that can be valuable to cybercriminals, with everything from sponsorship deals and contracts to financial accounts and the personal data of members passing through the board for scrutiny.
Many organisations in the sector are run on tight budgets by volunteers who may not have significant cybersecurity experience. However, even larger professional operations can fall foul of cyberattacks, highlighting exactly why all boards need to implement cybersecurity measures.
In recent years:
● English football team Charlton Athletic was the victim of a ransomware attack in 2024, which wiped out significant financial data and records from its accounting system. The incident was cited as contributing to a £14 million loss for the club during the 2023-24 financial year.
● French professional basketball team ASVEL suffered a ransomware attack in which hackers stole players’ personal data, copies of their passports and ID cards, club financial documents, NDAs, contracts and other confidential information.
● The World Anti-Doping Agency (WADA) was the subject of a data leak, exposing the private medical details of huge sporting stars in the process.
Common cybersecurity risks
There are many ways that sports boards can become exposed to cybersecurity risks. These include:
| Risk type | Description | Potential impact |
| --- | --- | --- |
| Phishing attacks | Deceptive emails sent to individuals encouraging them to take detrimental actions disguised as official messaging | Data encryption, data theft, financial loss, third-party attacks, website attacks |
| Unsecured file sharing | The board member handles sensitive files using email or drives accessible by the public | Exposure of confidential data, reputational damage |
| Insider threats | Unintentional data leaks by trusted individuals within the board structure | Reputational damage, data loss |
| Poor password practices | Using weak or shared passwords to access board materials or confidential information | System compromise |
Potential Outcomes
Whilst some hackers will simply attack an organisation’s infrastructure with the sole aim of disrupting its operations, many will do so with the aim of financial gain. The most common method of doing this is using ransomware. Once access to digital systems has been gained, outcomes from ransomware attacks designed to extract money from your organisation can include:
| Outcome | Description |
| --- | --- |
| Data Encryption | Attackers will encrypt some or all of an organisation’s systems, blocking access to highly important documents in exchange for a ransom payment (which the attackers may not honour). This can be combatted by having an effective backup system. |
| Data Theft | Hackers will make copies of sensitive data ready to be sold or made public. They may choose to sell data to other bad actors to target individuals with further attacks. This could include impersonation of organisation employees or volunteers to generate trust. Attackers may choose to leak the data to do reputational harm and/or to demonstrate intent to leverage ransom negotiations. |
| Distributed Denial of Service (DDoS) attacks | If an organisation is unwilling to cooperate with the attackers, they may use DDoS attacks to temporarily or indefinitely overwhelm your website or systems to take them out of action. |
| Third-party attacks | An additional factor to consider will be hackers contacting third-party associates including vendors and customers. This could be with ransom demands to stop them leaking their data, or by using individuals’ email addresses to attempt to infiltrate other organisations through phishing or other methods. |
How to embed cybersecurity into governance
The board is ultimately responsible for cybersecurity and this element of governance should start with the board and filter down to employees, coaches and volunteers, as well as stakeholders participating in the sport. To maintain their trust in your organisation and to keep their sensitive information safe, you should prioritise cybersecurity in your board’s work.
Here are some tips to embed cyberawareness at board level:
● Include cybersecurity updates as a standing item on your meeting agenda. Each feature should include a look at any concerns, issues or reports relating to the security of your IT systems.
● Assign clear roles and responsibilities relating to cybersecurity insight. Undertake training for whoever you make your digital governance officer or equivalent to support them in their position and so they can be a point of contact for related concerns.
● Create, approve, distribute and regularly review an organisation-wide cybersecurity policy, focused on the safe handling of data and best practice for using websites, apps and managing other sensitive information.
● Create a cyber incident response plan to minimise the impact caused by any cyberattack. Carry out dry-runs to ensure all relevant individuals understand their roles in the plan.
● Distribute meeting documents, such as agendas, meeting minutes, reports and other documents for discussion, securely between board members to eliminate unsecured email chains and publicly accessible file-sharing websites.
Steps to improving cybersecurity for boards
Here are some practical steps you can start taking today to tighten cybersecurity in your sports organisation.
- Review your existing cybersecurity policies
Do you currently have clear guidelines for your board members regarding how they should handle board documents and sensitive information they encounter while preparing for board meetings? Do they know what is expected of them in the event of a cybersecurity breach?
Asking these sorts of questions will help you understand the scale of the task required to mitigate potential risks. Use this information to rewrite your policies and make sure they cover the relevant areas of cybersecurity regarding your board.
- Assess your current workflows
How does information flow within your board structure? When the board chair and administrator create the meeting agenda, consider how they send out the board papers. Do they distribute them through unsecured channels, such as using unsecured PDFs and shared drives on public websites? Consider what happens if a board member accesses that information on their personal device and whether it is secure if that device is stolen, lost or someone else gains access to it in another way.
Secure board portals can offer a convenient option to protect the data that you send between members, even when they are using their personal devices.
- Educate and train board members
Knowledge is power in these situations and one of the key drivers for protecting your organisation from cyber-attacks at board level is to upskill members so that they understand not only the nature of the risk, but also the ways to prevent those risks from manifesting.
Many cyber breaches occur due to human error, such as failing to spot phishing attacks, not setting strong enough passwords and using unsecured channels to share data. By helping board members understand the dangers and potential outcomes of these activities and helping them to avoid them, you protect the board as well as the organisation and its stakeholders.
Conclusion
Sports boards already face enough strategic and operational challenges without adding the potential damage that cyberattacks can cause. This is why it is essential that boards take on a cybersecurity mandate, implement a cybersecurity policy and appoint a board member to maintain oversight of it.
Take a moment to evaluate your current board workflows. If you are still relying on email or other unsecured channels, it may be time to consider a more secure approach. Board portals offer built-in encryption, multifactor authentication and remote access controls, helping you protect sensitive information even if a device is lost or stolen.
Want to know more about iBabs?
iBabs Board Portal offers secure digital document management, video conferencing, voting and automated follow-up on actions. Their platform uses the AES-256 encryption that banks rely on and uses secure access control, meaning users can utilise granular permission settings so only authorised personnel using trusted networks can access your board’s sensitive data. iBabs is ISO 27001 and ISO 9001 certified.