Sports & Stadium Cyber Security: Implications of Martyn’s Law
The world of sports isn't just about what happens on the pitch – it's about protecting the people, infrastructure and data that make those moments possible. As experts in sports team, ground, and stadium cyber security, we're trusted by teams and grounds across the UK and globally to keep their operations secure, and their staff and fans safe.
Sports grounds are increasingly being used as multi-use venues, and the complex, interconnected technological systems of modern stadiums widen the threat landscape and heighten cyber risk.
Here we delve deeper into the cyber security implications of Martyn’s Law:
Martyn’s Law: What to expect
Cyber threats continue to evolve; however, it’s important that organisations realise it’s not just digital threats that they need to be aware of. The UK government has recently designed Martyn’s Law, or the Terrorism Protection of Premises Bill, that is due to become law in 2024. Martyn’s Law is designed to reduce the risk to the public from terrorism and other major incidents within public venues.
Whilst there are different requirements as the size of the venue scales, any public venue that has a capacity of 100 people will have to adhere to the new law. These venues can include locations used for entertainment and leisure, retail, food and drink, museums and galleries, sports grounds, visitor attractions, temporary events, places of worship, health, and education. So if your organisation can put on events for over 100 people, it would be included in this legislation.
The literature on Martyn’s Law focuses mainly on protection against terrorist attacks, but can aspects of cyber security be part of these requirements and, if so, which ones are going to be critical for organisations to look at in line with their physical security controls?
Physical Security Policy
The majority of cyber security governance accreditations, such as IASME or ISO27001, expect organisations to hold a physical security policy that details access to premises, the physical controls that are in place and how these are fed into the business risk register/assessment. This is going to be a key component that organisations will need to put together to prepare for Martyn’s Law. By knowing your current areas of weakness, and where the biggest risks to the organisation lie, you can prepare physical security controls and processes to mitigate these issues.
Physical Red Teaming
Typically sitting with experienced penetration testing teams, red teaming is a way for organisations to respond to a genuine cyber attack in a controlled manner. Sometimes this is conducted digitally, with actions such as phishing simulations; however, red team exercises are also conducted physically. Within these tests, penetration testing teams look at the physical nature of security by trying to bypass physical controls and seeing how much the organisation would be impacted by this. This methodology is a great way to get an external, non-biased assessment of your physical controls.
Incident Response Simulations
Whilst companies might produce an incident response policy or playbook, the organisations with a more mature cyber security posture conduct simulations to test, validate and improve on their current processes. This creates a structured approach to incident response and allows companies to assess where any weaknesses lie in processes. Being prepared for an incident and knowing the processes of incident response inside out means that an organisation is in a better position to recover effectively and efficiently.
Don’t forget the Digital
Physical security is the key to Martyn’s Law, but physical controls and access points can be disabled within the interconnected digital world most organisations operate in. Several cyber security services can be of value in mitigating major impacts within physical locations:
Penetration Testing can assess ticketing portals to make sure there are no vulnerabilities that give unauthorised users the ability to print tickets.
Vulnerability Scanning can analyse the internal infrastructure for potential threats.
A good governance approach can help a company fully understand all of its processes (both physical and digital) to make improvements.
Supply chain management can help ensure additional checks are incorporated for suppliers with key access to the location.
Phishing simulations can test users to identify their capabilities as a first line of defence.
In conclusion, the introduction of Martyn’s Law will put pressure on physical locations to ensure that they are doing as much as possible to mitigate against major impacts. Whilst the focus is on the physical side of things, it’s important to remember that digital systems and applications are so intertwined with physical systems that fully reviewing your cyber security, both digital and physical, is important.
Next Steps
Remember, preparedness, vigilance, risk assessments and a review structure are key to safeguarding your physical location against the threat of a major incident. Testing against all potential avenues, both physical and digital, is the only way of truly understanding your organisation’s weaknesses and vulnerabilities.
For further information and support contact us or see our Sports and Stadium Sector information.