Lessons in incident response from the Olympics, World Cup

While the goal of every team is to keep possession, they often must hold the line, defend the goal and mount a comeback to win the game.

This is as true in cybersecurity as it is in sports.

Take high-profile events such as the Olympics or World Cup, for example. History has shown that these events, which draw billions of viewers, are ripe targets for the offense: cyberattackers.

Past events have been marred by phishing attacks, malware-ridden apps, fake social media accounts and spoofed domains, as well as DDoS attacks, hacktivism, state-sponsored attacks and infrastructure disruptions. The opening ceremony of the PyeongChang 2018 Olympics, for example, was notably disrupted by the Olympic Destroyer malware, which targeted Wi-Fi networks, ticketing systems and broadcasting infrastructure. The Milano Cortina 2026 Olympics were no exception. Italy confirmed it blocked a series of cyberattacks targeting its foreign ministry offices, Olympics websites and hotels in the Cortina d'Ampezzo area days before the games opened.

Yet history has also shown that defense wins championships -- a defense built by training consistently, keeping strategies sharp and warming up before the big event. In cybersecurity, this means preparing for when, not if, a cyberattack will occur -- i.e., having effective risk management and incident response programs in place.

In this Reporters' Notebook video, Tara Seals, managing editor of news at Dark Reading, David Jones, reporter at Cybersecurity Dive, and Sharon Shea, executive editor of TechTarget SearchSecurity, discussed the prevalence of cyberattacks on global events and how the challenges these events face are the same as those of everyday organizations.

Watch now for insights on Dark Reading's and Cybersecurity Dive's coverage of global event cybersecurity, as well as the risk management and incident response lessons CISOs from organizations of all shapes and sizes can learn from such attacks, from preparing an incident response plan to managing third-party risks.

And remember, as nine-time Olympic swimmer Mark Spitz said, "If you fail to prepare, you're prepared to fail."


Sharon Shea is executive editor of TechTarget Security.

Transcript - Lessons in incident response from the Olympics, World Cup

Editor's note: The following transcript has been lightly edited for length and clarity.

Dark Reading's Tara Seals: Hello, everybody. Thank you for joining us for the latest installment of Reporters' Notebook, featuring editors and reporters from Cybersecurity Dive, TechTarget SearchSecurity and Dark Reading. I'm Tara Seals, managing editor for news at Dark Reading. I am joined here by:

TechTarget SearchSecurity's Sharon Shea: I'm Sharon Shea, executive editor at TechTarget SearchSecurity.

Cybersecurity Dive's David Jones: David Jones, reporter at Cybersecurity Dive.

Seals: Great, thanks for joining. The Winter Olympics just concluded in Milan and Cortina, and now we're looking ahead to the World Cup this summer in North America. These high-profile events draw billions of viewers worldwide, lots of visitors and involve many moving parts to make them happen. That makes them an attractive target for cyberattacks, and there's a history of attacks on these events over the years.

In Milan, for instance, this time, the Italian government said they thwarted some attacks, though they didn't detail them publicly.

While it might seem like these events have little in common with everyday businesses, I think there are valuable incident response lessons to be learned.

Dave, I know you've done a lot of reporting on some of the risks around these big events. That might be a good place to start.

Jones: Thanks, Tara. There are a couple of issues at play here, given the current global climate, including the conflict in Iran and challenges with key adversaries overseas. Events like these require careful consideration of the venue and coordination with allies to prepare and respond to potential incidents.

These events involve a wide range of potential disruptions, from physical security to digital security. You want attendees, including diplomats, celebrities and political leaders, to feel safe and welcome without turning the event into a stifling police operation.

One major attraction for attackers is the ability to make a broad statement to millions of people through disruptions, such as interrupting broadcasts or delaying live coverage. We've seen attempts at this during previous Olympic Games. Ensuring these events proceed without visible disruptions is a significant undertaking.

Seals: The Pyeongchang 2018 Winter Olympics is a prime example of disruption. The Olympic Destroyer malware caused issues during the Opening Ceremony, including taking down Wi-Fi networks, ticketing systems and contributing to flickering broadcast infrastructure. While the attackers didn't achieve their full intent, the incident highlighted the importance of planning and incident response.

Similarly, during the London Olympics, the UK thwarted an attack on the power grid. While nothing happened publicly, behind the scenes it was a frenzied incident response situation. These examples show how common these challenges are for large-scale events.

Dave, in your reporting on World Cup threats, what are some commonalities between these events and everyday businesses?

Jones: Major businesses often sponsor global events, send senior executives to attend or have critical proprietary or customer data at risk during these events. These executives, who have access to sensitive data, may be targeted personally, whether through tracking, compromised devices or identity theft.

Attackers could use stolen identities to send messages in their names, potentially gaining access to the company's systems. Protecting these individuals and preserving the company's reputation is crucial.

This isn't just relevant for sporting events but also for large company meetings, business conferences and multinational events. Companies need to ensure their security measures are robust to protect their people, data, and brand image.

Seals: Absolutely. If you distill the threats seen at events like the Olympics, World Cups and other big events like the Super Bowl, they're the same as those faced by everyday businesses -- just on a larger scale. Phishing, DDoS, hacktivism, infrastructure disruption, malware, data exfiltration, spyware implantation and more.

These global events provide a unique opportunity to see how incident response should be architected. The threats are the same, but the scale is larger. Sharon, can you talk about some incident response best practices we can learn from these events?

Shea: Absolutely, Tara. These events act as real-world stress tests for incident response. While we may not know everything that happens behind the scenes, it's clear they involve well-oiled machines monitoring, detecting, containing and recovering from attacks.

On SearchSecurity, we've published extensive content on layered defense, cyber resilience and incident response. Preparation is key. Organizations need a well-vetted, regularly tested and updated incident response plan to mitigate financial, operational and reputational damage.

First, create an incident-response plan outlining high-level priorities. Incident response is a team effort, involving responders, forensic analysts, security analysts, PR, legal and external law enforcement, as needed.

You also need playbooks with actionable steps to respond to specific threats like DDoS, ransomware and credential harvesting. And, of course, practice is essential: test playbooks through simulations, tabletop exercises, and red/blue team drills to see how the team reacts under pressure.

Practice, practice, practice. You need to test those playbooks, conduct simulations, tabletop exercises, red team, blue team drills. It's crucial to see how the team reacts under pressure. The first time an incident happens should not be the first time your incident-response team sees the incident-response plan or playbook.

Jones: Unless you're Allen Iverson, who never liked to practice, but that's another story.

Shea: I also wanted to touch on something Dave said earlier. These big world events highlight a reality we're seeing in organizations today: the third-party ecosystem.

Seals: Right.

Shea: Events like the Olympics involve ticketing agencies, streaming services, vendors, sponsors -- a massive network with a huge attack surface. One weak link in the chain can lead to significant consequences. This mirrors organizations working with partners, suppliers, service providers and other third parties. Vetting who you work with and continuously monitoring vendors is essential for maintaining a secure partner and supply chain ecosystem.

Seals: Absolutely.

Shea: Another critical point is communication. When the world is watching, how quickly and effectively you communicate during an incident matters as much as how quickly you remediate the issue. Internal and external communications are key.

Seals: Agreed.

Shea: You need a crisis or incident-response management communication plan. You want your employees, partners, the media, customers, regulators to have consistent, clear, accurate and rapid messaging. That helps maintain trust, minimize chaos and ensure coordinated incident response can happen. Fixing the issue is important, but so is ensuring the communication is handled effectively.

Seals: Events like the Olympics, World Cup or Super Bowl are meticulously planned over years, with incident response plans tested and refined constantly. Yet, even they face challenges from attackers exploiting cracks in the armor.

Jones: This underscores the importance of alliances and coordination between partners. Managing security -- both physical and digital -- for such events requires strong relationships across jurisdictions and countries.

Shea: Don't be the weakest link.

Jones: For example, CISA, the State Department, other agencies participated in preparing for the Olympics, and you need to know the role of your particular agency or your diplomatic corps or your security team in the plan, in the event of an attack if the lights go out, if the ticketing stops working. Everybody's going to have to spring into action at some level of coordination.

Seals: Absolutely. Yeah, 100%. All right, guys. Well, I think we can leave it there. I really appreciate your time. And for our viewers, once again, I'm Tara Seals with Dark Reading. I have been joined by Sharon Shea from TechTarget SearchSecurity and Dave Jones at Cybersecurity Dive. Thank you for watching.
