Large-scale global events such as the Olympic Games, World Cups, and international summits present unique cybersecurity challenges. These events involve massive IT infrastructures, worldwide media attention, and participation from numerous organizations and attendees. This high profile makes them attractive targets for cyberthreat actors. For example, the IT systems supporting the London 2012 Olympics faced cyberattacks every single day during the games.1 Despite the constant assaults, including at least one major, well-orchestrated attack, robust preparations enabled organizers to fend off disruptions. This experience underlines why proactive cybersecurity management is essential for any global event in the digital age. By studying real-world incidents and the strategies used to mitigate them, security practitioners and auditors can strengthen their own event planning, incident response protocols, and risk assessment processes, ensuring resilience in high-pressure, high-visibility environments.
Major Cyberthreats to Global Events
High-profile events draw a broad spectrum of cyberadversaries, from opportunistic hackers to state-sponsored groups. A target-rich environment of critical systems, corporate sponsors, and user data makes these events especially tempting.2 In many cases, cybercriminals and hacktivists seek to cause disruption or steal data during such events (figure 1). Notably, during the 2018 PyeongChang Winter Olympics, organizers confirmed that a cyberattack occurred during the opening ceremony, temporarily affecting internet and broadcast services.3 While no critical operations were compromised in that incident, it demonstrated that determined attackers will attempt to disrupt event proceedings.
Nation-state actors have also targeted global events, usually with espionage or sabotage as motives.5 These sophisticated, politically motivated operations show how far nation-states may go to undermine the integrity of international events.
An attack during an event such as the Olympics or the World Cup guarantees worldwide attention. Any disruption (e.g., defacing a broadcast or knocking out a scoreboard) would be highly publicized, giving attackers notoriety through what is essentially a global billboard.6 The immense viewership and media coverage mean that even a brief outage or breach can have an outsized impact on the event’s reputation and public confidence. Attendees may question the safety and reliability of the event’s digital and physical infrastructure; viewers and fans could lose trust in the continuity and security of live broadcasts and online platforms; and stakeholders—including sponsors and partners—may doubt the organizers’ ability to safeguard reputational interests, sensitive data, and operational resilience. Attackers motivated by ego or ideology are aware of the publicity they could garner.7
In addition to direct attacks on event infrastructure, threat actors may also exploit the surrounding ecosystem. Phishing campaigns, ticket scams, and attacks on sponsors or partners often spike when big events take place. According to a UK National Cyber Security Centre (NCSC) study, 70% of sports organizations surveyed reported experiencing at least one cyberattack per year—a rate significantly higher than the average for enterprises.8 This underscores that major sporting events are on cybercriminals’ radars year-round. In one case, during the 2022 FIFA World Cup in Qatar, organizers partnered with private cybersecurity firms to bolster defenses. Microsoft, for example, supported Qatar’s cyberdefense by monitoring more than 634 million authentication attempts across tournament systems and infrastructure.9 The scale of that effort highlights both the enormity of the target and the level of protection required to secure a global event.
Best Practices for Securing Mega-Events
Securing a large-scale global event requires a comprehensive, multilayered approach. There are several best practices—spanning from strategic planning to technical controls—that security experts and auditors should consider when protecting large-scale, multinational events.
Rigorous Risk Assessment and Early Preparation
Event organizers must begin their cybersecurity preparations with a comprehensive risk assessment conducted well in advance of the event. This foundational step involves creating an exhaustive inventory of all digital assets and systems that will be relied upon, including official websites, ticketing and payment platforms, scoring and timing systems, venue IT infrastructure, Internet of Things (IoT) devices (e.g., surveillance cameras, heating, ventilation, and air conditioning [HVAC] systems, smart turnstiles), and communications networks. Each of these systems should be documented with clear ownership, data flows, and dependencies.
The next step is to identify critical assets—those whose failure or compromise could significantly disrupt operations, endanger attendees, or damage the event’s reputation. For each critical asset, specific threat scenarios should be developed. For example, what would be the impact if the real-time scoring system failed during a medal event? What if attackers exploited public Wi-Fi to spread malware to spectators’ devices? By visualizing such scenarios, security teams can better evaluate risk likelihood and severity.
Risk should then be prioritized using a formal methodology, such as a risk matrix or threat modeling framework (e.g., STRIDE, DREAD).10 For high-priority risk, actionable mitigation plans must be developed. These may include technical safeguards (e.g., network segmentation for scoring systems), process changes (e.g., enforcing change freezes close to the event), and backup strategies (e.g., offline scoring mechanisms).
Early stakeholder engagement is crucial. Event organizers must align early with the IT teams of venues, third-party technology suppliers, broadcasters, and cloud service providers. A shared threat landscape should be communicated across all parties, and joint incident response protocols should be established. As noted by RAND researchers, early engagement not only provides more time to remediate issues but also helps build trust and coordination across stakeholders.11
To support this proactive stance, organizers should:
- Engage cybersecurity consultants at least 6–9 months before the event to conduct architecture reviews and red team or penetration tests on critical systems.
- Conduct multiple rounds of vulnerability testing on high-impact systems such as ticketing databases, scoreboard controllers, and payment gateways.
- Implement supply chain risk management protocols, including:
- Vetting all vendors for security posture using questionnaires or third-party risk platforms
- Mandating security controls such as multifactor authentication (MFA), encrypted communications, and patch management
- Requiring compliance with industry standards such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 or SOC 2, especially for critical technology providers12
- Conducting spot audits or requesting security documentation (e.g., penetration test results, certificates of compliance)
Ultimately, by investing in early planning, testing, and cross-organizational coordination, the event security team can shift from a reactive posture to a proactive, risk-informed approach—significantly reducing the likelihood and impact of cyberincidents during the event.
Defense-in-Depth and Technical Controls
Given the high-profile nature of major international events, implementing a defense-in-depth strategy is not optional—it is essential. No single security control can effectively mitigate all threats. Instead, event organizers must deploy multiple layered defenses to reduce the likelihood and impact of cyberattacks.
Such a strategy comprises multiple key layers.
Network Segmentation
Dividing the event’s network into isolated segments is a foundational security control. For example, the scoreboard control system should be placed on a separate virtual local area network (VLAN) from public Wi-Fi, and the Olympics timing infrastructure should be isolated from the general internet. Firewalls and strict access control lists (ACLs) must be enforced between these zones. A well-designed segmentation strategy prevents lateral movement; even if one network is compromised, attackers cannot easily pivot to more critical assets.
Secure Configurations and Hardening
All servers, devices, and applications must be hardened based on security best practices. This includes disabling unused services, removing or renaming default accounts, changing default passwords, and applying the latest patches.
DDoS Protection
High-visibility events are prime targets for distributed denial of service (DDoS) attacks. All internet-facing assets, including official websites and video streaming platforms, should be protected by always-on DDoS mitigation services or services that can be activated quickly.
Endpoint and Server Security
Deploying endpoint detection and response (EDR) or extended detection and response (XDR) tools across critical servers, admin workstations, and sensitive infrastructure will provide real-time detection of malware and anomalous activity. Application whitelisting should be enabled on mission-critical machines such as scoreboards and broadcast systems.
Secure Communications
All sensitive data—whether in motion or at rest—should be encrypted using strong cryptographic standards. Access to sensitive systems, such as ticketing platforms or accreditation databases, must be through secure channels such as virtual private networks (VPNs) or zero-trust access solutions.
Continuous Monitoring and Threat Detection
A centralized security operations center (SOC) should be active throughout the event, utilizing security information and event management (SIEM) platforms to ingest and correlate logs from firewalls, servers, endpoints, and applications. Monitoring must include real-time alerts for known indicators of compromise (IOCs) and anomalous behaviors.
Incident Response Tools and Tested Backups
An effective incident response capability depends not only on plans but on having the right tools and redundancy measures in place. Pre-imaged laptops, spare switches and routers, and forensic toolkits should be maintained and ready to deploy. Crucially, air-gapped backups of all critical systems—scoring data, accreditation databases, event schedules, and ticketing records—should be available.
An air-gapped system is physically isolated from any external network, including the internet and the internal enterprise network. This makes it immune to remote malware propagation and ransomware encryption. In the event of a cyberattack, either in the form of ransomware or destructive malware such as Olympic Destroyer, an air-gapped backup ensures that organizers can restore from a last-known-good state without being forced to negotiate with attackers or risk reintroducing compromised data.
Threat Intelligence and Information Sharing
Threat intelligence should be leveraged before and during the event to stay ahead of threat actors. This involves working with intelligence agencies, commercial threat intel providers, and information-sharing groups. Many countries now have government cybersecurity units (such as the US Computer Emergency Readiness Team [US-CERT], the NCSC, etc.) that assist with events by sharing intel about planned attacks or known threat groups targeting similar events. By understanding the tactics, techniques, and procedures (TTPs) of likely adversaries (be it a nation-state known for targeting Olympic organizations or cybercriminal groups launching phishing campaigns), defenders can implement specific countermeasures.13
Ahead of the event, designated staff should comb dark web forums and social media for chatter about the event—this might reveal threat actors discussing exploits or selling access. During the event, new intelligence should be fed continuously into the SOC: If another league or event is hit by a novel malware, any organization should consider its own exposure. In essence, the event should be treated as an intelligence operation as much as a defensive one: Knowing the enemy, anticipating their moves, and sharing what is learned with trusted partners helps ensure that everyone benefits from collective knowledge.
An information-sharing framework should be established with vendors and partners involved in the event. If a vendor detects something suspicious on their end, they should know how to inform the central security team immediately. This could be facilitated by daily threat briefings during the event and a collaboration platform for all security stakeholders. Many major events now set up a joint security command center that includes cyber, where information flows freely between agencies (police, intelligence, IT security, etc.). The faster information is shared, the faster potential incidents can be prevented or contained.
Incident Response and Resilience Planning
Having a strong incident response plan is nonnegotiable. For auditors, a key question is: Has the event organization defined specific playbooks for likely attack scenarios? These playbooks should detail the steps to take in scenarios such as DDoS on a public website, a ransomware outbreak on user workstations, an unauthorized intrusion detected in a key network, or a leak of attendee data. For each, technical steps (e.g., isolate affected hosts, invoke DDoS mitigation, switch to backup systems) and communication steps (who informs leadership, should any event activity be paused, what should be communicated to media or attendees) should be defined. The incident plan should be tested and refined in exercises. For example, a drill can be conducted where the scoring system is presumed hacked an hour before a match—can the team restore from backups or switch to a manual mode quickly? Such drills build confidence and uncover weaknesses.
Resilience deserves emphasis: Despite best efforts, assume something will go wrong, and plan how the event will continue anyway. This might mean having manual fallbacks for critical operations. The Olympics, for example, have contingency plans to revert to manual scoring/timing if the digital systems fail, and paper check-in lists if the accreditation system goes down, so that events can proceed with only minor delays. In Super Bowl planning, organizers consider scenarios such as what would happen if the stadium's internet were cut, ensuring that critical local systems can operate offline if needed. By designing systems with graceful degradation (losing less important features but keeping core functions alive), the event can be made robust against shocks.
Another best practice is to have dedicated incident response teams onsite during the event, equipped to act immediately. This could include not only cybersecurity experts but also vendor technicians and cloud support engineers ready to rapidly troubleshoot and fix issues.
Finally, compliance with any incident reporting requirements must be ensured. If personal data is compromised, regulations such as the EU’s General Data Protection Regulation (GDPR) mandate notifying authorities and possibly affected individuals within tight time frames (e.g., 72 hours).14 The incident response plan should include notifying the appropriate data protection authorities or other regulators, and legal counsel should be in the loop to guide this process.
Compliance and Security Frameworks
Large events should align their cybersecurity programs with recognized standards and frameworks. This provides a systematic approach and assurance to stakeholders that best practices are being followed. Many organizing committees seek certification or assessment against standards such as ISO/IEC 27001 to demonstrate they have a comprehensive security management system in place. Implementing ISO/IEC 27001 means identifying information assets, assessing risk, and applying a rigorous set of controls (organizational and technical)—a discipline that can greatly benefit event security. Similarly, adhering to the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) can guide organizers through core functions: Identify, Protect, Detect, Respond, Recover.15 The NIST CSF is risk-based and can be tailored to the event; for example, under “Identify,” the event would catalog all critical systems, and under “Respond,” it would detail the incident response plans. Using such frameworks helps ensure that no major domain is overlooked (from physical security of server rooms to network monitoring to employee training).
Compliance with data protection and privacy laws is another pillar. Events often collect and process personal data of attendees (ticket buyers), athletes, volunteers, and staff. If the event touches EU citizens or is hosted in the European Union, GDPR applies strict rules on how data is managed and protected. Even outside of GDPR jurisdiction, event organizers typically choose to enforce high standards for privacy, both for ethical reasons and to avoid reputation damage from a breach. To comply, organizations should apply data minimization (collect only what is needed), ensure strong encryption and access controls on personal data, and have clear privacy notices and consent mechanisms for data collected during the event (for example, via mobile apps or registration forms). They should also be ready for data subject access requests or deletion requests, which can happen even during the event. Noncompliance can result in hefty fines: up to 4% of global turnover or €20 million under GDPR and negative publicity that could tarnish the event. Therefore, having a privacy officer or team to oversee data protection and coordinate breach response (i.e., if personal data leaks, how are users and authorities notified?) is a best practice.16
Finally, auditing and testing against these frameworks is important. Ahead of the event, audits can be conducted based on standards such as ISO/IEC 27001 or NIST’s CSF to gauge readiness. During the event, some organizations even bring in independent auditors to observe security operations and provide assurance, especially if required by insurance underwriters or governments. After the event, a postmortem audit is valuable to document what went well and what did not. Lessons learned can be fed into the next iteration of the security strategy.
Conclusion
In an era where every major event is a potential cybertarget, rigorous cybersecurity management has become as fundamental to event planning as crowd control or emergency medical services. Global events such as the Olympics and World Cup take many years to plan and cost billions of dollars. If hackers attack during these events, they could put spectators’ safety at risk, stop TV broadcasts with an audience of millions, and cause a loss of trust in the event organizers. These problems could ruin an event that took years to prepare, even if the attack only lasts a short time. The cases of past Olympics and other events show both the reality of the threat and the effectiveness of preparation: With the right measures, even state-sponsored attacks have been foiled or mitigated.17
Ultimately, the goal is to ensure that athletes can compete, spectators enjoy the show (whether in person or online), and critical operations run smoothly despite the attempts of adversaries. Achieving this goal requires a blend of cutting-edge technology and human coordination. Each event offers lessons for the next; by learning from incidents (such as the Olympic Destroyer attack or the London 2012 daily onslaught) and continuously adapting, event organizers can stay one step ahead. Cybersecurity for big events is an ongoing journey of improvement—but with careful management, it is possible to host even the world’s largest gatherings with confidence in the security of their digital stage.
Endnotes
1 Glick, B.; “Cyber Attacks Launched at London 2012 Olympic Games Every Day,” Computer Weekly, 22 October 2012
2 Microsoft Threat Intelligence, “Cyberthreats Increasingly Target the World’s Biggest Event Stages,” Microsoft, 3 August 2023
3 Grohmann, K.; “Games Organizers Confirm Cyber Attack, Won’t Reveal Source,” Reuters, 11 February 2018
4 SentinelOne, “Cybersecurity at the 2024 Paris Summer Olympics: Safeguarding the Spectacle,” 24 January 2024, ; Office of Public Affairs, US Department of Justice, “ Six Russian GRU Officers Charged in Connection With Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace," USA, 19 October 2020, Bohnert, L.; “Cybersecurity and the Olympics: Protecting the Digital Backbone of the Games,” BeyondTrust, 31 May 2024, ; Elgan, M.; “How Paris Olympic Authorities Battled Cyberattacks, and Won Gold,” IBM, 23 August 2024
5 UK Foreign, Commonwealth & Development Office, “UK Exposes Series of Russian Cyber Attacks Against Olympic and Paralympic Games,” United Kingdom, 19 October 2020,
6 Cisco, “The NFL Relies on Cisco”
7 Bohnert; “Cybersecurity and the Olympics”
8 National Cyber Security Centre, The Cyber Threat to Sports Organisations, United Kingdom, 2020
9 Microsoft Threat Intelligence, “Cyberthreats Increasingly Target”
10 Rand, “Olympic-Caliber Cybersecurity: Lessons for Safeguarding Major Event,” 2018
11 Rand, “Olympic-Caliber Cybersecurity: Lessons for Safeguarding Major Events,” 2018
12 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Joint Technical Committee on Information Technology (ISO/IEC JTC 1), ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection—Information security management systems—Requirements, Edition 3, 2022, Secureframe, “What is SOC 2?”
13 SentinelOne, “Cybersecurity at the 2024”
14 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation [GDPR])
15 National Institute of Standards and Technology, “Cybersecurity Framework” USA
16 GDPR.EU, “What Are the GDPR Fines?”
17 Glick; “Cyber Attacks Launched”; UK Foreign, Commonwealth & Development Office, “UK Exposes Series”
Krutik Poojara, CEH, CISSP
Is a cybersecurity expert with more than a decade of experience in securing applications, infrastructure, and emerging technologies. He currently serves as a senior security consultant at Verizon, where he leads initiatives to secure artificial intelligence (AI) implementation and protect critical systems. His prior work includes securing the software development life cycle at NerdWallet and protecting millions of users from malicious apps while at Google. He is a recipient of multiple awards, including recognition from Upsilon Pi Epsilon (ACM) for excellence in privacy research, and has contributed as a reviewer for leading cybersecurity books and certifications.