The NFL’s biggest game – and one of the largest sporting events on the planet – is just days away, offering millions the chance to be entertained for a few hours. Fans will be glued to their television sets to experience the drama, the competition and the showmanship. Will they be thinking about cyber threats? Probably not. But, surprisingly, business owners can learn some valuable lessons about cybersecurity from the Super Bowl.

The NFL is a business. And like many businesses, it works with a massive ecosystem of outside companies to deliver its product to the people. Thousands of third-party vendors – from the rented stadium, ticket sellers and HVAC-system providers, to the retailers and halftime show techs – are required to produce the show. Unprotected third-party vendors provide a path of least resistance for cybercriminals to sneak through the digital back door, potentially compromising safety, leaving data unprotected and creating havoc for organizations.

While 71 percent of companies feel confident their security activities are effective, only 32 percent require third parties to comply with their policies, according to the most recent PwC Global State of Information Security Survey. Furthermore, the study found that third-party security incidents are on the rise. In the past two years alone, the number of companies attacked rose from 20 to 28 percent.

Having a plan to deal with vendors is important, but it’s just one of the lessons to be learned from the Super Bowl. Here are five takeaways about cybersecurity every business owner can score from the big game:


1. Offense is easier than defense: Defense has an impossible job on the field. It can’t possibly prepare for every play the offense runs. As the old adage says, “The best defense is a good offense.” Business owners that arm their companies with a strategic offense will be less vulnerable to cyber attacks than those who are constantly trying to play defense against a multitude of threats. Remember: the bad guys only have to be right once to take down their targets.

2. It’s a people game: Technology takes center stage in the big game. Massive video walls, anti-concussion helmets and interactive capabilities allowing fans to order a hot dog from their seats are all part of the experience. But the reality is, the game is won or lost by people. Companies that become distracted by cyber defense technologies may erroneously believe they are safe from an attack. As long as the human element is involved, risk exists.

3. Winning takes continuous effort: Like football, cybersecurity requires work. While the Super Bowl is the punctuation mark on the season, both teams traveled a long, tough road to reach the championship. It’s not a one-and-done situation. In business, it’s tempting to believe that purchasing a firewall on any given Sunday and throwing it in a rack provides adequate protection. The fact is, cybersecurity and the management of cyber risks are never done.

4. Protect your assets: In a football game, there are only two things worth protecting: the quarterback and the football. The team that does the best job safeguarding these two assets wins. Likewise, in the business world, companies must identify their “quarterbacks and footballs.” Bank accounts, credit cards, identities, intellectual property and reputation are the five critical assets that need protection, and should be where all the energy is focused.

5. Teamwork: Businesses typically focus on their core competencies and outsource functions like payroll, banking, logistics and other specialized skills. As mentioned earlier, these third-party relationships can unwittingly pose a cyber threat by leaving the digital backdoor wide open. Organizations working with third-party vendors should clearly spell out their position on cybersecurity in all contracts and require regular audits for compliance.

Unfortunately, cyber attacks are not a matter of “if,” but “when.” Like football players, all companies will eventually get hit. The key to survival is being able to mitigate the damage and recover. Software alone, like helmets and padding for players, is not enough to protect organizations from injury. Players and companies must play smart by using proper mechanics and ensuring the entire team is on the same page.


This article was originally published in our monthly newsletter, Today's Cybersecurity Leader.