There are a few occasions that we get a very apparent example of how important basic cybersecurity is, regardless of where you are, and this year’s National Football League draft is one such example.
For those who don’t follow the NFL or the draft proceedings, multiple draftees received prank calls during the process, although one in particular is applicable to businesses of all kinds. Let’s examine this situation to reinforce a few critical cybersecurity best practices.
To begin, let’s discuss what happened and the ramifications these events have brought.
In Short, an iPad Was Left Unlocked
In order to preserve security, draftees don’t use their normal phones to communicate with recruiters. Instead, a fresh number is used, and these numbers are only provided to the teams participating in a given draft. One of these teams was the Atlanta Falcons, who distributed this contact information to their staff… including Jeff Ulbrich, their defensive coordinator.
This contact information was stored on Ulbrich’s iPad, which was left unlocked.
A few days before the draft began, Jeff Ulbrich’s 21-year-old son, Jax, was using this iPad and came across Shedeur Sanders’ draft contact phone number. The younger Ulbrich recorded this number, and on the second draft day, sat with a friend who called up Sanders and posed as Mickey Loomis, general manager of the New Orleans Saints. The friend told Sanders that the Saints wanted him as their next pick, only to tell Sanders he would have to wait a little longer, immediately hanging up.
For context, Sanders (the son of the famed NFL player Deion Sanders) was anticipated to be among the first 32 players selected, but wound up waiting until 143 other players had been drafted to various teams.
With video of the call emerging online, the younger Ulbrich has apologized for his involvement, but that has not prevented the National Football League from fining Jeff Ulbrich $100,000 and the Falcons organization $250,000.
Clearly, This is a Bad Situation for Everyone
Fines aside—and these are not fines to take lightly—the ripples of this issue are going to be far-reaching.
The Falcons management will now have to consider how much they share with the elder Ulbrich, while they have decided not to take any action against their defensive coordinator. In addition, whether or not this call impacted Sanders’ ranking order, the salary difference between the first pick and pick 144 is $42.2 million over four years. Comparatively, Sanders’ image, name, and likeness gained him $5.1 million during his last college season.
Jax has since apologized via a social media post addressing Sanders directly.
What a Business Can Take Away from This Situation
There are a few lessons that can—and very much should—be learned.
The Principle of Least Privilege
The concept behind the principle of least privilege is to keep everything on a strictly need-to-know basis, which is something that the NFL did do. Sanders himself has expressed his surprise and confusion because of the phone number’s secrecy.
While not directly related, one of the best ways to keep business data secure is to treat it similarly and restrict access to only those who need it, and only as much as they need it.
Authentication is Important
As the iPad that Jax Ulbrich used to get the number was not password protected, it can almost be seen as lucky that it was only used to access a number for a prank. All devices (especially those used for work) should be locked down through stringent authentication measures to ensure that the data they hold remains private. If that iPad had been properly secured, this mess would not have happened.
Phishing Comes in All Shapes and Forms
It isn’t a stretch to see this situation as analogous to a phishing attack, as the only thing that really separates the two is the motive. As such, it serves as a great reminder to always try to confirm communications through a secondary source.
We’re Here to Help Your Business Avoid Similar Mistakes
While the stakes are undoubtedly different, you can’t afford to risk your business’ future by making these same errors. That’s where TG Technologies can help. We’ll review your business and ensure it is properly secured against threats, helping keep an eye on things to keep them out.
Learn more about our modern cybersecurity services by calling (778) 900-1646.