In my favorite episode of “Seinfeld,” George Costanza’s boss with the Yankees, Mr. Wilhelm, notices that some shoes, bases, helmets and batting doughnuts have gone missing. After noting suspicious behavior from Costanza, Wilhelm shares his misgivings with Mr. Steinbrenner. Costanza is summoned to The Boss’ office, but the investigation quickly derails and he slinks off to nap under his desk another day.
But truth can be stranger than fiction. Look to the drama surrounding members of the St. Louis Cardinals’ front office, who were implicated in a recent FBI investigation after allegedly hacking into the scouting network of the Houston Astros. When you dig into the details, the plotline seems utterly Seinfeldian.
After Cardinals General Manager Jeff Luhnow and a few other staffers left the organization in late 2011 to join Houston, some remaining members of St. Louis’ front office suspected that their former colleagues had left with sensitive information. Having no way to prove it, they allegedly dug up a master list of passwords Luhnow left behind, tried them against Houston’s networks and were able to gain access.
This initial breach is reported to have happened in 2013. In 2014, sensitive information from Houston’s network, including details from discussions with other teams about potential trades, was anonymously posted online. This was the first time Houston became aware that its networks had been compromised, and it prompted Luhnow to revert to using pencil and paper as his primary mode of recording scouting conversations.
Start regarding your data and insights as assets that are worth stealing, and protect them accordingly.
ESPN The Magazine and ESPN.com recently set out to rank the 122 professional sports teams across the four major U.S. leagues on the strength of their analytics staff, buy-in from executives and coaches, investment in biometric data and how much the team’s approach is predicated on analytics. The Astros ranked No. 2. You can imagine how difficult it must be for an organization fully committed to an analytics-based strategy to operate via pencil and paper.
A single intrusion into a strategically vital scouting network can damage an entire organization’s competitive edge; this had been going on for more than a year. If this kind of critical failure to protect core organizational assets had happened at a Fortune 500 company, the CISO, CIO and CEO would immediately be in the hot seat, and we could expect more than a few firings.
As if Houston’s breach wasn’t bad enough, it gets worse when you look at what allegedly motivated it on St. Louis’ end — the prevailing suspicion by Cardinals staffers that its own intellectual property had been stolen. Professional sports teams now collect and maintain a trove of highly sensitive intelligence, which serves as a lynchpin for developing a successful scouting strategy both within the organization and across the league.
The digitization of this data has created new risks for which security hasn’t been fully developed or provided. If a little bit of spite and dumb luck is enough for an outsider to find their way into sensitive troves of data, how easy do you think it would be for a privileged insider to gain access to the sensitive scouting and personnel files on a team’s network?
Organizations are woefully ill-equipped to detect an intrusion from the inside, let alone handle any kind of serious forensic investigation to prove who orchestrated it. St. Louis very well may have been victimized by an exiting staffer taking proprietary information along with them upon leaving the organization — it happens all the time across industries — but they were not in a position to know.
So, how do they prepare for that scenario? Baseball and other leagues must start by learning how information-sensitive industries approach the problem and identify successes elsewhere to find the right way forward. Take Formula 1 racing. The industry overcame its own embarrassing espionage scandal in 2007 and, in the intervening years, has seen top automotive design teams like McLaren, Ferrari and Williams completely revamp their approach to the protection of sensitive designs and other intellectual property in order to prevent them from falling into the hands of the competition.
If the biggest lesson sports organizations are taking away from this situation is “Don’t play fast and loose with setting passwords,” they’re not seeing the forest for the trees. Odds are, employees within just about every organization make mistakes on the network that can have far-reaching consequences. Worse yet, trusted members of the organization could be willfully and maliciously downloading and sharing sensitive scouting information to people outside the network.
Sophisticated corporate information security practices across sensitive industries like banking, healthcare and manufacturing employ many layers of protection to balance technology-driven solutions with a strong culture of innovation.
Sports teams — and any organization with sensitive intellectual property to protect — must approach securing their assets with the same mindset and level of commitment. To be actively aware of what is happening on the network, they must think and act like technology companies.
To properly protect core assets and intellectual property, look beyond playing defense with your network perimeter. Start regarding your data and insights as assets that are worth stealing, and protect them accordingly.