What the Patriots Can Teach You About Cybersecurity

Share with your network!


Spygate. Deflategate. Thousands upon thousands of Tom Brady and Bill Belichick memes. These are the things that the NFL — or at least sports talk — are made of. A recent investigation by ESPN’s Outside the Lines has set the Internet aflame and fanned the fires of this already smoldering controversy. And just when you thought you’d heard all there was to hear about these topics…we’re here to tack on a few more yards.


Time to look beyond the blustering, the finger pointing, the denials, and the invocations of the ideal gas law and get your playbook ready: These are the cybersecurity lessons the Patriots and their (alleged) machinations can teach you.

#1: IP and Proprietary Information Are Valuable to Your Competitors

At the root of Spygate were loads of accusations — and some admissions — that the Patriots had filmed other teams’ signals and subsequently used the information to improve their own game planning and execution. A healthy debate has persisted since 2007 as to whether the information moved the dial as far as wins and losses go. My take? It certainly didn’t hurt.

Sure, this is professional sports — but you don’t need X’s and O’s to illustrate how these practices might line up in the corporate arena. Would you want your competitors to gain access to your internal policies and intellectual property? Your roadmaps? Your plans for gaining an edge in the marketplace? No, no, and no. Because secrecy has its advantages, in football and in business.

#2: Social Engineering Is Easy and Effective

The ESPN article took a look at the historical aspects of the Spygate scandal and how it came to be that Patriots personnel managed to be in areas they shouldn’t be, cameras in hand, filming their competitors. According to the article, some basic social engineering tricks were all it took:

“…Patriots’ videographers were told to look like media members, to tape over their team logos or turn their sweatshirt inside out, to wear credentials that said Patriots TV or Kraft Productions. The videographers also were provided with excuses for what to tell NFL security if asked what they were doing: Tell them you're filming the quarterbacks. Or the kickers. Or footage for a team show.”

Yes, they were eventually caught. But their lies bought them time. And footage. And, according to many, maybe even a Super Bowl or two.

#3: A False Sense of Security Can Make You Careless

If you think that your hotel room, rented conference room, or other “home away from home” is off the bad guys’ radar, think again. And it’s best to remember that if someone wants something bad enough, a little garbage is nothing to dig through. These are the tales told by ESPN, which reported that Patriots’ staffers would search through visiting teams’ hotels in hopes of uncovering playbooks or scouting reports, and sneak into visiting locker rooms to steal play sheets.

The bright side for visiting teams is that they reportedly caught wind of the practice, with some coaches even leaving out phony play sheets to trick the Patriots. But, clearly, someone at some point (and perhaps many people at many points) were lulled into thinking that their temporary spaces were secure enough to leave sensitive information out in the open. It’s best to remember that Dumpster diving isn’t a hypothetical threat; your trash could be someone else's treasure if you’re not careful.

With Cybersecurity, Offense Is Your Best Defense

The end game in any organization is to reduce risk and protect assets. When it comes to cybersecurity, you absolutely need to have a strong defensive posture, but you should also be proactive: Stay on top of emerging trends and risks. Have a response plan in place should you ever face a serious breach. And get your employees off the bench — train them how to recognize and report potential threats.


Learn more about our unique game plan for changing behaviors and reducing risk. The Wombat Continuous Training Methodology takes a 360-degree approach to security awareness and training.