TL;DR: The 2026 World Cup will span three nations, 16 cities, and millions of visitors, creating a highly interconnected supply chain of governments, transport, telecoms, hospitality, finance, and vendors that attackers can use to reach higher-value targets, according to SecurityScorecard. The lesson for security teams is that ecosystem visibility and third-party resilience now matter as much as defending owned infrastructure.
NHIMG editorial — based on content published by SecurityScorecard: cybersecurity risk across the 2026 World Cup ecosystem
By the numbers:
- The 2026 tournament will span three nations and 16 cities.
- NTT Corporation recorded approximately 450 million cyberattack attempts targeting Olympic systems during the 2020 Tokyo Olympics, held in 2021.
- The 2026 World Cup will involve millions of projected visitors.
Questions worth separating out
Q: What breaks when third-party access is not tightly governed in large event ecosystems?
A: When third-party access is not tightly governed, attackers can use the weakest supplier or contractor relationship to reach core operations.
Q: Why do large events create such a difficult risk picture for identity and access teams?
A: Large events multiply trust relationships across borders, organisations, and technology stacks, which makes identity governance harder to see and enforce.
Q: How do security teams know whether third-party risk controls are actually working?
A: They know controls are working when they can continuously identify every external party with access, show who owns that access, and revoke it quickly when the relationship ends or the risk changes.
Practitioner guidance
- Inventory all external access paths Build a complete list of vendors, contractors, managed service providers, and sub-processors with access to event-related systems, including hidden or inherited dependencies.
- Tighten lifecycle control for delegated access Review temporary accounts, shared credentials, and partner integrations for expiry, offboarding, and ownership.
- Test containment across partner boundaries Run joint exercises that assume a supplier or contractor is compromised and validate how quickly access can be revoked, routes isolated, and critical operations kept running.
What's in the full article
SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:
- How the company detects previously unknown vendors and shadow dependencies across an external ecosystem.
- The specific way threat intelligence and third-party risk data are combined to prioritise which exposures need action first.
- Why continuous monitoring matters when the vendor landscape changes faster than a periodic review can capture.
- How operational teams can separate meaningful signals from background noise during a high-profile event.
👉 Read SecurityScorecard's analysis of cyber risk across the 2026 World Cup ecosystem →
2026 World Cup ecosystem risk: what security teams need to know?
Explore further
Perimeter-first security is the wrong model for mega-events. The article shows that the real attack surface sits in the interconnected ecosystem around the event, not inside one organisation’s own network. That means a supplier, contractor, or managed service dependency can become the operational entry point even when the primary target is better defended. For identity programmes, this is a reminder that trust chains extend beyond formal ownership boundaries. Practitioners should treat delegated access as a governance asset that needs lifecycle control, not a static integration.
A question worth separating out:
Q: Who is accountable when a supplier compromise disrupts a multi-organisation event?
A: Accountability usually sits with the organisation that granted the access, the partner that failed to protect it, and the business owner who accepted the risk without a clear control boundary. Frameworks such as NIST CSF and third-party risk governance approaches expect defined ownership, documented escalation, and provable control over external access. Shared operations do not remove accountability.
👉 Read our full editorial: 2026 World Cup cyber risk exposes the limits of perimeter security