.svg)
Following a series of high-profile cyberattacks on gaming companies in the last 12 months, industry officials have said the combination of money and data possessed by operators continues to make them an attractive target for hackers.
Technology experts within the industry have said that the information possessed by the operators, as well as the operational and reputational risks associated with a high-profile hack, requires constant vigilance on the part of industry executives.
“[Hackers] know that the big thing for us is time is money, right,” said Jarvis Pelletier, vice president of IT and gaming systems for the Saskatchewan Indian Gaming Authority (SIGA) in Canada. “Any impact to our operations is money, so they know that that's going to be a hard impact to an operation if they're breached.”
He also added that publicly available data on revenue collected by casinos also gives hackers a clearer idea of what potential benefits could come from an attack.
“They can break it down, what's your daily GGR, and they can say, alright, let's see, a million dollars a day, we'll do a ransom of 5 percent at $50,000, and they won't care. They take advantage of that, so I think that's what makes it a little bit more attractive these days.”
“There's so much personal data that's being collected when customers come into a casino or engage with an online gaming business, providing a lot of information, there's not very many equivalents in everyday life where that's happening and you're surrendering that level of information,” added Lindsay Slader, senior vice president for compliance for GeoComply.
“So in turn, it becomes extremely valuable to the bad actors that may be trying to penetrate these systems.”
Last year, Las Vegas-based casino giants Caesars Entertainment and MGM Resorts both faced major ransomware cyberattacks that significantly affected operations. In Canada, a cyberattack on Gateway Casinos and Entertainment forced almost half of the companies 31 casinos to shut down for more than a week last April.
Pelletier and other technology officials speaking at last month's Canadian Gaming Summit said the increased prevalence of social engineering attacks, where attackers gain access through vulnerable employees by gaining their login credentials through phishing methods or other means, poses a particular challenge for companies.
“At the end of the day, they know that if an organization has 3,000 employees, that’s 3,000 attack vectors they can look at,” he said.
“I think [social engineering] takes the least amount of effort, really; they can run multiple attacks against multiple organizations,” added Anthony Ellis, chief technology officer for Las Vegas-based supplier AGS. “It's a low hanging fruit.”
Ellis added that although companies have been effective at stifling attacks through network intrusion, social engineering remains a new vector where companies still need to improve their efforts.
“It's the next evolution of attack threat,” he said. “We will get better at managing it, I've got confidence that we will build tools in the same way that we built tools for network intrusion.
“We will build tools for social engineering, and we will train our staff, and we will get through this.”
“The key thing is to remember that that weakest link is the people,” added Sunil Chand, a cybersecurity executive who previously served as chief information security officer for the Ontario Lottery and Gaming Corporation. “You need to help them understand the role that they play in the organization and protecting it.
“There may be 100 people, there may be 10 people, there will be five people responsible for security in an organization, but there's others out there who are part of the business, who are not just in tech, that need to understand that what they do in their daily jobs could impact an organization if they were to click on something that they shouldn't.”
Chand added that although he believed online gaming operators were in a better position to implement proper controls, brick-and-mortar businesses face a bigger challenge.
“There's technology out there that they're running that's maybe not updated, modernized, and that creates a larger attack surface,” Chand said.
“I'm not naive to think that there's not a huge investment that's required to bring those technologies up to par, but that's where I think the role of a CISO [chief information security officer] or someone who leads a security function has to identify those risks, and collectively, the business has to make a decision whether they're going to invest to remediate those issues, or they're going to accept it.”
Slader said that one benefit companies have in implementing stronger protocols is that customers have become more accepting of increased security measures as the prevalence of cyberattacks continues to increase in all facets of life, not just gaming.
“Anything beyond a login and password on an online gaming site, for example, may [previously] have been seen as costly friction from the operator's perspective, but also for the end customer, they don't necessarily want to go through this,” she said.
“I think it's now become so much more normalized that if they're asked to do some sort of multi-factor authentication or additional check … I think the general trend is that the everyday consumer is now buying into this, this isn't necessarily trouble, this is something that I want to make sure that my data, my identity, is secure and not a poor reflection of their consumer experience.”
