.svg)
Body
Credential stuffing, DDoS attacks and phishing are the most common cybersecurity threats to the UK online gambling industry, according to a report commissioned by the National Cyber Security Centre (NCSC).
However, ransomware, a type of malware that demands a bounty to restore access to a computer, is still seen as the most severe threat to the gambling sector.
“I think the sophistication is notably different from 12 months ago. Attacks are harder to detect than they were,” said one UK operator’s cybersecurity lead.
Operators flagged that these attacks have become more thoroughly planned and hackers are buoyed by the fact companies have increasingly been paying up when their services have been targeted.
The NCSC is a UK government organisation that was established in 2016 to help the private and public sector avoid cybersecurity threats.
The report is based on insights collected from interviews with nine chief information security officers and other similar senior-level executives, as well as data from an open-link online survey promoted via the Gambling Commission and other industry bodies.
Ransomware is seen as a severe threat due to the industry’s lack of ability to defend itself against possible attacks and their potential impact on operations as well as reputation, according to the respondents.
When asked what the biggest threat will be in the next two to three years, operators' responses varied greatly, including the manipulation of gaming outcomes, attacks on financial and payments systems and the proliferation of AI verified accounts.
One of the greatest varying risks the report identified for gambling operators is their reliance on third parties, with respondents using between 75 and 10,000.
Cybersecurity concerns around the use of third parties stem from the possible leaking of confidential user data, as well as internal cyber-attacks if the content they provide is compromised.
Operators that use multiple games suppliers are most vulnerable to these threats, according to the NCSC.
To avoid this reliance, some operators develop their own games in-house.
Alternatively, operators can run risk assessments, implement corrective action tracking software or undertake regular reviews of their cybersecurity compliance procedures, according to the NCSC.
Risks posed by third parties or supply chains are a frequent topic of conversation among industry cybersecurity stakeholders, according to one respondent.
“We've had internal audits specifically focussed on it from our internal audit function. There's been specific conversations about it at the board level. I think the challenge we've got, as do others, is that audits are great for compliance, but it's not really mitigating risks,” the cybersecurity lead said.
Credential stuffing, which is the use of fraudulently gained usernames and passwords from one compromised site to access another, was identified in the report as the most common and prominent cyber-attack in the gambling industry.
However, the key concern of industry stakeholders from credential stuffing was reputational, as opposed to financial.
During the start of COVID-19 pandemic in 2020, one gambling operator said its team dealt with a 600 percent increase in incidents for a few weeks.
The operator believes people were testing to see if gambling operators had the same controls available to them when staff began to increasingly work from home in the UK.
The NCSC said it will continue to work with the sector to identify new risks.
David Boda, chief information security officer for Camelot and chair of the Gambling and Lottery sector NCSC Trust Group, said: “The threats we see are diverse and dynamic, but not uncommon. Ensuring robust cybersecurity practices internally and across our supply chain allow us to not just protect player data, but ensures every player has a fair chance of winning National Lottery games.”
