21st-Century Cybersecurity: Getting Ahead Of The Hack


In this exclusive feature, iGF U.S. correspondent Lauren Harrison interviews former hacker turned online security specialist Greg van der Gaast to assess the escalating cyber threat to the gambling industry and explore why the current approach to cybersecurity is failing.

Despite ever-increasing investment, cybersecurity threats and attacks have become more prevalent, sophisticated and costly in the gaming industry.

In 2023, two of Las Vegas’s most prominent players–MGM Resorts and Caesars Entertainment–were paralysed by simultaneous, yet separate, cyberattacks, revealing just how much damage bad actors can inflict.

These breaches triggered starkly different responses: Caesars swiftly paid a US$15 million (£12m) ransom and resumed operations. MGM, on the other hand, refused to pay and is still suffering the consequences – most recently in the form of a class action suit won by consumers whose data was compromised due to the operator’s slow response to the escalating breach.

To date, the 2023 cyberattack has cost MGM over US$100 million (£80m).

And the situation is worsening.

Global cybersecurity firm Akamai Technologies, for example, reported a dramatic rise in gaming-related cyberattacks in Q1 2024, with bot activity quadrupling and web attacks–including Distributed Denial-of-Service (DDoS) assaults–soaring by 94 percent compared to the same period in 2023.

Meanwhile, the cybersecurity industry, currently worth some US$200 billion (£158.34bn) a year, is booming and growing at 9.7 percent annually.

With attacks escalating, experts like Greg van der Gaast argue the time has come to change the conversation.

Rather than playing an endless game of whack-a-mole with outside threats, he believes operators need to look inward and strengthen operations by addressing issues at their source, enhancing process quality and outputs, and reducing vulnerabilities.

Who Is Greg van der Gaast?

Time to change it up, believes hacker-turned-cybersecurity expert Greg van der Gaast

The 43-year-old Dutchman started hacking as a teenager and soon became one of the world’s five most infamous hackers after breaching a U.S. nuclear base during a test session.

This landed him on the wrong kind of watchlists.

And, after receiving what he describes as “the kind of employment offer you cannot refuse” from American authorities, he spent three years as a so-called “Ghost”, working under clearance from the U.S. Attorney General’s Office, undertaking “extra-legal activities”, reporting back, and being “paid wads of cash in car parks”.

Rebooting The Discussion

Today van der Gaast no longer considers himself a hacker.

Now based in Britain, he is a best-selling author, consultant and public speaker, leveraging his unique, inside knowledge to reshape the security dialogue.

“We. Us. We’re the reason the threat landscape has grown so vast – we’re feeding it through inefficiency,” he asserts.

“Most industries are focused on risk-management, trying to shield themselves from attacks. But they fail to address the internal weaknesses that make them vulnerable in the first place.

“If you look at mature industries like transportation, oil and gas, and healthcare, they figured out long ago that improving the quality of processes and operations reduces defects and security risks.

“Security is becoming more expensive–and less effective–because it fails to tackle the root causes.

“Instead of focusing on security processes, we must focus on security outcomes.”

Embedding Security

While working as a consultant for an insurance firm investigating cybersecurity claims, Greg found that companies that rely solely on technical cybersecurity measures, rather than integrated security frameworks, are six times more likely to suffer a breach than those with structured IT departments and high-quality operational processes.

“Security departments and consultants protect against outside threats, often using tech, but that’s not how it should work,” he stresses.

“Someone working in security typically reduces issues to tech because that’s their area of interest, but what is required is a holistic, company-wide approach.

“The reality is that cybersecurity is a dream job: nobody knows what you’re supposed to be doing or if you are doing it, and if you screw up badly enough, they triple your budget. There is zero accountability.

“Technology alone cannot address fundamental security issues. Security departments have a shopping list of tools they want but no long-term strategy.

“21st-century security demands a holistic approach, analysing every department and operational process to identify weaknesses and proactively strengthen security from within.”

Reducing Vulnerabilities

So, how can iGaming companies change their approach to security and reduce their operational vulnerabilities?

Van der Gaast believes that driving change doesn’t require a massive operational overhaul. But it does take time.

“It’s very simple,” he explains. “Every aspect of an organisation, from technology, personnel and processes, ‘ages out’ in one to five years. Instead of a radical transformation, companies should adopt the mindset of doing things properly from this point forward.

“The best time to start is now because real change takes time. And we’ve already seen that quick tech fixes don’t work.

“Building quality and security into every layer of the business can be a natural process that evolves.

“Start building today. Start operating with a high level of maturity in processes and quality. And you’ll slowly displace all the issues. Like your tech, they’ll age out,” he affirms.

“And in areas where it’s not possible to improve, at least you’ll be aware of where your weaknesses are.”
