As an industry, we have made great strides forward in the ongoing battle against cyber-attacks. New technology available on the market has helped to reinforce game providers’ security efforts. However, the onset of the Pandemic and the general lack of cyber security talent in the industry have created an increased risk factor that must be addressed immediately in order to secure the future of the iGaming sector.
We spoke with Dafydd Williams, Head of Business Development at BIG Cyber, to hear his thoughts on the growing need for cyber security solutions in the market and what is driving these changes.
The Pandemic caused cyberattacks to rise by 300% as reported by the FBI. Do you think this number will reduce as we ease out of lockdown into the ‘new normal’?
“The pandemic has created fundamental change in how people work, and many organisations have even realised cost savings as a result of this change so this, plus the latest polls of organisations, would seem to indicate that the new normal will still include remote working. Cyberattacks have not been dramatically modified to specifically address the new work paradigm so it is most likely that these attacks will not decrease. Remaining vigilant, monitoring your assets and resources, and evolving your security are just as essential now as they were pre-pandemic if you want to blunt the impact of cyberattacks.”
Cyber security is a global issue, regardless of industry. What are some of the gaming-specific challenges that you believe need the most focus?
“Identifying and Protecting Assets: From source code to physical casino gaming devices, gaming organisations must identify, classify, locate, and then appropriately protect their assets. For example, a quick search of common online auction sites will show that casino gaming equipment and internal components (including chips with game code on them) are easily purchased by anyone. By reverse engineering or planting malware on a chip and then getting it installed in a live gaming machine, an attacker can create new threat vectors for gaming organisations.
“Monitoring and Response: Often when an organisation is asked if they have experienced a cyberattack, they will automatically reply “no” but, unless you are consistently monitoring and triaging events on your infrastructure and endpoints, you will never know if you have been compromised. Gaming organisations are juicy targets for bad actors for several reasons, so 24/7/365 monitoring and triage of events and activity is critical; if you cannot afford to staff or equip a process like this then it is strongly recommended to find a third party to help.
“Cyber Resourcing: Like other sectors, gaming needs to take cybersecurity seriously by ensuring that proper security staffing and resourcing is in place today and into the future; with the global shortage of qualified security personnel, utilising outsourced security services can be an effective solution.”
Compliance can often be one of the biggest drains on an iGaming company’s resources. How can this process be streamlined whilst still enhancing cyber security?
“The phrase “you can’t know everything” is applicable here: regulatory or standards-based IT security compliance requirements can become overwhelming if your organisation has a multi-faceted business model (e.g., taking online payments, building products to resell, operating across different jurisdictions, etc.) so it can be wise to turn to third-party organisations who can help you to manage your various IT security compliance requirements. It is also recommended to map your various compliance requirements against each other (or have a third party help you to do this) because you can then quickly identify opportunities to build one security compliance solution and apply it across multiple security compliance frameworks.”
There are so many different forms of cyber-attacks being experienced in the market. Which types are the most dangerous for gaming companies and why? What can be done to mitigate the risks of these attacks going forward?
“The most prevalent forms of successful cyberattacks today are in the realm of social engineering attacks, e.g., phishing emails which are used as platforms for malware, ransomware, or other types of attacks. Most organisations today are very vulnerable to phishing, smishing, vishing, and spear phishing attack vectors and this is due in part to the organisations publishing senior roles within their company on public websites (including name, photo, and possibly contact information) and organisation staff sharing their job title, employer, etc., on social media.
“With these freely available and published data points, cybercriminals have a ready-made database of possible victims. It is difficult to change established organisational or personal behaviours and the attackers know this, but proper and continuous training of all staff can be a good start to address this threat vector.”
“Transaction-based attack vectors would be the second most worrisome threat in gaming in my opinion: API-based attacks, money laundering, and large numbers of small transactions are examples that can affect gaming. Monitoring, timely response and staff training are some effective countermeasures although there are obviously others.”
Many gaming companies may view the standard, off-the-shelf cyber security products as good enough to suit their needs, especially when the financial cost is less. What is the benefit of using a tailored 3rd party solution instead?
“When you watch the Tour de France you see a lot of people on bicycles moving at incredible speeds or climbing remarkably steep mountain roadways but each of those riders is sitting on a bicycle that was custom fit (or custom built) for them specifically; why use a custom bicycle? It has been proven that customising the tool (a bicycle in this example) can greatly improve the results.
“This is similar to using COTS (commercial off the shelf) software or hardware in a specialised industry: you will either recognise there are gaps in its usefulness or, more concerningly, you may not realise that you are missing features, functions, or capabilities that could provide far more effective outcomes for your organisation. Therefore, it is highly recommended to seek out security tools and services that are tuned to your sector.”
Editor’s Note:
After speaking with Dafydd, it’s clear that we’ve now entered a new digital world with both existing and new threats. It’s important to stay vigilant and adapt to the ever-evolving landscape. Social engineering and transaction-based attacks are on the rise, in the iGaming sector especially. Becoming aware of the threat is the first stage of defence but in order to roll out an optimised cyber security strategy, 3rd party solutions such as BIG Cyber are on hand to provide products specifically tailored to your needs, ensuring the safety of our industry.