A gaming operation could spend a billion dollars to deter an attack, but without effective internal defenses and a comprehensive, well-rehearsed plan outlining clear attack remediation and recovery steps, operators will find themselves exposed and unprepared when an incident occurs.
This new reality means leaders in the gaming industry must adopt a philosophy that we call “assumption of incident.” Casinos can no longer hope to achieve flawless cyber security across their sprawling network perimeters. It’s a sad truth: enterprise networks must be considered semi-permeable. Operators must be ready to respond to an attack. Some security experts call this notion “assumption of breach,” but this only captures incidents of improper access to confidential data. Assumption of incident reflects the various other risks facing gaming businesses, including gameplay hacks, theft of electronic funds, money laundering, and cyber attacks that knock online gaming operations offline or cause full-on business disruption.
Gaming industry security programs must be based on the assumption that cyber incidents of all kinds can and will occur, and that companies must be prepared to fight, survive and recover. Optimizing cyber defenses, while being ready to respond to and recover from an incident, is better known as “cyber resilience.”
In practice, this means hunting for signs of intrusion, performing rapid damage mitigation and rehearsing plans for a quick rebound. At the heart is a dedication to resilience, because the games must go on, the money must be safe and the players must have confidence in the game and the house.
Below are three key pieces of advice for a realistic, budget-friendly and effective cyber resilience program for casinos in today's "when-not-if" environment:
Know your greatest risks. It all begins with knowledge. You have to address your greatest risks first and budget the greatest proportion of resources to those areas. Your first inclination may be to think about slot machines, chips, and the cash and accounts on hand. Yes, these are valuable assets that need to be protected, powered on and uncompromised. But what if table games were forced to close, too? What if the data casinos hold on players and patrons were compromised? In a cyber risk assessment, appropriate questions include: Is gameplay code stored securely? How is the personal information of players protected, both in the gaming environment and on the networks of the hotel, retail operations and restaurants? Are there internal network barriers (segmentation) that prevent an intruder from pivoting from the point of entry into your digital vault? Company leadership, legal counsel, compliance executives, IT and human resources professionals, and security experts must work together to identify where sensitive and regulated data is stored and make sure those systems are tightly controlled in accordance with the current threat environment and business needs.
Have a plan for disasters. In a data breach scenario, seconds matter. This is not the time to figure out who to call, what to say and how to avoid additional damage. Writing and practicing an incident response plan gives a gaming organization the power to act immediately in case of an attack. Often this includes identifying a team of first responders. The same multi-disciplinary group that worked together to identify valuable data should be involved, plus public relations executives. For gaming companies, particular care should be given to PR, third-party assistance and getting the business back up and running.
Public relations and crisis management professionals should be an integral part of the incident response plan, ready to begin providing counsel immediately following the discovery of an incident. For casinos, reputation is everything. To attract and keep players, customers must believe games are free from tampering and that the money in play and in their accounts is safe and secure. Competition is tight and trust is a major factor.
Outside legal and technical counsel are particularly valuable in the highly regulated gaming industry. If you wait until the gaming commission is headed your way or a lawsuit is filed to bring them on board, it's too late. That's because one of the primary advantages of engaging third parties is the opportunity to extend legal privilege to an investigation as it's happening: when the technical investigators are retained through outside counsel, their work may be conducted under privilege from the outset rather than becoming discoverable after the fact.
Business continuity considerations include planning for the immediate and forensically sound preservation of logs and affected systems to avoid additional losses, keeping copies of essential data stored elsewhere (and periodically restoring from them to confirm the copies actually work), back-up power supplies and back-up servers.
Create a culture of resilience. People are security's weakest link. Simply clicking on the wrong e-mail or accessing a critical system from an insecure Wi-Fi network can set off a chain of disasters. Cyber security has to become central to core business operations and be practiced throughout the enterprise; it cannot depend on a single tool or on the IT group alone. Therefore, casino leadership must evangelize and incentivize security throughout the company. Leadership must take what they've learned in the risk assessment and use the incident response team to create strong, multidisciplinary security policies that complement existing operations and culture. Many of our clients create a security committee, with a multidisciplinary composition similar to the one described earlier, that meets quarterly to review security issues, consider security policy and practice, and prepare updates for the board. It meets more often if an issue arises.
The gaming industry has the attention of cyber criminals. Like retailers, a casino holds payment transaction information related to buying chips, hotel rooms and food. Like a bank, it manages the storage and transmission of vast amounts of money. Like a cryptocurrency operation, gaming businesses may offer the possibility of anonymous transactions through the use of chips. These risks could lead to paralyzing cyber incidents, and no one has the budget to guarantee cyber-attack prevention. The best answer to these challenges lies in accepting that at some point, failure is inevitable. Prepare the board of directors, the CEO and all levels of your company's operations for it. Scream it from the hilltops: the worst can happen, and there's no doubt something bad will. The time to prepare is now. Ignoring the inevitable will only ensure more serious consequences when it occurs.