Detect; Respond; Recover

Cybersecurity is not a game.

As originally appearing in Canadian Gaming Business magazine.

It’s 2017. Everyone should be aware by now that no industry, government body or institution is immune to cyber-attacks. Malware, ransomware, data dumps, hacks, phishing – these attacks and others like them contribute to the threat landscape for casinos, online gaming providers, and lottery organizations; and this threat landscape is as vast as it is complex. IBM reported that ransomware attacks were up 6,000% in 2016[1] – the staggering rise in frequency is scary enough on its own, but when applied to an industry worth hundreds of billions, such as gaming, it’s plain to see why such crimes are attractive to hackers, and a huge threat to business operators.

While the threats listed above are not specific to any one sector, there are types of threats that are targeted specifically at sectors within the gaming industry. While it’s obvious for casinos that protecting the money-making slot machines and their surveillance systems is a top priority, there are areas that can be open to hacks: stores, hotels and restaurants that most often accompany the casino gaming floor. For lottery, ticket terminals can be susceptible to malware or ransomware, rendering them inoperable. It’s even possible that hackers can attempt to steal the algorithms of scratch tickets. In online gaming, the crown jewels that attackers are after are the credit card numbers and other personal information that customers provide when they sign up for an account or make payments.

Professionals in the cybersecurity space preach that basic security hygiene can go a long way in preventing attacks, or at least in minimizing the impact when an attack occurs.  This basic security hygiene includes establishing a security program, establishing a risk management process, identifying the assets that need protection, establishing and maintaining secure configurations on systems, good data backup and recovery processes, good anti-malware controls on endpoints (laptops, desktops, servers), and having good network perimeter security controls.  An often overlooked security vulnerability is the human factor; proper security awareness training that help staff identify and report suspicious events is paramount to security.

Not all defensive measures are created equal, and there is no silver bullet solution to preventing all attacks. Every day, hackers are getting savvier. The cutting edge security measures of today could very well be broken tomorrow. As an additional precaution, many businesses have cyber insurance, but is that enough to protect your business entirely? While it may help to reduce the financial impact of a cyber breach, it doesn’t necessarily reduce reputational damage or the loss of consumer confidence following a breach; these two aspects are largely unquantifiable, but extremely valuable for any business.

Before it’s too late…

Above all, following best practices and frameworks should be a given. A useful resource is the Cyber Security Framework from the National Institute of Standards and Technology (NIST). There are also protective measures that are gaming-industry specific. The World Lottery Association has produced a Security Control Standard based on ISO 27001. It provides a framework of controls specific to the lottery industry, and any lottery operator can seek to obtain this certification. While these are just two examples, we recommend adopting one or more of these or other similar frameworks as a way to educate yourself on the latest trends and threats, and as a way to show your Board of Directors, staff and patrons that you take the security of their information seriously.

Diving deeper into prevention, consult professionals to ensure your operations not only meet, but exceed requirements. For example, a legal compliance review done by professionals with industry expertise can help review your policies, contracts and service level agreements with third parties. We highly recommend a security process and technology review as well, to ensure your information security processes, systems, network architecture, and data storage elements meet industry best practices and regulatory standards.

We’ve seen recently that attacks have happened to even the most sophisticated of infrastructures. The extent of the damage though, is often a result of how the initial threat is handled. It’s only human nature to panic or succumb to the threat (which is largely why ransomware has been such a successful tool for attackers). Developing an Incident Management Process or Breach Response Plan is important to help everyone remain calm and focused when responding to an incident. Such plans can become the guidebook on how to navigate a security incident without losing your head in the process. Like a communications or strategic plan, Breach Response Plans should be crafted and tested in advance, so they are given proper thought, and all pertinent stakeholder groups are considered and involved.

Detect. Respond. Recover.

Like “reduce, reuse, recycle” is the unofficial mantra for environmental practices, “detect, respond, recover” should be your slogan when it comes to cybersecurity incidents. There are a number of signs you should watch out for when it comes to cyber-attacks, such as (but not limited to):

  • Obvious sign:  A ransomware screen pops up on an infected system stating that files are being held hostage and a ransom is demanded;
  • Less obvious sign:
    • systems behaving erratically, even crashing;
    • An abnormally high volume of network traffic hitting your Internet-facing servers; and/or
    • An abnormally high number of failed login attempts on servers or network devices.

You’ve been hacked. What now?

It’s impossible to deal with such situations alone. Plain and simple: there are three key professional teams you need on your side in the instance of an attack: a legal team, a PR team, and a cyber security team. Have these teams on hand, and ensure they are briefed on your current practices, management team and risk tolerance now. We want to emphasize the “now”, because if you have to catch these professionals up to speed on your organization, and then elaborate on the threat while the threat is in your systems, it might be too late. Valuable time gets lost in the information sharing that could have been engaged in eliminating the attack.

Law firms are invaluable in that they will help you maintain client-attorney privilege. The right law firm can work with your insurance companies on your behalf to ensure breach response works with insurance policy requirements and of course, provide litigation defense, should it be needed.

It’s obvious that reputational damage could be irreversible in such instances. Needless to say, public relations professionals can help craft your messages, communicate what’s necessary, to whom, and when needed, and can manage your brand throughout. It has actually been demonstrated that negative events may, if managed properly, ultimately even improve a client’s reputation if the response is dealt with appropriately (not that we recommend this avenue for brand improvement!).

What may be the most important of all, is dealing with the actual threat. Crisis management coordination and forensic efforts can help detect and remove harmful external agents which may remain inside your systems.

We’ve heard many industry leaders and security experts discuss the thought that in this day and age, attacks are unfortunately imminent. It’s not about ‘if’ they will occur, but ‘when’, given the advanced skills of these criminals and the prospect of such lucrative paydays. So have the conversations with your stakeholders, enable preventative measures, and have other professionals at the ready. Leave the game of chance to your patrons, not your security procedures.

We would like to acknowledge Peter Czeglady of Aird & Berlis, and David Greenham, of Richter Advisory Group for their contributions to this article.

[1] http://www.cnbc.com/2016/12/13/ransomware-spiked-6000-in-2016-and-most-victims-paid-the-hackers-ibm-finds.html