
Leon Allen: “88% of all data breaches in gambling are caused by an employee”

INTERVIEWS | 01 Feb 2024
Leon Allen

We catch up with Continent 8 Technologies Cybersecurity Director Leon Allen to discuss the recent attacks against the land-based and online gaming sectors, with bad actors exploiting vulnerabilities and looking to access private and sensitive user data. Vulnerabilities are a serious issue for gambling businesses, but the good news is that 88% of all data breaches could be traced back to an employee’s mistake, meaning that people have a greater role in ensuring that businesses are safe. As businesses face an increasingly challenging landscape, constant policy review and commitment to training employees is the gaming industry’s strongest bulwark against this ever-growing threat.

Q: Can you comment on the recent attacks against big gambling companies from the sector - Caesars, MGM Resorts, and even online platforms such as Stake.com, all got attacked over the past few months - what are your thoughts on this?

The gambling industry is one of the most heavily attacked industries, and this is clear to see from the recent spate of high-profile operators falling victim to the incredibly sophisticated and complex methods being deployed by cybercriminals. Why is it one of the most attacked sectors? There are several reasons.

This is a growing industry with a vast customer base generating billions of dollars in revenue each year. This makes it perfect for those seeking ill-gotten financial gain. What’s more, online casino and sportsbook operators often use multiple web applications and APIs, and this presents plenty of opportunities for attackers to gain access to their systems and networks.

That said, it’s important to understand that human error was to blame for the recent attacks, and this is something that we are seeing more and more. Statistics show that 88% of all data breaches are caused by an employee mistake, and this makes human error the biggest point of weakness for the majority of operators and suppliers.

This is why it’s so important for organisations to take a multi-layered approach to cyber security, and to ensure that all employees – from the board down – are made cyber aware through regular training. This is the only way to ensure true resilience.

Q: Is anyone safe - player data, company data? Are businesses and consumers in this sector coming to the realization that their data will eventually be stolen?

The recent high-profile attacks in our industry and others underline a critical shift in cybersecurity thinking. It is now a case of when an attack will be launched against an organisation, not if. It is no longer enough to hope for prevention; an organisation must be fully prepared for an inevitable breach with no business immune. Indeed, if the recent attacks are anything to go by, the bigger the business and the higher its profile, the more likely it is to fall into the crosshairs of cyber attackers.

This is why businesses must prioritise cybersecurity, and it requires buy-in and support from the very top of the organisation – whether the board or the C-suite. While this will come at a cost to any business, the losses incurred by a successful attack or data breach far outweigh the initial and ongoing investment required to ensure resilience. This investment should cover a multi-layered approach, taking in DDoS and WAAP protection as well as MDR/EDR and SIEM/SOC as well as the necessary employee training.

Resilience also comes down to the individual, with plenty of ways for employees to better protect themselves and the wider business from a cyber-attack. This includes using multi-factor authentication, keeping software up to date and using strong passwords. Of course, some employees will not be aware of these things without first being trained.

Q: How do we move on past this and what can companies do to restore public trust in their products? We saw MGM Resorts investors not really react that adversely to the news of the attack. From a business standpoint, investors seem to have developed a thick skin for this kind of thing, but this doesn't make it right for consumers.

After an attack, the organisation must review policies and best practices to avoid any repeats. Communication with employees and customers is also key – be as open and honest as possible and dedicate resources to supporting customers directly impacted by the attack or breach. By analysing the attack and learning from it, the organisation can strengthen its cybersecurity defences and prevent a similar attack from happening again – remember, the majority of attacks are successful due to human error, so improved training is often all it takes to significantly improve resilience.

The global online gambling industry is tightly regulated in the vast majority of markets and cybersecurity must be considered as part of an organisation’s compliance obligation. In regulated US states, for example, operators and suppliers are required to have specific infrastructure and processes in place when it comes to cybersecurity. Take Pennsylvania as an example which has requirements around having a board-approved information security policy which conforms to the standards of the most recent version of the NIST (a set of guidelines for mitigating organizational cybersecurity risks) cybersecurity framework. The West Virginia Lottery requires annual external Vulnerability Assessment and Penetration Tests (VAPT) to be performed.

Q: Are CTOs prepared for this level of threat or are they just realizing that they are occupying a position that would take a lot of hard work and effort?

Cybersecurity is an evolving threat, and it is incredibly tough to keep up with the ever-changing threat landscape. In most organisations, IT and security teams are overwhelmed and, in some cases, drowning. Alarming statistics reveal that only 4% of alerts are actually investigated, while nearly two-thirds of in-house teams suffer from alert fatigue. This is why companies need to work with cybersecurity partners such as Continent 8 Technologies, as this ensures they are prepared to take on the critical threats their businesses will face.

Q: Do you think the industry recognizes the urgency of the matter and what are the steps that can be taken to safeguard consumer and business data moving forward?

The industry is very much aware of the risks and threats it is up against, and the recent high-profile attacks have pushed cybersecurity to the top of the boardroom agenda. But cybersecurity isn’t new – at Continent 8, we have been protecting the industry for more than twenty years. But the sophistication and complexity of attacks are reaching new highs, and organisations must keep pace if they are to be truly resilient. Cyber attackers will continue to target the industry for many years to come, and every business must do what it takes to protect themselves because an attack is coming their way.


Image credit: Casino Guru News
