The casino industry shared information about cybersecurity protection at a tribal technology conference last week in San Diego and attendees expect those conversations to continue in Las Vegas when the Global Gaming Expo kicks off on Oct. 9 with a newly added session on cybersecurity.
The TribalNet technology conference, which set a record for attendance, offered nine sessions dealing with cybersecurity, along with panel discussions on gaming technology that also touched on the topic in the wake of the hacks at MGM Resorts and Caesars Entertainment. MGM, which said it returned to normal operations Wednesday, lost up to $8.4 million a day in revenue and extraordinary expenses, while Caesars paid a $15 million ransom.
Patrick Tinklenberg, vice president of IT at Sycuan Casino Resort in San Diego and an advisory board member of TribalNet, the host of the technology conference, said no one wants to be confronted by ransomware, but the hacks were perfectly timed for the conference and G2E.
“Every time you start conversations in forums like this, where everybody can share their experiences, the tools and strategies they use, and procedures and personnel they have in place, it makes everybody better,” Tinklenberg said. “The more we talk about it, the better off we are. The big thing people were talking about was how to make sure it doesn’t happen to us, that frontline people are well trained and aware of the risks of granting access to systems and how to defend against phishing and social-engineering attacks.”
Tinklenberg said they are “always hyper aware” of cybersecurity at Sycuan and they’ve had their anxious moments. Every casino believes that if they haven’t had an incident, they’re due for one and want to make sure it’s not as significant as what happened to MGM.
“They say they’re back to normal, but I’m not sure what that means,” Tinklenberg said. “They’ll be dealing with this whether it’s technologically, operationally, or reputationally for a long time. I can’t imagine what G2E will be like for them.”
MGM CEO Bill Hornbuckle will be interviewed by CNBC journalist Contessa Brewer on Oct. 10, in which the company may provide more detailed updates of the hacking. No cybersecurity sessions were originally on the G2E agenda, but one dedicated session was added this week.
Set for Oct. 9 on the first day of the conference is a session titled “The Latest in CyberSecurity: What To Do Now To Reduce an Attack and Recover Quickly.” It features Glenn Wilson, chief information security officer with the San Manuel Band of Mission Indians, and Jonathan Fairtlough, a principal at KPMG Cyber Response. Fairthlough appeared at the TribalNet conference as part of a deep dive on the Las Vegas hacks, a session closed to the media.
“Recent news of ransomware incidents at gaming and other companies has once again highlighted concerns for cybersecurity among stakeholders,” according to the session agenda for G2E. “Customers, operators, employees, and regulators worry about lost revenues, stolen data, compromised systems, and the pain of responding to – and recovering from – an attack. Because cyberattacks haven’t slowed and won’t stop, this session will cover how gaming companies can best mitigate the risk of an attack, including internal systems and processes, third-party protections, and insurance, plus considerations for response and recovery that can be implemented today.”
Another session that could touch on cybersecurity is also on Oct. 9, “Emerging Global Financial Crime Trends.” Cyber, however, isn’t mentioned in the description.
“I expect this conversation to continue and wouldn’t be surprised if it’s still the number-one topic of conversation going into G2E,” Tinklenberg said. “I’m sure there will be a lot of wild speculation, but also good candid conversation about how to make sure this doesn’t happen. I’m on the board of Tribal-ISAC, the tribal Information Sharing and Analysis Center, and one of the things we do is share information. We hope that within the bounds that they can, MGM will share what happened and how they remediated it. A lot of casinos are talking internally about this, but it won’t be in a forum until everyone is together and can start sharing information among themselves. G2E is a great place for that, because you get more of the commercial side.”
By G2E, Tinklenberg said the industry may know more about MGM’s response and changes in how they operate, as well as further revelations about the Caesars hack that netted customer personal information.
“They don’t know for a fact that that information isn’t out there,” Tinklenberg said. “That information just doesn’t just disappear. Even when you pay that ransom, things on the internet live forever.”
As for tribes, the timing of the attack, just as 2024 budgets are being finalized, should help information-technology executives get more funding for cybersecurity, Tinklenberg said.
“I had my first budget meeting with my team and the first thing I told them was we’re asking for more resources to beef up cybersecurity. We’re going to look for some additional tools to help us with the kinds of things we saw with Caesars and MGM. A lot of it is staffing and training and some of it is third party. The more folks you have looking at your systems and helping you with this, the better off you are. Most mature IT organizations in charge of cybersecurity understand that they can never have enough people looking at all the events coming in all the time.”
Tribal cyberattacks jumped in 2020 and continued into 2021 and some tribal casinos were shuttered for days after the attacks. But those have slowed since. Tinklenberg credited that to information sharing and tribes better defending themselves to be less exposed.
“Some of the initial ones were situations we could have been better prepared for,” Tinklenberg said. “Those have gone away, but the attacks are now focusing much more on schools and health-care facilities. Health information is way more valuable than financial information, but that doesn’t mean there isn’t a time when tribal casinos are seen as vulnerable again.”
The lesson that will be learned from the attack on MGM is that it isn’t just about throwing technology and a large number of people at a problem. Training and policies are vital to dealing with cybersecurity.
“They will probably reevaluate some of their third-party agreements on IT outsourcing and reevaluate how people have access to sensitive information and systems if those were part of how this happened. And I’m certain that training will be happening from top to bottom about cybersecurity awareness, safe behaviors, and defending against threats.”
TribalHub CEO Mike Day said that a record 1,400 people attended the San Diego conference, of whom about 700 were non-vendor attendees from tribes and tribal enterprises, beating the previous mark of 580 in 2022 in Reno. There were 172 exhibitors, 25 more than in 2022. As many as 20 vendors had a focus on cybersecurity.
“More organizations are understanding that technology is the engine that makes your tribe go, whether it’s the casino, hotel, health clinic, or government,” Day said. “It’s used in marketing, data, and analytics, and because we have so much technology, we need to secure it with cybersecurity.”
The 2024 conference will be held Sept. 16-19 at the Westgate Las Vegas. It was last held in Las Vegas in 2018, then Nashville in 2019, Dallas Metroplex in 2021, and Reno in 2022.
“It’s going to be bigger,” Day said. “We already have a great number of our exhibitors signing up and filling up our regional events throughout the year and want to be a part of what we’re doing.”