According to the panelists on the session, “Gaming and Cyber Risk Best Practices – Mitigate Risk and Sleep Better at Night,” it’s not a matter of if a casino will be targeted by cybercriminals.
It’s when.
“There’s just a wealth of information that is right there for people who want to hack into your system,” said Onoo Po Strategies President Bennae Calac last week at the Indian Gaming Association Tradeshow and Conference in San Diego.
That ranges from data about an operator’s computer management system to a customer’s personal information. But despite precautions taken, all information seems to be vulnerable to cyberattacks.
For tribes especially, the data at risk is incalculable.
“Some of the impacts that I’ve seen are a loss of trust, reputation, historical documents,” said Calac. “A tribe I work with was threatened with everything; now everything’s gone. … They got hit three or four times.”
The remedy, according to Maxxsure Chief Risk Office Kevin Thomsen, is to view cyber as the way an investor, not a gambler, would. Thomsen noted that those intimidated by cybersecurity are “betting on your team to have the best possible solution for your budget.”
But gambling, Thomsen said, is not a sure thing.
“What do investors do about every decision? They run simulations,” Thomsen said. “Why isn’t financial leadership in tribal gaming doing the same thing in and around cyber? There’s the allocation of budget. How well does my cyber insurance perform? Do I have the right amount of risk transference? These are all natural topics for fiduciary leadership that we encourage the leadership in Indian country to take advantage of.”
Moss Adams Managing Director of Cybersecurity Consulting Troy Hawes said it’s important to be aware of a how much of a company’s IT budget is devoted to cybersecurity. Hawes said that as much as 20% of those funds should be devoted to combatting cyber criminals.
“When you think about everything you have to put into place – the hardware, the software, the system – things aren’t cheap,” Hawes said. “You have to think about training your employees and time spent. These are things that we have to spend money on. If you talk about it from a fiduciary standpoint, you definitely have to have those conversations.”
Calac said it’s important that tribes be told about the risks of not having strong cybersecurity protocols. “It’s so important for us to be proactive in ensuring that we understand safeguards and to have them in place. I’m going back to what my dad said: ‘We’re ultimately responsible.’”
Thomsen noted that across industries, cybersecurity is treated as a separate entity and that many companies rely on their IT teams to resolve situations. Many companies rely on software to prevent cybersecurity attacks.
“But there needs to be a deeper and elaborate conversation, specifically with the casinos and the tribes, about identifying what IT does,” Thomsen said. “People don’t even understand what IT does. It’s funny sometimes, but people don’t understand that.
“You want me to go play football, great. I’m a running back, I’m not a lineman, I’m not a linebacker. You need people in the right positions and not strap your resources.”
Thomsen noted that he was brought in after a company he worked with was hit by cybersecurity breaches six or seven times. Each time the demand by the cybersecurity criminals was for $6,000-$7,000 to restore the system “because they knew they were going to get the money. They needed to beef up their game and hire IT specialists,” Thomsen said.
Hawes added that there needs to be communication between IT departments and other departments. Often, cybersecurity threats are not taken seriously. “You have to talk, you have to understand, and a lot of that is education between departments.”
