Protecting companies and customers from cybersecurity attacks takes constant vigilance and creativity, industry experts said during the “Cybersecurity In Land-Based and Online Casinos” panel Thursday at the SBC Summit Latinoamérica at the Seminole Hard Rock Hotel & Casino in Hollywood, Florida.
“Not only is it a moving target, but we’re always a step behind,” said Gabriel Szlaifsztein, LATAM general manager for Continent 8. “Every time we develop new solutions, the criminals are very creative.”
The recent cybersecurity attacks on MGM and Caesars have other gaming operators re-evaluating how they can keep themselves out of the headlines by preventing an attack on their own operations.
“MGM provides a great business case. They had to file $100 million in claims with their insurance company. That covers their immediate losses, but not their long-term losses. What you didn’t see in the news is all the job-board postings for $100 an hour for consultants to come in to rebuild their infrastructure,” said Brent Hutfless, executive director of IT & security for Wind Creek Hospitality. “You have to ask yourself, ‘If we have a shutdown for 10 days, what will it cost us?’ Is it worth spending a certain portion of that on cybersecurity measures? It’s not enough for us to say we’re doing what we need to do, but that we’re also taking things seriously. So if we do have a cybersecurity event, we have something in place that our insurance company is looking for.”
Szlaifsztein agreed, saying brand image is important.
“None of us would want to have our website in the news because there was a breach. This means players won’t be confident in your website,” he said. “The best investment is to calculate the cost of a data breach compared with investment in cybersecurity. Many of us were surprised by MGM, because we assumed one of the biggest companies would have the best cybersecurity. You get more visibility, because you’re bigger. Your investment must grow as your business grows.”
So how does a gaming operator best protect itself against this new kind of criminal warfare?
“One of the things we ask is, ‘Do we have the skill set to do these things?’ If we’re going to take security seriously, how do we approach it? Do we hire staff? Do we partner with a firm?” Hutfless said.
Hutfless and Szlaifsztein said constant education of their staff is vital.
“We keep them aware of the various types of attacks. A lot of phishing attacks have gotten more sophisticated than the Nigerian prince,” Hutfless said. “You can create a very interesting message that looks legitimate, so people are interested in clicking on it. We’re constantly using an awareness program to make sure they know about these.”
“Training is very important. We not only make our own campaigns, but then we send our own phishing emails to test education,” Szlaifsztein added.
Technology is a crucial tool, Hutfless said. “We simply can’t hire enough people to look at all the anomalies. We see 800 million events a day. We don’t have enough eyes for that. We’re increasingly dependent on technology to help with it.”
While the cybersecurity focus is on tech-savvy criminals, E. Sequoyah Simermeyer, chairman of the National Indian Gaming Commission, said operators need to remember that they’re also at risk from low-tech attacks.
“Very low-tech criminals are preying on human tendencies,” he said. “We’re in a service-oriented environment, so something like a low-tech phone call can trick someone into giving out information they shouldn’t.”
Simermeyer also said that, from a regulatory viewpoint, working together is important.
“One lesson we learned from the pandemic is that tribal lawmakers need to work with operators and regulators to develop solutions. Another is working across jurisdictions and the importance of the industry as a whole adopting best practices,” he said. “We learned a lot by collaborating with U.S. government agencies and their resources. There is a responsibility across the industry to share resources.”