Tribal operations, including their casinos, are improving their ability to defend against cyberattacks, but continuously evolving threats compel tribes to remain vigilant.
That’s the message from Mike Day, Executive Officer of TribalHub, which will host its second-annual, free, virtual summit on cyber security on June 16. Navigating the Turbulent Cybersecurity Waters will runs from 8 a.m. until 3 p.m. Pacific.
The conference is geared toward a variety of leaders and decision makers within tribal government, health, gaming, and technology. This includes CEOs, CFOs, general managers, risk managers, regulators, tribal administrators, and of course, tech and cybersecurity executives, Day said. Even those working directly in commercial gaming can attend. More than 300 people registered for the cybersecurity summit a year ago.
Since November, when the FBI Cyber Division issued a warning stating that ransomware attacks against tribal entities have caused damages estimated to be in the millions of dollars, tribal governments, casinos, and health facilities have been under a heightened alert for cyberattacks. The attacks have caused disruptions, including temporarily shutting down casinos, theft of sensitive data like credit cards, and significant financial losses.
At the summit sessions, tribal leader and cyber experts will talk about everything from the basic pillars of strong security and cyber-budgeting strategies to cyber-insurance issues and specific cybersecurity services that are often best to outsource.
“This is all about improving security preparedness for tribes and understanding what they have to be wary of,” Day said. “From what we’ve seen in the past few years, not only are gaming and hospitality targets, but most tribes also process and store sensitive member health-care data, membership data, and other government information, all targets for theft. That data is valuable to the bad actors out there.”
In July, the National Indian Gaming Commission said that cyberattacks had jumped 1,000% since 2019. The issue came to even greater public awareness last June, when six Oklahoma tribal casinos were subject to ransomware demands, causing very public property closures. In August, the Ho-Chunk Nation in the Wisconsin Dells made the news as a cyber victim and the casino shuttered for four days. The Tesuque Casino in New Mexico also had to close for three days in September.
TribalHub has continued to address cybersecurity through educational sessions and a complete Security Educational Track at its annual TribalNet Conference. In 2021, it helped form the non-profit Tribal-ISAC (Tribal Information Sharing and Analysis Center) that helps warn, inform, educate, and prevent or mitigate cyberattacks for Native American tribes and all of their enterprises. Day said that sharing threat information and cyber security awareness among tribes has made a difference, despite the ever-increasing threats from nation states like Russia and hackers funded by governments.
“We’ve had members tell us that information sharing among Tribal-ISAC members has already saved their tribe from potential threats or breaches, helping them identify that they were in the process of being breached, and preventing further damage using threat information that had been shared with them,” Day said. “When specific threat information and identifiers were shared, they were able to quickly identify and mitigate the situation and it ended before it became a devastating business and financial disaster. That’s just one of the great values that sharing cyber threat information within a common community can provide.”
During the last six months, there have been numerous hacks and attempted hacks of casinos, but they haven’t reached the newsworthy level of ransomware attacks, Day said. The number of attacks hasn’t decreased; if anything, Day said they’re seeing more sophisticated tactics and attempts.
“At the same time, we’re seeing tribes and all organizations being a bit better prepared,” Day said. “Every week, a new threat intelligence report comes out about some widely used technology or software you need to patch. It’s never-ending and you need a team of technology and security people keeping up with it.”
Day said email phishing attacks have multiplied in the past year and become more personalized and sophisticated. It’s important for tribes to make sure they invest time and ongoing effort into an organization-wide security- awareness program, so all employees understand that if any email seems suspicious, they should report it to their security team and never open it, he said. Preparedness is essential when it comes to cyber security.
“Many of the breaches that have occurred most recently have had their impact significantly minimized simply by the affected organizations being prepared with properly secured and updated system and data backups,” Day said. “Many tribes and tribal casinos have invested in third- party 24/7 cybersecurity monitoring services. Their cybersecurity readiness is a little smarter, and thus, it’s gotten easier for them to recover from threats or breaches. Cybersecurity infrastructure is still very expensive and requires resources, but we haven’t seen as many casinos recently shut down for days or weeks on end, while figuring out how to safely get back in business and replace or recover data and systems.”
A daunting more recent issue facing tribes that will be addressed in the conference is cyber insurance. Lance Ewing, Vice President of Enterprise Risk Management and Operations for the San Manuel Band of Mission Indians, will lead a discussion on navigating the rising costs and changing landscape of cyber insurance.
“It’s become a real challenge. Insurance companies have created many new cybersecurity requirements in order to renew or underwrite cyber coverage,” Day said. “Many organizations are reporting that their insurance carriers are either dropping their cyber coverage or reducing the amount of risk they’ll take and amount they’ll cover. The number of new cybersecurity controls they’re adding to gain or maintain cyber insurance is significant and onerous. On top of that, costs are most often going up by factors of five to ten times year over year.
“The cost is dependent on the amount of coverage, but based on reports from tribes across the country, you should feel lucky if your cyber insurance cost has not at least doubled or tripled,” Day said. “Unfortunately, at some point and level of coverage, you really have to decide if the risk versus the benefit is worth it.”
Day said the cost increases are directly related to an increased number of large cyber payouts from hacks in recent years. A cyber insurance company may encourage or even demand that victims pay a ransom in a breach situation, because it will potentially lessen their total mitigation cost and risk, Day said. However, law enforcement and government officials very clearly state that tribes, casinos, and any organization should not pay a cyber ransom.
“They believe that ransomware payment is always going directly to a terrorist-type organization or encouraging and supporting further attacks and damage by criminals,” Day added. “Meanwhile, existing cyber-insurance requirements and policy may state that you have to give up control or decision making in a breach situation.”
Much of the success of tribes preventing cyberattacks in the last year stems from at least some technology staff dedicating time to cybersecurity, Day said.
“Now, you often have resources paying close continuous attention to network, data, and employee cybersecurity. And a lot more companies are offering SOC (Security Operations Center) services, so organizations can outsource some or all of their cybersecurity if they lack the staff, expertise, budget, or experience. Meanwhile, cyber products are continually improving and tribes sharing threat information with TribalHub members and through the Tribal-ISAC are doing a much better job of helping each other prevent cyber breaches. Both TribalHub and the Tribal-ISAC get the word out quickly when we see or are informed of any cyber threat to tribal enterprises. The message is simple. ‘This is what’s going on and this is what we know about how to identify it and prevent it. Get on it and get on it now. Don’t wait. If you wait, it may be too late.'”
The upcoming virtual cybersecurity summit is valuable even for smaller casinos that don’t have available resources and this is a free opportunity to learn, Day said.
“We will discuss cybersecurity from a business perspective, looking at the basic security pillars you have to put in place while focusing on best practices,” Day said. “We will also cover relevant security issues that are more difficult like working from home and the security requirements of multiple current data privacy laws. Additionally, we hope to give all attendees a better understanding of what cybersecurity services they should consider outsourcing”
For more information, to see the agenda or to register for the free Cybersecurity Summit, go to the website.
