IGA panel urges tribes to get proactive about cybersecurity

Gaming tribes need to get ahead of cyberattacks through due diligence and proactive preparation, according to a panel discussion at this week’s Indian Gaming Tradeshow & Convention in San Diego.

Moderated by Melissa Aarskaug, vice president of business development for Gaming Laboratories International’s (GLI) Bulletproof cybersecurity division, the panel stressed cyberattacks are a fact of life and the only way to protect gaming operations is to stay ahead of the criminals.

Pointing to the current landscape, panelists emphasised that cyberattacks are taking on new forms as criminals find new ways to penetrate secure infrastructure. The panel featured four industry cybersecurity experts:

  • Scott Melnick, vice president of gaming security for slot supplier AGS
  • Stephen Bailey, vice president of information technology for Cache Creek Casino Resort
  • Oscar Schuler, chairman of the Alabama Tribal Gaming Agency Board of Regulators
  • Tom Wojinski, partner in Wipfli.

Cat-and-mouse game

Melnick noted that while IT systems have become more secure, ransomware criminals are increasingly targeting staff members. This strategy was used in the MGM breach, where systems were accessed by someone claiming to be the organisation’s help desk.

He said ransomware has evolved into “extortionware”.

“Pay the ransom, or we’ll publish the tribe’s personal information,” he said.

Cybercriminals “are evolving while we evolve”, creating a cat-and-mouse game.

No one knows this more than Bailey, who dealt with a three-week shutdown of Cache Creek’s gaming operations after a ransomware attack in 2020.

“(Cyberattacks) are very impactful, not just for IT departments, but for business as well,” he said, noting that one vital safeguard is having a really strong incident-response (IR) plan in place to understand, contain and limit the damage from attacks.

He and other panelists said the business credo should be advanced planning. This means IR teams and cybersecurity contractors should ensure companies minimise risk and have a rapid-response plan in place.

“We do penetration testing once a year, including social engineering,” he said.

Penetration testers actively test a company’s precautions by impersonating IT employees. One recent test, Bailey noted, saw workers repeatedly handing over their PINs and access to their personal information.

“You can have layers of security in place,” he noted, “but you can’t control people.”

Good cyber insurance is vital, stressed Wojinski – including for the carrier who will handle damage claims.

Melnick added that an operator’s incident-response plan is just as important as securing the network. He said companies should treat their IR plan as if they have already been hacked.

“I’ve done penetration tests one day and a new vulnerability appears the second day,” he said. “Having the IR plan in place is very important.”

Education is key

Education also is key, said Schuler, adding that tribal casino executives, regulators and employees should have the same education and same game plan.

Phishing incidents in which hackers impersonate company executives have become more sophisticated through the use of artificial intelligence.

That means unusual requests from so-called “executives” need to be scrutinised immediately.

This scrutiny should extend to an operator’s vendors, noted Wojinski, who urged operators to ensure their vendors meet or exceed their internal cybersecurity expectations.

Vigilance of all stakeholders will make it harder for hackers. “They’re looking for low-hanging fruit,” Melnick said. “Unless it’s a targeted attack like MGM, they’re not educated on their target.”

Bailey added that IT officials often face an uphill battle in securing safeguards, because IT is a non-revenue-generating function.

“It is always a delicate dance between keeping IT running and improving cybersecurity status,” he said. “It’s a delicate dance to maintain operations while maintaining security.”

In the end, panelists said, training and education, constant soft monitoring, focus on potential internal threats such as disgruntled employees, multi-level authentication and frequent audits will give operators the best chance to minimise their risk.
