The gambling industry has been transformed by the eGaming sector. This sector is a great example of how new market segments can be created by disruptive technologies. However, the cyber security threats to this technology driven industry are growing ever stronger and have the potential to damage the future of this sector if customer confidence is broken.
The market valuation of the global eGaming sector is estimated to grow to approximately £40 billion ($50.65 billion) in 2017, doubling the sector’s market value in 2009. As money continues to flow, it makes it more attractive to cyber criminals as a small percentage is still a big number. Importantly, criminals are not always external, the threat is sometimes closer to home, in form of malicious insiders or careless employees.
From an external perspective, Distributed Denial of Service (DDoS) attacks remain a persistent threat to eGaming due to the predictability of peak website traffic during major sporting events. DDoS attacks are used to take a website offline by flooding the web server with more traffic than it can handle. This threat is evolving as attacks are becoming commoditised with DDoS services available from just £8 ($10) to £800 ($1,000) per day . eGaming organisations need to reassess their DDoS protection capabilities to confirm that they continue to be appropriate and whether they can scale to cope with either an increase in size or greater frequency of attacks.
Phishing attacks are also a significant area of concern because they play on human vulnerabilities. Attackers know that people are often the easiest way to target an organisation. We all share lots of information every day and attackers are harvesting publically available information to devise ever more sophisticated and credible emails targeted at specific employees, a technique called spear phishing. Attackers only need one click on a link in an email to release their malware and ransomware into the network. This can have devastating consequences on business operations as malware can disrupt critical systems and ransomware can encrypt vital data until a ransom is paid. Payment is usually requested in bitcoin, a virtual currency, which offers a high level of protection to the identity of the attacker.
The key to defending against ransomware attacks is performing regular backups of critical data, stored offline, to ensure it can be recovered even if the original data is encrypted. Having tightly controlled access rights, particularly for file servers, also helps limit the damage of ransomware attacks because only data which can be accessed can be encrypted.
Preventing phishing attacks on the other hand requires educational and awareness campaigns to keep employees vigilant for suspicious emails. Technical solutions such as email sandboxing, which open and test email links in a secure isolated environment, can also play a key role in stopping malicious emails reaching employees.
Traditionally organisations have focused on protecting their data from the external cyber threats that we have covered above. Threats posed by insiders have had less attention. Who do we mean by insiders? Insiders are essentially employees. The threats may come from malicious employees who want to steal data for personal gain or for revenge or it can be careless individuals who think they are above company security policies or may simply put data at risk by human error.
This threat is becoming more complex as employees are increasingly working remotely and accessing data outside of the traditional network perimeter. This makes it more difficult to understand what normal user behaviour looks like and it increases the risk of employees accidentally causing a data breach.
Data breaches caused by insiders have the potential to be extremely damaging. Insiders are trusted individuals who are likely to have access to a range of data, including potentially the most sensitive data that the organisation holds.
In addition, there is an interesting twist to the insider threat, which involves compromised insider accounts. Cyber criminals are increasingly trying to steal user credentials. Once a hacker has compromised a trusted user’s credentials they are effectively an insider. This can give unrestricted access to data until it is discovered that the user credentials have been compromised.
To combat the insider threat, organisations need to understand what level of access to data is provided to whom within the organisation, where that data is stored, what controls are in place to protect that data and what data is considered to be the most valuable.
Traditional security controls should be designed to restrict employees from accessing data they do not need for their job within the network, applications and databases. Privileged access, such as administrator or super user access, should be further restricted. The number of privileged users should be the minimal number that are needed for the size and shape of the organisation.
Access right reviews detailing user access levels, performed on a periodic basis, is a valuable control to ensure that employees maintain the appropriate access to data as required.
Detective controls such as monitoring account logs of individuals, are key to ensure that those users who have privileged access, are not misusing those rights. Maintaining and updating asset registers in line with an information classification policy would help to identify who should have what access to confidential information.
These on their own may not be sufficient to mitigate the insider threat. Data loss prevention tools and behavioural analytics are likely to become more common. Data loss tools are designed to restrict data that meets some pre-defined criteria from leaving the network. Behavioural analytics tools model what normal user behaviour (whether it be employee or customer) looks like in order to highlight what may be unusual activities, such as repeated access attempts to a customer database at 3 in the morning. Technology alone, however, will not solve this problem. Organisations will need to invest in security awareness training in order to educate employees about how to work in a secure manner highlighting the consequences of breaching security procedures. The insider threat appears to be growing generally and should not be ignored.
What new trends might we see moving forward? In the future it is predicted that we will see a rise in attacks against the integrity of systems and data rather than the traditional attacks against confidentiality and availability. We are already seeing examples of these types of attacks in the financial sector, a good example being the 2014 Carbanak malware attacks which stole between £240 million and £800 million by modifying transactions and redirecting payments to anonymised accounts.
Whilst these attacks are targeting financial services, it is likely that attackers will look at other sectors over time and this is something that the eGaming sector should have on its radar. For example, integrity compromising malware could be used to manipulate game parameters to make guaranteed profits, redirect transactions or adjust account balance information.
Defending against cyber-attacks may seem to be overwhelming but it is becoming an area of critical importance. You won’t be able to be 100% secure, however, by taking a pragmatic, risk based approach, focused security controls can be implemented to mitigate the threat posed to your most valuable assets.
Understanding and prioritising the most valuable assets is an important step which is not as easy to do as it sounds. Without consensus on what assets are the most valuable, critical data may not be protected by adequate security controls. Equally if organisations do not fully understand the cyber threats they face, investments cannot be focused in areas which are most vulnerable to attack.
Once you have prioritised what you need to protect against what threat, the next step organisations should take is to perform a gap analysis of their security controls against the threat. This approach will highlight areas where assets may not be properly protected. This forms the basis of the creation of a roadmap of remediation / augmentation activities that are designed to mitigate the risk to an acceptable level.
The eGaming sector has shown it’s resilience to adversity by continuing to grow year on year despite tough economic times. That same spirit needs to be used in the battle against cyber security threats in order to maintain consumer confidence and regulatory compliance. If this can be achieved then the eGaming sector can continue going from strength to strength.
© 2018 KPMG LLC, an Isle of Man limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.