For most of 2020, when brick-and-mortar casinos were forced to close due to the Covid-19 pandemic, one of the few ways for operators to maintain cash flow was online betting.
Though the Covid threat has faded somewhat, iGaming continues to expand. Marketing analysis firm Technavio estimates the market will grow by $114.21 million from 2020 to 2024. More than ever, cybersecurity is a critical issue for casino operators, and their patrons too, who want to feel assured that their online information is secure and their personal account data, including social security numbers, is protected.
“Online gaming has increased in popularity with people at home and doing things remotely,” said cybersecurity expert Justin Wray, director of operations and security at Indianapolis consultancy Core BTS. “With the rise of online gaming, the threat landscape is increasing too—not just the potential for the casino to be targeted, but their customers as well.”
When it comes to cyberattacks, he said, casinos are no less vulnerable than any other business—and may actually lure more hackers.
“We hear businesses say they aren’t data companies, but in reality, IT is a big part of any business,” said Wray. “Where things get interesting when talking about casinos is that (hackers) do have a different financial incentive in terms of a target compared to other industries. There have been various different instances that have hit the gaming industry. Data breaches, where people’s information was compromised, or ransomware attacks, where casinos have been impacted.”
Among the most notorious incidents was in 2014, when hackers crippled thousands of servers and computers at Las Vegas Sands properties, making off with customers’ credit card data, driver’s licenses and Social Security numbers (later, that incident was blamed on the government of Iran). Last year, casinos in Idaho, Wisconsin and California were forced to briefly close due to cyberattacks.
Perhaps the most bizarre incident took place several years ago at an unnamed casino where VIP data was accessed through a high-tech fish tank connected to the corporate network. Clearly, the threat is exacerbated by the has increased interconnectivity of the Internet of Things (IoT).
“Look at the gaming industry; look at how much they expend on physical security—the reality is, they take that very seriously. You go back in time and one of the most serious crime is someone physically robbing them. But in reality, today someone can rob someone without leaving their living room. You have to put that front and center as a physical threat.”
Back to Basics
However, when Wray advises clients on best cybersecurity practices, he says, “Go back to the basics. A lot of people look at the hot new widget or some new technology, and there’s a lot to be aware of. But you can’t skip the basic stuff. You have to have the solid security foundation before you add the high tech.”
Next is “understanding the difference between cybersecurity and IT. This is a common pitfall. People who do IT work versus people who do security are different individuals with different educations, different mindsets.” Briefly, cybersecurity deals with protecting data from internet hacks, while IT security encompasses the daily management of data. “Dedicating the appropriate resources to cybersecurity is the baseline aspect,” said Wray. “Make sure you have the right kind of people with the right kind of expertise to deal with that problem.”
Some countermeasures can be implemented very quickly; others will be more complex and costly. Again, said Wray, “That’s why you start with the basics. Look at security holistically. You can’t put people at the front door and ignore the back door. But you do have to put in the money and effort to do this.”
The Facts About Friction
It’s received wisdom that any perceived “friction” or delay in completing a signup or transaction is a deal-breaker for most consumers. Security checkpoints may feel like friction to users, and effectively stop their progression through a sales funnel.
In a 2018 article in Smashing Magazine, IBM UX designer Zoltan Kollin wrote, friction is “anything that prevents users from accomplishing their goals or getting things done. … It’s the opposite of intuitive and effortless, the opposite of, ‘Don’t make me think.’”
He advised designers to “embrace good friction” such as multi-layer authentication by making consumers aware that it protects their identities and their wallets.
The average cost of a cyberattack in 2020 was $3.86 million, costs which then trickle down to the consumer. Even for companies with cyber-insurance, the expense of downtime and lost business can’t be recovered.
Simple things like network segmentation and passwords for both internal systems and external populations of customers are fundamental consumer protections. Multi-factor sign-in “creates an authentication layer over and above your password, using some other step before you’re fully logged in. It’s a very minor inconvenience for the user that provides a tremendous amount of protection,” Wray said. “Now an adversary doesn’t just have to trick you into giving up a password. It raises the bar. It’s not foolproof, but it’s a regular thing that the average customer can do.”
The size of the casino or organization doesn’t affect the fundamentals, he reiterated. ““It doesn’t matter whether it’s larger and more complicated. Any organization of any size can do this cost-effectively.”