Casinos can’t afford to gamble on poor cybersecurity
Managing cyberrisk must be a key focus
TRIBAL NATIONS QUARTERLY |
The threat of cyberattacks is growing in both scale and sophistication. Consider the following findings from the NetDiligence/RSM 2016 Annual Cyber Claims study:
- As of the end of November 2016, approximately 900 data breaches had been reported, compared to 781 in all of 2015.
- Cybercriminals are targeting companies of all sizes, with 87 percent of reported breaches coming from companies with annual revenues of less than $2 billion.
- Breaches of any size and at any size company can be extremely costly. Our study found breaches with total costs of more than $5 million at companies of almost every size. In one case, a breach involving only a single data record had a cost between $1.5 million and $2 million.
Cybercriminals are targeting all industries, including the gaming and hospitality industry. Among attacks detected in Las Vegas alone was one where the attackers had breached servers throughout a company. Malware detected in the company’s point of sale/card processing system resulted in fraudulent activity on guests’ cards, with attackers gaining access to guests’ card information, including names, card numbers, expiration dates and internal verification codes. This attack went undetected for more than a year and affected 20 hotel properties and thousands of guests.
The breach quadrangle
Cyberattacks happen in four stages:
- Infiltration, when attackers first gain access to your systems
- Propagation, when the attack spreads through an organization seeking targeted data
- Aggregation, when targeted data is collected
- Exfiltration, when the data is removed from the your system and delivered to the cybercriminals
While preventing infiltration is one vital step of an effective cybersecurity strategy, too many companies are overly focused on preventing breaches without devoting sufficient attention to detecting, containing and eliminating them after they have occurred. A significant number of high-profile incidents could have been prevented with better internal network security, which would have led to earlier detection and elimination—before most of the damage occurred.
Segmentation and data classification are vital
Segmentation with isolation and data classification are central to effective cybersecurity. Effective segmentation with isolation controls helps prevent attacks from propagating throughout a network even after one system has been successfully compromised. Each segment is assigned:
- A unique virtual local area network (VLAN) identification (ID)
- A security level
- An IP address range
- Access control lists (ACLs) to control traffic
Through this segmentation process, propagation can be defeated because internal network communications are filtered by source/destination address and port/protocol, allowing only legitimate traffic that matches ACL permit rules to flow.
Data classification creates levels that control access to sensitive data. Through this process, you:
- Create classification levels for data.
- Identify and control which systems are allowed to house and access data.
- Determine which individuals have access to which data.
Other security activities
Red and blue team exercises and incident response exercises can also be effective cybersecurity tools.
- Red and blue team exercises allow you to use your own personnel along with a team of skilled external attackers to test your cybersecurity. They generally offer more benefits than typical penetration tests. The red team penetrates your network and remains until they are identified by the blue team. Then the red team shows how long they were in the network, what data could have been compromised and what system vulnerabilities they exploited.
- Most companies have developed an incident response plan, but many have not tested that plan. Through an incident response exercise, an independent security group facilitates a realistic security incident. Through the exercise, your organization can test the effectiveness and interoperability of all aspects of your incident response plan and identify and address any plan weaknesses.
What should you ask your chief information officer today?
Cybersecurity is a real strategic risk for your organization and should be treated as one. Ask your CIO these questions today:
- What are our biggest IT security risks?
- What is our strategy to mitigate those risks or respond to an attack?
- How well protected is our data and how have we tested that protection?
- How quickly can we respond to an attack?
- What is our backup plan?
- How much should we be budgeting for IT security each year?
For a more detailed discussion of cybersecurity issues and strategies for the casino and gaming industry, view our webcast, IT security threats affecting the gaming industry.