BLOG

Canadian Gaming Summit – Panel Q&A

In June, Continent 8’s Innovation Director, David Brace, participated in a panel at the Canadian Gaming Summit.

The panel ‘Cybersecurity: managing risk in a brand new market’, delved into the lack of strategy new iGaming operators have in tackling cybercriminals and hackers. He was joined by Sunil Chand (VP Cyber & Information Security, OLG), Jarvis Pelletier (VP IT & Gaming Systems, SIGA) and Carmi Levy (Director of Comms, Step Software) as they explored lessons learned from land-based operators and outside industries in safeguarding revenue, reputation and most importantly, the customer.

The interactive and popular session included questions from the audience. Unfortunately, time ran out to answer all of these, so David has provided answers to some of the questions below.

If you had to focus and invest on only one of the following, which would you prioritize on educating and managing: Players, Staff, Device/Hardware, Other?

Staff are your biggest strength and biggest weakness when it comes to cybersecurity. In fact, human error accounts for almost 90% of all cyber incidents. No matter how advanced the technology or how detailed the processes are, they are rendered ineffective if the people using them are not adequately trained and aware. This is why cybersecurity training and awareness programs for employees are crucial.

Employees need to understand the importance of following security protocols and be aware of the potential risks, such as phishing attempts or suspicious links. In addition, the cybersecurity team itself needs to be well-trained, up-to-date with the latest threats and countermeasures, and capable of responding quickly and effectively to incidents.

What are some examples of ransomware attacks, and what was the outcome?

One of the highest-profile attacks recently was the Kaseya VSA ransomware attack, which is part of a larger trend of supply chain ransomware attacks where bad actors target software or managed service providers. In this instance, the organisation REvil used an exploit in Kaseya’s remote monitoring agent to install ransomware on devices belonging to between 800 – 3,000 different organizations. A ransom of $70m in Bitcoin was demanded for the master key to decrypt all those affected devices, it is understood that the ransom was not paid, and that Kaseya engaged a number of cybersecurity forensic organisations to assist with mitigation and decryption of the systems. It took a substantial amount of time for some organisations to fully restore their systems, indicating that those organizations did not have up-to-date or complete cybersecurity protection and playbooks.

What’s rationally more realistic in a fast-paced gaming market? Planning for the worst or trying to avoid it, which could be perceived as friction?

All organisations must find a balance when it comes to cybersecurity, if you plan for and mitigate against every eventuality, you can’t operate as a customer-facing business. This is where risk management becomes a key part of a cybersecurity strategy; organizations should be in a continuous cycle of: Identify -> Assess -> Mitigate -> Monitor -> Review.

Risk management is a key part of Assess and Mitigate phases as all organizations will hit a point where the mitigation has such an impact on business services that the risk is accepted as part of operating a successful business. Instead, as part of this acceptance of risk, many organizations will choose heightened Monitoring and Reviewing in place of full mitigation, enabling them to still operate whilst being aware of the potential risk.

With AI evolving and phishing schemes getting more authentic how can should we adapt and become more agile to minimize risk?

As Phishing attacks are a form of social engineering, your primary method of dealing with them will always be a rolling education program for both your internal users and your external customers. Internal users should be regularly trained to identify suspicious emails and engage with the security team to validate such items. External users should be educated on your policies for handling PII, especially on the information you will not ask them to share via email or other electronic messaging.

Technology will play a part in monitoring incoming traffic and communications for suspicious activity, as with all aspects of security, it should be regularly updated and reviewed as part of the cybersecurity regimen.

Learn more about C8 Secure here.

ChattyGoblin: A new threat to iGaming and how C8 Secure can help

19 Jul, 2023

The iGaming industry is under a new threat. A malicious campaign, dubbed “ChattyGoblin,” has been targeting Southeast Asian gambling operations since October 2021.