
Cyber-attacks: are you prepared?
Peter Bassill, founder and senior security researcher at Hedgehog Security, argues that with most employees working from home, online gambling businesses are at serious risk of cybersecurity attacks and hacks.

Businesses that operate in the global online gambling industry are having to get used to new ways of working, with offices left empty and the vast majority of employees now working remotely or from home as a result of the ongoing Covid-19 pandemic.
While operators, suppliers, regulators and affiliates were quick to adapt to governments around the world mandating that employees work from home, it is important to reassess the systems and processes put in place, now that the current set-up will be the norm for many months to come.
This is certainly the case when it comes to cyber-security; the rapid transition from office to home working that businesses were forced to undertake will undoubtedly mean that certain areas of security have been overlooked, leaving organisations vulnerable to attack.
Cyber criminals and hackers are aware of these vulnerabilities and are ramping up their attacks on organisations at a time when they know their targets are focused on other pressing business needs.
Our data shows that attacks against people and their remote work systems are four times more likely to be successful. During Q2 2020, Hedgehog saw a three-fold increase in attacks against operators.
The main cybersecurity threats that online gambling organisations face are DDoS (Distributed Denial of Service) attacks, phishing, unauthorised device access, unstable networks and human error.
Cyber threats are constant and constantly changing. They are often highly sophisticated and if companies do not have the right protections in place, and regular training for staff around these systems and processes and how they work, they risk falling victim to an attack.
While an organisation can never be 100% protected from cyber threats, there are some steps that organisations can take now to beef up their cybersecurity systems and processes to make sure they are as protected as can be from potential attacks and hacks.
Multi-layer security
The rise in DDoS attacks is alarming, and operators and affiliates in particular must ensure they are doing all they can to fend off such threats. To this end, install security plug-ins such as Wordfence and Cloudflare to block suspicious malware.
This prevents bot networks from being able to overwhelm servers and take sites offline. If cyber criminals succeed in their DDoS attack, they will then demand a ransom from the site owner/webmaster to cease the attack and bring the site back online.
With staff working from home, monitoring potential DDoS attacks is more difficult, which is why it is so important to have the necessary software and plug-ins installed and up to date.
It is absolutely crucial that staff use only work devices with two-factor authentication – desktops, laptops, smartphones, tablets, etc – to access your networks, systems, emails and so on. Personal devices must never be used. Ever.
Why? Because there is no way of knowing whether they contain the necessary cybersecurity software required to protect your networks and systems. Nor can you be sure the device and the software installed on it are up to date.
In addition, you can set two-factor authentication on work devices requiring staff to enter two types of confirmation in order to access networks, systems, communications, data, etc. This is particularly important in the event a device is lost or stolen.
Use a virtual private network (VPN) to allow staff to access your systems when working remotely. This, combined with a state-of-the-art and up-to-date firewall, provides maximum protection for when employees access files, data and communications from home.
People power
All of the above is something that a chief information security officer, or a virtual CISO, would be able to implement and deploy. And for medium to large-size enterprises, filling such a role could be the difference between succumbing to or fending off an attack.
A CISO is also responsible for undertaking monthly cybersecurity audits, identifying weaknesses and implementing improvements to ensure protections are as solid as they can be. Of course, smaller businesses can outsource this work to a specialist.
Underpinning all of the above is regular staff training. There is absolutely no point in having these systems and processes in place if your staff are not aware of the threats being faced, the tools available to mitigate them and the role they play in the fight.
If you have a CISO, they should take responsibility for this and if you are outsourcing cybersecurity management, they will most likely offer training also. Training should be monthly so that the entire team is aware of the latest threats being faced and the steps being taken to mitigate them.
By following the above, online gambling organisations can be sure they are doing all they can to protect their networks and systems from attack while their employees work from home. They can also be sure they are setting the highest standard for when they can slowly return to the office.
Peter Bassill has more than 26 years of information security experience and is the cybersecurity adviser to a number of organisations and CISOs spread across the globe, helping them maintain an appropriate risk appetite and compliance level. His passion is ensuring all his clients stay as safe and secure as they can be.