As the world becomes increasingly digital, the world’s casino operators are taking cyber security more seriously than ever before. But as leading risk mitigation company Kroll explains, risks remain – and not always where you might expect.
As cautionary tales go, the downfall of once hugely popular Hong Kong singer and actor Edison Chen might seem a fair way removed from Macau’s gaming industry. But for Paul Jackson, former Chief Inspector and head of IT forensics with the Hong Kong Police Force, there remain some key lessons to be learned.
Chen was one of Asia’s biggest stars during the early-to-mid 2000s but his glittering career came crashing down in 2008 after he dropped his computer off at a repair shop, where a technician discovered and leaked over 1,000 intimate images of the actor with various female Asian celebrities.
“It was hardly the most complex hacking incident that I have had to investigate, but it hit the front page for several weeks and killed his reputation,” recalls Jackson, now Asia-Pacific Leader for the Cyber Security and Investigations Practice of risk mitigation firm Kroll. “The reputational aspect is what makes you realize just what a huge impact this sort of thing can have. Yes, he was careless enough to take his laptop for repair knowing that it had these photos in it, but the resulting damage was enormous. It’s certainly something I’ll always remember.
“Like with the Chen case, many data breaches that we investigate are not the result of high sophistication or technical capability on the part of the culprits. Ultimately, many breaches are the results of human error or failures to maintain effective governance. It may not be the most technical case I’ve ever worked on, nor the most sophisticated, but boy was it high profile and reputation damaging. The Chen case has parallels to everything we read in the news today where someone makes a simple mistake and pays a heavy price.
“Cybercrime is about reputation.”
For Macau’s world-leading gaming industry, data is everything. Yet just as Chen let one simple oversight take him down, so too are Macau’s casino operators discovering the value of attention to detail.
“One of the biggest gaps that we see – and it’s not just the gaming industry – is that companies will invest in cyber security tools but fail to recognize that’s not the whole solution. The reality is that unless you get the right people, those tools may provide a false sense of security.
“I think Macau has a bit of an issue there because of the difficulties with bringing experts in from overseas.”
Given the huge amounts of money at stake, it is no surprise that Jackson rates the gaming industry among the very best when it comes to allocating resources to combat cybercrime.
But he and colleague Jason Smolanoff – Kroll’s Senior Managing Director, Global Practice Leader, Cyber Security and Investigations – have also seen enough in their time to recognize that best intentions don’t always translate to best practice.
“I think major casinos these days understand where the risks are coming from,” says Smolanoff. “The key is implementing strategies across the board. It’s moving away from technology-based solutions to a more governance-based solution – why do you have an information security program? What do you need to protect? How are you going to protect it? What procedures are going to be used to implement policies? And then once you understand that, what kind of technologies do you need to enforce your policy?
“Much of the time, companies and organizations do this in reverse order. They buy some expensive cyber security tools and then build the security policies around them, leaving the overall governance with gaps. That’s not the way things should go. It should be the other way around.”
Needless to say, data protection means more than simply installing the latest version of anti-virus, data loss protection tools or security monitoring.
“And we’ve seen that too,” Smolanoff laughs, “because most information security often gets delegated to IT and IT loves to buy tools and deploy them. Why do they do it? They’re not sure but they think that it will work to protect them.”
Smolanoff points to three main components when it comes to protecting data – people, processes and technology.
“Historically, information security was usually grouped in with information technology requirements,” he continues. “But IT and information security have opposite mandates. IT wants to keep the lights on and get things moving quickly. Security wants to slow things down to verify who you are, so there is this sort of ‘push and pull’ between them.
“And when you think about the process side of this, we’re talking about people and we’re talking about technology, but really, far too often security technology would be implemented and configured but then companies do not have the people with the know-how to use these tools, interpret the alerts and understand when real threats are occurring amidst the noise.
“What really needs to happen is casinos, companies in general, need to have a better governance structure in place with senior leadership involved in the process. Policies and procedures must be put in place but they need to be implemented properly with business needs in mind and supported by the technology, not just driven by the technology.”
Making the threat far more difficult to deal with is the ever-changing nature of cyber-attacks, with hackers becoming increasingly astute and technologically savvy. There is also a vast array of potential sources of risk driven by a variety of motivations.
“I tend to break them into four different groups,” says Jackson. “State sponsored attackers largely conduct an intrusion or theft of data for intelligence gathering purposes. Often this will be highly focused, such as a targeted attack to obtain intelligence on an individual of interest to them.
“Then there’s organized crime who are increasingly leveraging cyber criminals. Their motivation to conduct these types of intrusions is mostly financial and they seek to profit on data which they steal. For example, they may seek to resell it, or utilize insider knowledge to profit on the markets. Of course, there are also hackers operating alone, but the more sophisticated threats are coming from organized groups.
“There are ‘hacktivists’ who conduct intrusions (or steal data from the inside) to promote a social or political agenda.
“Finally, there are malicious insiders – people who work there internally and want to find ways to damage the company or steal data to profit in other ways.
“I would say many of the fraud schemes that happened years ago, before the advent of modern technology, have just evolved over the years to take advantage of advances in computer systems. Not that much has changed, they have just tailored attacks using social engineering techniques to trick employees into inadvertently allowing access to systems or into facilitating fraud schemes.
“It’s a never-ending battle of wits. When I worked in the banking world, adversaries would constantly attack the online banking systems. We would detect those attacks and would build defenses, then they would realize those attacks weren’t working so they would try different methods. That would mean we’d have to reverse engineer their techniques and build detection models all over again. It’s a never-ending process.”
Likewise, language barriers that once might have provided some level of extra protection to companies based in places like Macau are being broken down too.
“I don’t think there’s any difference between Asia and the rest of the world anymore,” Jackson says. “I think in the past, because a lot of the cyber criminals came from non-Asian countries, it was a little bit difficult for them to attack systems which might have been in Chinese, Japanese or any other Asian language. But I believe this is less of a barrier now because of advances in translation technology driven by Artificial Intelligence.
“Google Translate, for example, used to be a source of amusement for incomprehensible translations. Not any more since they began using AI a few years ago. They and other translation services are highly accurate now and this allows seamless ability to quickly understand data being viewed regardless of language.
“It just opens the door a little bit more. Add to that the fact that many Asian countries have weaker laws and regulations and I would say overall, if you are looking at the global landscapes, Asia is probably behind the curve. But it can be quickly improved and that’s where we come in.”
Ultimately the risks are many. More than merely financial, they include regulatory risks, compliance risks and, as Edison Chen discovered, reputational risks, which can be the hardest of all to recover from.
As Smolanoff notes, “The world has seen a lot of data breaches lately and some companies come out of it looking pretty good while others really take a big hit in the press. That really comes down to how these folks have prepared in advance to protect themselves and also test their capabilities ahead of time for dealing with a crisis.”
Adds Jackson, “I think we’re seeing an evolution. Data breaches have traditionally been all about easy access to money but we’ve seen a move in the last few years to business process hacking. A good example is the Bangladesh Bank attack (US$81 million was stolen in a cyber heist in 2016).
“I think the gaming industry is ripe for this because there are so many processes around it on how money is handled, how valuables are transferred. The criminals, they are extremely ingenious and organized crime in particular will look to use insiders so that they can learn more about internal processes that they can seek to exploit. They will look for ways to subvert those gaps in controls and processes. And they are patient as well. They’ll sit and observe. If they get access to email accounts, they’ll watch how communication is done, how business is done and look for those gaps and flaws and they’ll strike when the time is right.
“With casinos moving to attract younger customers with more innovative mobile solutions for gaming, yes they will attract more customers but they’ll also be bringing higher risks. If these are not thoroughly tested for security, operators will be opening themselves up to risks of attack.”