Why are organizations getting security testing done?
A great question with different viewpoints. For some organizations, it’s a request made by an insurance provider or a way to satisfy compliance regulations. More than ever before, the gaming industry has heightened responsibilities to secure its environment, remain compliant with security standards, ensure player integrity and protection, and build brand reputation, all of which is causing gaming companies to look beyond the essential security assessments.
In today’s digital landscape, gaming organizations are becoming more aware and starting to create security plans. Over 20 gaming states have decided to move forward with security testing requirements for sports wagering and iGaming products. The industry’s exponential growth, along with ongoing cyber concerns, has forced organizations to take a deeper dive into identifying their security vulnerabilities and gaps and developing a strategy, implemented by investing in a CISO hire and/or partnering with security experts.
As we know, security breaches can cripple a company’s revenue and reputation, disrupting the casino and, in some major cases, forcing the casino to close until the breach is fully remediated. In 2006, we witnessed a major breach in the media with Ultimate Bet and Absolute Poker. The cheating occurred because the perpetrators had access to unauthorized software code, which allowed the cheaters to see players’ cards. To date, nobody knows exactly how much money the cheaters won. A security source code review would have brought forward any development errors, vulnerabilities, or design weaknesses.
The gaming industry has done a great job keeping breaches under the radar, but with the growth in social media, it’s becoming a bigger challenge to stay out of the public eye, especially after the global pandemic. In 2020, MGM had a security breach that was publicized due to unauthorized access to a cloud server, compromising 10.6 million guests. Leveraging cloud technology may be seen as a risky investment for the gaming industry, not only because of tight restrictions but because, if it is not deployed or managed properly, it can result in more security vulnerabilities, gaps, and cyber incidents. That risk grows as the cybersecurity landscape evolves and the game changes, along with the techniques and tools used to keep applications secured. It’s critical to gather industry insights and consult with security experts if this is the route organizations want to pursue.
Application security plays a significant role for businesses and customers as it enhances the player experience. Applications are behind your perimeter firewall. In some cases, you may have great perimeter security, but at some point, you must let your customers past it to reach the desired application. If a potential hacker can exploit your application, they can access the rest of your network or the application database. Web Application Firewalls have been a good fix. However, they don’t protect you against web application misconfigurations. The data being passed through the Web Application Firewall is valid web functionality, like accessing a directory, but if this directory holds admin information, it could be a major issue. Some developers may not be fully trained in securing code, and the gaming world’s usual development cycle is mostly quick to market, or developers are rushing to fix a problem, which may leave new bugs and security holes.
So, how can you ensure your application is secured? Authentication, encryption, logging, and testing, with the use of automated tools to evaluate the effectiveness of the security actions. The reality is that organizations don’t always conduct application security assessments in the gaming environment, for many different reasons, including added costs; fear of uncovering security vulnerabilities, weaknesses, or gaps; and the investment in resources, time, and budget to remediate the gaps. However, gaming companies that take a proactive approach to strengthening their security posture when it is not required by a gaming regulator, Tribal commission, or casino policy are adding a new level of customer experience and competitive advantage.
A prime example is Everi, a gaming supplier whose mission is to lead the gaming industry through the power of people, imagination, and technology. In 2019, Everi encountered some challenges with their newly acquired loyalty partner, Atrient. With customers top of mind, Everi was committed to working with a trusted security partner to help verify they were building the most secured products possible for their customers. Aside from loyalty, they also partner with Bulletproof to deliver secure, world-class cash management and gaming content solutions to their customers while improving their security posture. Through various security assessments, testing, and planning, Everi has seen a revenue growth of 25% from 2019 to 2021.
A key consideration to ponder is what exactly you are protecting and what your objectives are. A simple answer boils down to ensuring customer data, financials, and KYC information are secured and compliant. In the 10+ years I have been in the industry, I’ve heard people say time and time again, “We will think about it when we have the budget or when there’s added pressure from leadership or stakeholders.” All valid statements, but ask yourself, what if someone was successful at harming your organization? Who are the third-party providers you rely on? Are they secure, or have they ever had a security assessment?
It’s critical to start engaging in those security conversations. Doing so does not make your organization more vulnerable or susceptible; in fact, it’s one tiny step in the right direction. You’ll discover how you can reduce risks, strengthen security posture, and grow your organization, enabling your customers to have the best and most secured experience.