The growing threat of cybercriminals targeting businesses globally is one that integrated resort operators must take seriously.
The past year has witnessed the onset of a cyber security pandemic that remains rampant, with a 168% year-on-year increase in cyberattacks targeting organizations across the spectrum.
In Macau alone, the Judiciary Police recorded a 400% rise in computer crime cases in 2021, compared to the previous 12 months. The threat landscape has significantly evolved in terms of sophistication and frequency of attacks, with ransomware, distributed denial of service (DDoS) attacks and customer data theft comprising the most common incidents.
The gaming industry constitutes a prime target for cybercriminals intent on extracting illegal gains and obstructing business activities. Data has become mission critical to operations throughout the IR ecosystem, from gaming optimization and customer relationship management to procurement and staffing. The integration of complex networks of on-premise and cloud environments with third-party vendors’ systems creates a multitude of potential weaknesses in IT systems architecture and presents a challenge to securing networks against attack.
RANSOMWARE: THE NO 1 THREAT
Ransomware attacks pose the largest disruption to business. These involve the use of malware by cybercriminals to infiltrate the victim’s data systems and encrypt critical data, effectively preventing the victim from accessing or using the affected file servers, databases and applications. The criminals demand payment of a ransom sum in order to provide the decryption key and restore the victim’s access to files and data.
Ransomware can gain entry to an organization’s systems through a phishing incident, security holes or inactive accounts. The malware is programmed to disseminate rapidly throughout the network and paralyze the organization’s entire operations. In a recent incident in May 2021, the IT operations of AXA’s Asia Assistance division across Thailand, Malaysia, Hong Kong and the Philippines were the subject of a ransomware attack which also compromised the personal data and medical records of customers in Thailand.
In recent developments, ransomware demands have also included the threat of public exposure of the compromised data and files if the ransom amount is not paid. Given the nature of the IR industry, data and personal information concerning patrons has always been considered especially sensitive and the potential threat of open publication in a ransomware incident presents a critical concern.
To mitigate the impact of these incidents, cyber insurance policies commonly cover the payment of ransom sums and related costs and expenses to address ransomware attacks. However, public policy developments over the past year, especially in France and the US, have led authorities to strongly discourage companies from paying ransoms or extortion demands and to focus instead on preventative measures to protect against ransomware attacks.
Moreover, gaming operators may find that payment of ransom demands is prevented by regulations on counter-terrorism financing under national gaming laws. The cybercriminals behind ransomware attacks are usually anonymous and there is limited information to determine their underlying motivation or the final destination of the ransom payment. It is crucial, therefore, to consider the question of legality before contemplating a response to ransom demands, in order to avoid violating regulatory obligations and committing an offence.
As a consequence, operators will need to devote greater resources to mitigating the effects of a ransomware attack through implementing advanced prevention and backup data management capabilities. Currently, just 11% of organizations are reported to be able to recover mission critical data within 72 hours of an attack, and only 2% of disaster recovery efforts align with their business’ defined recovery requirements. The challenge is especially acute for IRs, where multiple enterprise tools and systems are implemented across teams to manage data, each with their own security and access settings. This fragmented collection of systems renders problematic the simultaneous review of status and control settings across the various technologies, exposing the IT environment to the risk of an orchestrated cyberattack.
The occurrence of ransomware attacks is likely to proliferate going forward as the practice of Ransomware as a Service (RaaS) evolves. RaaS is a software delivery model that provides access to off-the-shelf ransomware tools for a commission, enabling cybercriminals with limited technical knowledge to execute ransomware attacks in return for a percentage of each successful ransom payment obtained using the software, which accrues to the original ransomware developers. The volume of security intrusions conducted by these affiliates in RaaS attacks may potentially overwhelm an organization’s threat detection defences, leaving the network under-resourced to identify and protect against more complex and critical cyberattacks.
DATA THEFT INCIDENTS
The value associated with customer data in the gaming industry continues to provide incentives to cybercriminals to perpetrate data theft and data breach incidents. In 2021, the dark web saw a consistent stream of both Chinese and English-language threat actors post for sale customer personal data, including personal information and financial details, taken from the databases of online gaming companies and platforms. Hospitality companies in Asia have also been targeted, with Centara Hotels & Resorts reporting a cyber attack on its network in October 2021 in which photo IDs, names, addresses, emails and booking details of guests were compromised.
The real cost to operators is felt in the loss of reputation and customer confidence in the operator’s brand, systems and operations as a result of these data security incidents. This may manifest in customers closing their accounts, migrating to competitors or withholding consent to storage of their personal data in future, resulting in a loss of revenue and negative impact on the operator’s share valuation.
INTELLECTUAL PROPERTY THEFT
It is not only the theft of data, but also of intellectual property, which forms a fundamental problem for gaming companies. Valuable proprietary source code and software code signing certificates are frequently targeted by network intrusions and subsequently resold for profit by cybercriminals on the dark web.
However, it is not merely the commercial aspects of cyberattacks with which organizations must contend, but also the legal and regulatory implications. In Macau, for instance, IR operators are classified as private critical infrastructure operators and subject to additional obligations under the Macau Cybersecurity Law. These include heightened detection and incident response duties, security self-assessments and regulatory reporting. The benchmark for preventing and mitigating cyber risks is, therefore, significantly higher, with corresponding liabilities for failure to meet the required standards.
Data protection regulation, equally, imposes security obligations for personal data and reporting requirements in the event of data breaches, as well as penalties for non-compliance. The extra-territorial effect of China’s new Personal Information Protection Law and, in Japan, the amendments to the Act on Protection of Personal Information will require operators to comply with additional data management measures for personal information of overseas customers, including security and data breach notifications.
PREPARING FOR THE INEVITABLE
Essentially, it is highly probable that organizations will be subject to one, or potentially multiple, cyberattacks in the coming months. The objective, therefore, is one of damage limitation, which depends largely on the speed of the operator’s capabilities to detect, respond to and overcome a cyber incident.
Proactive penetration testing and incident response simulations are critical to ensuring teams are threat-ready and trained on incident response protocols. Response plans, however, should not be limited to IT security teams but should also include PR, communications and customer service teams.
A well-prepared cyber security breach communications plan is an essential, though often overlooked, component which sets out pre-approved draft notifications and template statements, as well as the chain of approvals for subsequent releases. It is vital to establish these plans in advance as the time-sensitive situation of a cyber incident requires immediate action in order to restore the company’s relationship with affected parties and public reputation as quickly as possible.
The cyber threat remains a very real and ever-increasing concern for business continuity and operations in the digital age. It can only be mitigated with continual improvements to defence and security tools, penetration testing and incident response training drills.