Inside Asian Gaming

March 2015 inside asian gaming 33 started as a small group, but they’re getting bigger and bigger. It’s probably 60% of what we do now.” Inside Asian Gaming spoke with Mr Hughes recently about how GLI provides clients this critical service. IAG : How broad is the scope of the IT and Internet security assessments you provide? Mr Hughes: It basically covers any computer IT system, not just gaming. It could be an operator’s hotel management system, for example. One of the big concerns that operators have is protecting the data they hold in the event of a breach. They’re holding player information. These might be high-net-worth individuals, they’re probably foreign nationals. The protection of the data [the operators] have on those players is very important to them. We conduct assessments not just from the point of view of threats from external people, but also from internal people. People from inside the organization who are accessing systems, accessing information and applications they shouldn’t have access to, either copying the data, modifying the data, creating data, all those different things. So we need to take a multi-layered approach. We work with the manufacturers that are providing those applications to make sure those applications are secure in the first place because that’s where it starts. Then when that application is being installed, ensuring it’s done in a secure environment. And then we look at how the client is configuring it—adding users, security policies and things like that. Our ISS team does the audits on properties and applications. We’ve been doing it even longer than three years, but in the last three years we’ve gotten our accreditations. If you want to start taking credit card payments you have to comply with requirements for security and robustness set by the PCI, the payment card industry. We’re an accredited test lab to do PCI compliance testing. As a payment processor you have to be PCI-compliant. The PCI standards cover any sort of credit, debit and cash card transactions, both online and the terrestrial casino part of it. Auditing players club systems is a big part of what we do as well. Sometimes people don’t think of player points as money, but points are extremely valuable because they can be redeemed for cash. It’s an area that sometimes can be most overlooked. If I have the ability to increase my player club balance by 20,000 points, I can convert that for cash or rooms or whatever. That’s real money, real comps. Also, player data is extremely valuable. If a competing casino or property got hold of it, they could target those players. The other part of it is protecting the players. If I go to a casino and give them my player card I have a certain degree of trust that the casino is not going to use that information for other purposes. So the last thing I want is for someone to steal or copy that data that records how much I play, how often I play—my spending habits. I don’t mind the casino knowing that because I get a reward out of it, but I certainly don’t want someone else to have access to that information, and so casinos will protect that. Do you do the assessments at a property level or do you need to do them at an even higher level? We do them at a corporate level. A lot of the corporates that are in both Macau and Las Vegas are looking to do enterprise-wide security assessments. So it’s done at a very high level. The IT and Internet security assessments are especially popular, given the need for companies to ensure they are able to withstand an ever-expanding variety of threats. “We started to do it about three years ago on a smaller, on-demand scale, but the demand for it has surged by tenfold. Everybody’s asking for it,” says Ian Hughes. Cyber Security