Inside Asian Gaming

APRIL 2018 INSIDE ASIAN GAMING 29

“Companies will invest in cyber security tools but fail to recognize that’s not the whole solution. The reality is that unless you get the right people, those tools may provide a false sense of security.”

IN FOCUS

that best intentions don’t always translate to best practice.

“I think major casinos these days understand where the risks are coming from,” says Smolanoff. “The key is implementing strategies across the board. It’s moving away from technology-based solutions to a more governance-based solution – why do you have an information security program? What do you need to protect? How are you going to protect it? What procedures are going to be used to implement policies? And then once you understand that, what kind of technologies do you need to enforce your policy?

“Much of the time, companies and organizations do this in reverse order. They buy some expensive cyber security tools and then build the security policies around them, leaving the overall governance with gaps. That’s not the way things should go. It should be the other way around.”

Needless to say, data protection means more than simply installing the latest version of anti-virus, data loss protection tools or security monitoring.

“And we’ve seen that too,” Smolanoff laughs, “because most information security often gets delegated to IT and IT loves to buy tools and deploy them. Why do they do it? They’re not sure but they think that it will work to protect them.”

Smolanoff points to three main components when it comes to protecting data – people, processes and technology.

“Historically, information security was usually grouped in with information technology requirements,” he continues. “But IT and information security have opposite mandates. IT wants to keep the lights on and get things moving quickly. Security wants to slow things down to verify who you are, so there is this sort of ‘push and pull’ between them.
“And when you think about the process side of this, we’re talking about people and we’re talking about technology, but really, far too often security technology would be implemented and configured but then companies do not have the people with the know-how to use these tools, interpret the alerts and understand when real threats are occurring amidst the noise.

“What really needs to happen is casinos, companies in general, need to have a better governance structure in place with senior leadership involved in the process. Policies and procedures must be put in place but they need to be implemented properly with business

Macau’s casinos are at constant risk of a cyber attack
