Nick Nocton
Welcome to the Mishcon Accumulator Podcast in association with EGR. In this series of podcasts, we will be exploring the latest trends and topics in the betting and gaming sector. I am your host, Nick Nocton, I am a Partner in the Mishcon de Reya Betting and Gaming Group and I am joined today by colleagues, Mike Owen and Mark Tibbs from MDR Cyber. We are going to discuss all things cybersecurity in the betting and gaming sector. Part of the Mishcon de Reya Group, MDR Cyber helps businesses and individuals to meet the challenges associated with cyber risk. In this podcast we are going to consider some the most pressing threats and emerging sources of risk, what can companies do to protect themselves and what should business leaders do when things go wrong. Mark, Mike, thank you for joining me today. Firstly, please tell me a bit about yourselves and what you do.
Mike Owen
Thanks Nick. So, I am Mike Owen, I am the Cyber Consulting Director here at MDR Cyber and I lead up our cyber advisory activities helping clients to understand the risks they face and how to address those in a strategic manner. Alongside that we also offer services to assist our clients in preparing for and actively managing cyber incidents.
Mark Tibbs
My name is Mark Tibbs, I am the Cyber Intelligence Director at MDR Cyber so I lead all of our investigative and threat analysis activities. That means helping our clients understand some of the external cyber threats against them.
Nick Nocton
So, I understand that you at MDR Cyber have done a lot of research to identify the main threats to data and services in the betting and gaming sector. Can you tell us what the main threats that you have identified are?
Mark Tibbs
At MDR Cyber we keep a database of attacks so we look at like public reporting, we look at big attacks that have happened against firms but we also have our own instant response activities where we look at what’s happened to our clients to see whether we can work out if there is particular tactics or techniques that attackers are using and then we can help our clients by offering them mitigation advice around those specific tactics and techniques. You might be forgiven if you read the news for thinking that most attacks are the work of sophisticated nation states, North Korea or China or something like that but that really isn’t the case against the betting and gaming industry. The attacks that we’ve looked at shows it’s much more of a motivation for financial gain so much more of these attacks are around fraud or extortion, in particular.
Nick Nocton
Well, extortion is not new, why has it become so important?
Mark Tibbs
Well, it’s not new, no, it’s important for a couple of reasons; it’s ramping up back in maybe five or ten years ago, it was individuals and consumers that were targeted by things like Ransomware - so that’s a type of software that can lock your files and then demand a ransom to unlock them - and we’ve seen those attacks much more focussed towards enterprises, corporations, it may partly be because corporations are paying but it’s also because it’s big game hunting, the attackers think they can get more money out of a corporation than an individual. And another key risk, not just the betting and gaming companies, is that of what we call ‘business email compromise’. So, these are frauds in which employees’ or suppliers’ emails are compromised and impersonated to facilitate fraudulent payments of invoices so an attacker can control bank accounts. This is a huge problem for businesses at the moment. I think the FBI released some figures last month or the month before saying that it’s $26 billion of reported losses in about five years to this kind of fraud and it’s actually one that’s pretty straight forward to mitigate against in many circumstances. We see clients coming to us with these problems and actually sometimes the key mitigation advice is turn on two factor authentication which means not allowing people to get remote access to their emails without a second factor of authentication, be that a dongle or a code or something like that, and that can really frustrate the efforts of the cyber criminals again to email accounts and make changes and intercept communications.
Nick Nocton
Do you think it’s realistic to expect the introduction of two factor authentication into the user side of betting and gaming?
Mark Tibbs
I think you could say that a lot of organisations… so, if you look at like Facebook and Amazon and big tech companies that offer lots of customer accounts, they all offer now two factor authentication as an option, they don’t mandate it but they will advise you to use it if you want to be secure. So, yeah, is it commercially a good idea for betting and gaming companies? I think that’s a decision for them to make but certainly in terms of security, if you want to secure your customers’ accounts, that is a very good step to stop attackers gaining access to them but appreciate that there are sort of impacts to the customer journey, customer experience by doing that and if that, you know, the bottom line for the betting and gaming companies themselves.
Nick Nocton
Okay, Mike, a question for you. Obviously the betting and gaming industry is highly regulated but what sort of regulatory obligations are placed on operators with regard to cyber security and how effective are they?
Mike Owen
So, you are not going to hear this very often but compliance is actually a really interesting challenge for betting and gaming. It’s a challenge on both sides, so on the side of the firms that are actually providing the service, they have the challenge of deciding what is an appropriate level of security for them and for the regulators, they have to try and decide either what sort of benchmarks they want to set or what standard they are going to get people to comply to. And, up until now, what we have tended to see is that the regulators are moving towards requiring compliance with ISO 27001. Now, 27001 for those who don’t know, it’s basically in industry standard for cyber security and most firms who are looking to standardise will be tending to go for ISO 27001 so, on first glance, you could say that it’s a suitable way to go in your requirements but the problem that we are seeing is that at the end of the day, ISO 27001 actually presents some real challenges for both the regulator and the firms that are trying to implement it because at the end of the day it’s actually a little too flexible.
Nick Nocton
Surely, flexibility is a good thing for the operator at least, or is that not the output that we are concerned about?
Mike Owen
Yeah, you can definitely say that it’s good for the operator. So, the problem with 27001, and it’s a problem and a benefit, is that it has been designed to be applied by anyone so if you are running a nuclear power plant or if you are running a travel advisory service, you could implement 27001 and you will make the choices that are right for your organisation but from a regulator’s perspective, they are tending to look across the environment that they are regulating and trying to reach a level where they have a consistent approach to risks across all the operators so that they can say that there is a consistent approach to protecting people’s data. But the problem with 27001 is each operator can make their own decisions and as a result…
Nick Nocton
About what?
Mike Owen
…about the risk that they manage. Yeah, so, firms will go away and decide what risks they face. If the regulator does not actually specific those, firms could come up with different answers as to what risks they are facing and then once they have identified them, even if they do find the same risks, they could find different ways of dealing with them or indeed in some cases they could actually just accept the risk which other bodies, or other regulator, might simply decide shouldn’t be accepted. So that’s the problem that you face and for regulators too require 27001 compliance makes sense as a first step, it’s just that it’s not going to get them to a point where they are seeing a consistent level of risk being managed across the industry.
Nick Nocton
So, your view is that they are not seeing the sufficient assurance activities that they should require.
Mike Owen
So, it’s an interesting one. They are seeing the assurance that they require but the assurance that they require is almost at a paper level because I have actually done 27001s outside of the betting and gaming space and ultimately when you are reviewing someone for 27001 compliance, you are just making sure that certain processes are in place. It doesn’t evaluate how those processes are exercised so, for example, if a process is: I have a risk. How do I decide whether or not it’s important? Each firm can come up with a completely answer to the same question and both will still be 27001.
Nick Nocton
Right. So, when somebody undertakes a data security audit, there is a typically an independent third party will be undertaking that audit. Does that not provide additional assurance?
Mike Owen
It doesn’t really because what we have tended to see in markets like this is that the services are very commoditised and at the end of the day the operators are being judged on whether they are 27001 compliant. So, even auditors trying to get as much business as possible then they will be obviously dropping the price and the service that they offer will effectively be one where you are getting what you are paying for and if you are not paying very much then you are probably going to get a raw review of are you 27001 compliant and that isn’t going to offer you the assurance over your decision making. But to be honest with the operators, I can understand why they would want that because at the end of the day it’s their decision to make.
Nick Nocton
And, what sort of problems are likely to arise from this sort of lack of sufficient baseline standard?
Mike Owen
So, ultimately, the problem that it gives rise to is that of an inconsistent level of security for clients’ data on your systems. It could come down to technical risks, it could be operational risks but at the end of the day what it boils down to is that the regulators will not have a clear view of exactly how a deal has been protected in the various operators.
Nick Nocton
Ultimately, consumers presumably therefore also have an incomplete understanding of the security that their data…
Guy Grainger
Exactly, exactly, and obviously they have expectations the industry needs to meet.
Nick Nocton
Okay. Mark, assuming that most firms actually do have the basics of their existing infrastructure secured against typical threats, what are some of the emerging sources of risk that you have identified?
Mark Tibbs
First of all, big assumption to assume that firms have got the basics under control; most of the attacks that we are see because they basics are not under control but I will ignore that and go on to your next question. If firms are doing all the basics and they are doing everything they should be doing then you know they are going to avert most of the attacks against them; that’s not the case if attacks are particularly sophisticated or if attackers are particularly persistent. So, if you have got a well resourced organised crime gang trying to get into your systems, that is a bigger problem for you than someone who is just chancing their arm or some kid in their bedroom trying to hack into one of your systems. However, what we are seeing a lot of is problems with Cloud installations so, many firms are moving to Cloud infrastructure so that means, you know, there’s big providers out there such as Amazon and Microsoft that provide these kind of services; they are fantastic for businesses because they offer a lot of flexibility, they offer space when you need it, they offer things like DDoS protection against denial of service attacks, there’s all sorts of benefits for going to the Cloud and that’s why companies are going to the Cloud. However, there’s also perhaps an over reliance on sort of like a sense of security by going to a Cloud infrastructure without really fully understanding it. We are finding people that have traditional IT security teams, then expecting their IT security teams to look after the Cloud which they are not familiar with them, the settings can be very, very complex and in fact that is one of the main reasons why people fail to secure their Cloud installations is because they haven’t read the documentation or, you know, they haven’t done something they should have done. It isn’t necessarily because, you know, that they are inherently insecure, they are not, it’s just they are quite complex.
Mike Owen
Yeah, it’s just worth bearing in mind that in some cases they can be fundamentally different. You know, when you take an existing IT team and take say a database administrator and suddenly plonk him down in front of an AWS virtualised database and then say ‘Yep, set this up for me’. He probably can, it’s just that there will be options that he won’t even know about that could leave him and the organisation in an insecure state.
Mark Tibbs
Yeah.
Mike Owen
Yeah, so one of the key things that people need to bear in mind when they are moving to the Cloud, and as you are saying Mark there is no question that the Cloud offers opportunities and value for people but what people need to bear in mind is that either you need to be bringing in people who know the Cloud or you need to be letting your existing teams upscale so that they actually understand what they are dealing with and they can configure it securely. There’s no problem with keeping your existing teams, you just need to bear in mind you can’t just flip a switch and suddenly exist in the Cloud.
Mark Tibbs
There’s been some rich pickings for attackers, and researchers actually, in this space so, people are going out there looking for data that is insecure either for bad reasons because they want to steal it or, you know, extort you for it and in fact there has been attacks that have been automated so people have developed programmes to go and automatically find this data that’s insecure and then encrypt it or wipe it and leave a little message up saying ‘Pay me in bitcoin and, you know, you’ll get your data back’. Equally actually, researchers have been doing the same thing to sort of… I suppose it’s to put pressure on companies to think about their security.
Mike Owen
A bit of self-promotion also.
Mark Tibbs
Bit of self-promotion as well, yeah.
Mike Owen
To be fair they have had some positive influences, I mean there are a couple of settings I can think of that relate specifically to what you are talking about which have changed one of the Cloud providers just because of security researchers continually going out and effectively prodding people’s storage practices.
Mark Tibbs
Yeah, and as I understand it, having looked at this a little bit, the big providers have also tried to simplify some of their configuration settings or make it easier to configure.
Mike Owen
Yep.
Mark Tibbs
So they have implemented sort of, you know, step-by-step guides securing yourself and some common pitfalls and things like that so, it is getting better but it is still a big problem.
Mike Owen
Yeah.
Nick Nocton
And leaving aside for a minute what can go wrong, can we briefly touch on what organisations should do when something does go wrong? For example, you mentioned the risk of extortion. What does a business need to do and how do they prepare for this kind of attack?
Mike Owen
So I think the first thing people need to do is build up a plan, that really is step number one for any organisation because when it comes to a security incident, you are going to be running around with your hair on fire and that’s the last time that you want people to be trying to sit down and come up with carefully reasoned decisions as to invocation or involving the police or the like.
Mark Tibbs
We run a cyber attack scenario, we’ve run it for some of our clients and some of our partners and one of those scenarios is an extortion scenario. We ask that question, ‘What would you do first?’ and inevitably, they’ll go ‘Oh, we’ll get our plan’ and then we say, ‘Have you got a plan?’ and they say, ‘No. Not really’.
Mike Owen
One of my favourites is the ones who immediately say ‘Well, we’ll call the police’. Really?
Nick Nocton
So, what’s involved in the plan?
Mike Owen
Yeah so I mean, obviously when you are putting together an incident management plan, no one’s trying to say that the incident management plan should cover off all the eventualities because you can’t practically put together a plan that’s going to address everything. But what it needs to do is cover off some of the basics just in terms of things like, for example, who is going to be involved in managing an incident? How are people going to communicate? And, what third parties are going to be involved? So, if you think of the advisors that people might need to bring in, for example. Whenever we run these example scenarios that Mark has mentioned, we invariably tend to speak to people who don’t have identified legal counsel, they don’t necessarily have identified cyber security people to deal with and oftentimes they haven’t worked out who is going to be doing their PR. PR is actually a great example just because when an incident goes wrong, it tends to snowball so you’ll get your first alert, everything will seem fine and then all of a sudden Twitter explodes and if you haven’t worked ahead of time how you are going to manage that with a good PR agency, you are going to really struggle.
Mark Tibbs
With a big extortion that has sort of locked lots of files, say it’s a big Ransomware attack, you know you see a lot of… it’s a very stressful time for the staff in particular, you see a lot of burnout from people so the last thing you want is to have them burning cycles doing things that they could have done in advance because you are going to have to send them home and you are going to have to… it just makes the problem worse so having a well-defined plan and having all those things in place means you don’t have to think about that whilst you are in the middle of an incident.
Nick Nocton
There are evidently a host of risks and nobody it would seem should be complacent about their existing security but I understand that you are reasonably positive about the future?
Mark Tibbs
I am pretty positive about the impact that I think regulation has had. So, I think GDPR in particular has lifted up the baseline for many people because they’ve just had to start to think about it more. I think that has meant that basic security is more considered in most industries, including the betting and gaming industry. However, I do think that that potentially means actually what we are going to see is less volume attack but higher impact single attacks that are more sophisticated. So, if you do get hit, you know, and the attacker is successful, they might be more successful if you know what I mean so you are already seeing that as well, like I said, the shift from targeting individuals and consumers in Ransomware to targeting businesses, you are already seeing attackers thinking ‘I can get more out of this if I hit them hard and take more quickly’ but it does mean less people will be impacted but when they are impacted it will be severe.
Mike Owen
Yeah, and that makes sense just because once the basics are covered off for a number of people, the difficulty involved in launching the attack is higher and as a result they need to get more out of those attacks to make it worth their while.
Nick Nocton
We have mentioned earlier on the perceived inadequacy or insufficiency of over-reliance on the ISO standard. Do you anticipate that changing? Do you think regulators are likely to increase their expectations around cybersecurity?
Mike Owen
I don’t know what Mark is going to say but I would tend to say yes and it’s interesting, I used to be a big cheerleader for very flexible standards so, ISO 27001 and the like, until I got to audit a firm – this wasn’t in betting and gaming, I must confess – that had international offices, so they had a location in the US and a location in the UK and I trundled over to the US thinking to myself ‘Ha, well they clearly won’t be as good as the UK because they won’t be making carefully reasoned risk based decisions’ and when I compared the two, I discovered that the US was much better off.
Nick Nocton
And is that because they have specifically mandated requirements?
Mike Owen
It’s because the regulator had chosen exactly what they had to do and told them to do it and then marked them against that. So it took away their ability to produce some risk-based decisions but that was because the regulator made those decisions for them.
Mark Tibbs
I think it’s a tricky one to create regulation or standards that is a catch-all so I think in GDPR it says you must take appropriate measures to protect your data and that’s obviously quite ambiguous but that’s because it has to be flexible because technology changes and so do attackers change the way they do things, so it’s a moving feast, you can’t mandate specifically, you’ve got to do this, you’ve got to do that, obviously there are some…
Mike Owen
Yes. I was going to say, some places they have.
Mark Tibbs
Yeah there are some things like password hygiene and things like that but not everything can be mandated to the nth degree so I think there is a tension there maybe it could be more specific, maybe regulation could be more specific but it’s never going to catch everything.
Nick Nocton
It’s interesting you should say that. Presumably that provides an opportunity for advisors to add value?
Mark Tibbs
Yeah, I think that is necessary for a lot of companies because… for a number of reasons, as betting and gaming companies specifically, you will be exposed to different risks and threats to other sectors and actually as an individual company, depending on the technology you are running the processes you’ve got etcetera you will need to think differently about your cybersecurity and for that sometimes you will need external advice.
Mike Owen
It’s also worth bearing in mind, I mean this is a very lean industry, people aren’t overflowing with resource and I realise that cybersecurity practitioners are neither cheap nor plentiful so for a lot of organisations, they just aren’t going to have in-house resource to deal with this on a day-to-day basis so having people who can come in to assist I think is quite important.
Nick Nocton
In particular when things go wrong but also around designing…
Mike Owen
In both, yeah. So preparing for but then also when things do go wrong, it’s important to have people who have some experience in handling the issues.
Nick Nocton
And Mark, if things do go wrong, what legal tools are available for the victims of the crime?
Mark Tibbs
The benefit of our team actually is that we work with a lot of lawyers on a day-to-day basis so we are familiar with using some of the legal tools that are available to them. We have used things like injunctive powers to freeze assets where you are able to identify them in certain jurisdictions, we have used… what other injunctive powers have we used?
Mike Owen
So we’ve used them to effectively force people who had stolen data to not release that data.
Mark Tibbs
Yeah. We’ve done take down requests to infrastructure providers so where you’ve identified sort of websites that are revealing data or, you know, that have been used to send fraudulent emails, for example, we are able to go to the Registrar often and, you know, that they are taken down and often we’ve got a very good case because we’ve got a lot of good lawyers writing good letters to help that along. So, yeah, we’ve used our legal powers and our legal experience to sort of disrupt as well as recover.
Mike Owen
Yeah, and I think one of the interesting things about having legal powers is that it plays to an effort where we try and get businesses back up and running rather than focussing on the technical details of a particular incident and it’s something we’ve found sticks out in the marketplace.
Nick Nocton
On that note, Mike and Mark, thank you very much for your time today.
Mike Owen/Mark Tibbs
Thanks Nick.
Nick Nocton
That’s all for today’s podcast, I hope you have enjoyed listening. Please join us for our next podcast coming soon.
The Mishcon Accumulator Podcast in association with EGR. For more betting and gaming related content, visit mishcon.com/accumulator.