Cynance CEO Stav Pischits talks Tim Poole through gaming’s biggest cybersecurity threats during the coronavirus pandemic, including where hackers draw the line; this article was originally published in the May/June edition of Gambling Insider magazine.
Can you detail what Cynance does regarding cybersecurity and how it’s becoming an ever-more important aspect for gaming companies?
The gaming world is a data-driven environment. There’s game data, financial data, the data that makes the engagement very personal for players. Long story short, the more data they have, the better. What we do is help companies protect their data and their assets. Obviously, there are a lot of assets to protect and funnily enough, attackers feel much better about attacking a gaming company than a bank from a moral point of view. When you think about it, both banks and gaming companies have money and large amounts of client data. But to hack banks can seem less moral, especially during a pandemic.
Even among hackers, there is some dignity. Here you have gaming companies who make a lot of money and people have different opinions about the gaming sector. Many offensive actors find it more legitimate to act against gaming companies. While banks are also very secure, regulation in gaming is not even half as tight as it is in the banking sector. Cynance tries to help these companies with their cybersecurity, especially now as retail customers move to online. We would call ourselves the digital bodyguards of online casinos.
With the coronavirus outbreak so widespread at the moment, what should gaming companies be aware of in terms of hackers exploiting the situation?
Environments are changing. If you previously had the majority of your company working on site and connecting to the corporate network in one way, you now have a completely different infrastructure. For companies that were established on much more distributed infrastructures, with people working from home and using a lot of contractors, it'll be much easier to get accustomed to the new circumstances. But many companies are not there and were really based on-premise. So engaging internally and externally, and starting something new, presents new difficulties. I would not say these difficulties are much different from what companies faced before. You still have the basics of cybersecurity, with the crown jewels of the company you need to protect. These crown jewels didn't really change.
But what changed is the way you operate and communicate, and the trust you need now to do the same things you did previously. If I worked in the finance department of a gaming company and needed to approve a payment to a major supplier, I would just go to my CFO and ask for approval. But right now, you can't shout to your colleague, raise a hand or do something easily. You need to do something differently, implementing procedures that were documented in company policy – but that no one really paid attention to before. Now, it comes into force and it can create new challenges. The first time you do anything, some things will not work as expected.
What kind of ethical hacking campaigns does Cynance carry out to assess client cybersecurity?
It’s good to have procedures and policies in place. If you think you’re okay, there’s nothing as good as testing during a real-life scenario. You want to mimic the same techniques a hacker could use. The two major campaigns that can bring the most value for companies are, firstly, external exposure assessments, assessing what malicious individuals can really do from the outside. A company has a certain number of IP addresses, the company name and some other assets that are publicly available, so it’s useful to see what an adversary can do with this information. For example, if a large gaming company has four IP addresses and I scan these addresses, it may expose what kind of services and technologies they’re using. So it would be a good test to see what’s out there and what attackers can potentially do, closing as many gaps as possible.
The other campaign deals with phishing. Even before this, with 500 to 1,000 employees, our phishing campaigns were successful. These emails appeal to users with specific information about the company. For example, if they use Zoom, I can send them an email to update their Zoom software. Now, with people working from home during the pandemic, think how successful those campaigns can be; people can’t refer to a colleague sitting two yards away for verification. There are some codes of ethics between attackers and hackers, but we can see cyberattacks are on the rise today. Attackers are exploiting the coronavirus pandemic like any other situation.
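The external exposure assessment described in the answer above (scan an operator's public addresses, see which services answer, and work out what technology they run) reduces in its simplest form to a TCP connect scan with banner grabbing. The block below is an added example written for this edition of the interview, not Cynance's tooling. To run offline it starts two loopback listeners that stand in for an operator's public hosts, and its signature table is a deliberately small, constructed one; a real assessment would use a full fingerprint database and a proper scanner.

```python
"""TCP connect scan with banner grabbing, the core of an external exposure check.

Added example. The loopback listeners stand in for an operator's public hosts so
the script runs offline; the signature table is constructed and deliberately small.
"""
import socket
import threading
from typing import Dict, Iterable, Optional

# Service signatures keyed on how a banner starts (constructed for this example).
SIGNATURES = (
    ("SSH-2.0-OpenSSH_", "OpenSSH (SSH)"),
    ("SSH-", "SSH"),
    ("220 ", "SMTP or FTP greeting"),
    ("HTTP/1.", "HTTP server"),
)

# Harmless probe for client-speaks-first services that stay silent on connect.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def fingerprint(banner: bytes) -> str:
    """Map a raw banner to a service name, or 'unknown' when nothing matches."""
    text = banner.decode("latin-1", errors="replace")
    for prefix, name in SIGNATURES:
        if text.startswith(prefix):
            return name
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Connect to host:port and return what the service says; None if the port is closed.

    SSH, SMTP and FTP greet first, so a short recv is enough. HTTP says nothing until
    asked, so when the greeting times out we send HTTP_PROBE and read again.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(256)
            except socket.timeout:
                data = b""
            if not data:
                try:
                    conn.sendall(HTTP_PROBE)
                    data = conn.recv(256)
                except OSError:  # silent service that hung up: open, but no banner
                    data = b""
            return data
    except OSError:  # refused, unreachable or connect timed out: treat as closed
        return None


def scan(host: str, ports: Iterable[int]) -> Dict[int, Dict[str, object]]:
    """Connect-scan each port; report the open ones with banner and guessed service."""
    report: Dict[int, Dict[str, object]] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        report[port] = {"banner": banner, "service": fingerprint(banner)}
    return report


def start_fake_service(banner: bytes, speaks_first: bool) -> int:
    """Loopback listener standing in for an exposed host; returns the port it chose."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            client, _ = srv.accept()
            with client:
                if not speaks_first:  # behave like HTTP: wait for a request first
                    client.settimeout(5.0)
                    try:
                        client.recv(256)
                    except socket.timeout:
                        pass
                client.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Reserve and release a loopback port so the scan also meets a closed one."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n", speaks_first=True)
    web = start_fake_service(b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n", speaks_first=False)
    for port, info in sorted(scan("127.0.0.1", [ssh, web, unused_port()]).items()):
        print(f"{port}/tcp  {info['service']:<22} {info['banner']!r}")
```

The point of the banner step is the one the interview makes: an open port alone says little, but "OpenSSH_8.2p1 Ubuntu" or "nginx/1.18.0" tells an attacker exactly which platform and version to look up, which is why version strings on internet-facing services are worth suppressing where the software allows it.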
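The "update your Zoom software" lure mentioned in the answer above works because the employee has nobody two yards away to ask. The checks a mail gateway or a cautious reader can apply instead are mechanical: does the display name claim a brand the sender domain does not belong to, is Reply-To diverted elsewhere, and does a link's visible text show one host while its href goes to another. The block below is an added example, not Cynance's or any vendor's code; both messages are constructed, the .test domains are reserved names rather than real ones, and the one-entry brand allow-list is an assumption made for the example.

```python
"""Flag the tells in a 'please update your Zoom client' lure from its raw headers and body.

Added example. Both sample messages and the brand allow-list are constructed for it.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Brands a lure is likely to impersonate and the domains assumed to send for them
# (assumed allow-list for this example; a deployment would maintain a real one).
BRAND_DOMAINS = {"zoom": {"zoom.us"}}

# Constructed lure: brand in the display name, lookalike sender domain, diverted
# Reply-To, and a link whose text and href disagree.
SAMPLE_LURE = """\
From: "Zoom Security Team" <updates@zoom-us-client.test>
Reply-To: helpdesk@mail-updates.test
To: finance@example-casino.test
Subject: Action required: update your Zoom client before Monday's call
Content-Type: text/html; charset="utf-8"

<p>Your Zoom client is out of date and will stop joining meetings.</p>
<p><a href="http://zoom-us-client.test/update">https://zoom.us/download</a></p>
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
From: "Zoom" <no-reply@zoom.us>
To: finance@example-casino.test
Subject: Your meeting recording is ready
Content-Type: text/html; charset="utf-8"

<p>Download the client at <a href="https://zoom.us/download">https://zoom.us/download</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[List[str]] = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.x' link text is treated as http://www.x."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def first_text_part(msg: Message) -> str:
    """Decoded body of the first text/html or text/plain part (handles multipart too)."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable indicators; an empty list means none of these checks fired."""
    msg = email.message_from_string(raw_message)
    findings: List[str] = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()

    # 1. Brand impersonation: the name or domain says 'zoom' but the domain is not Zoom's.
    for brand, legit_domains in BRAND_DOMAINS.items():
        claims = brand in display_name.lower() or brand in sender_domain
        if claims and sender_domain not in legit_domains:
            findings.append(f"claims to be {brand} but is sent from {sender_domain}")

    # 2. Replies are diverted to a domain other than the one that 'sent' the mail.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {sender_domain}")

    # 3. Link text shows a trusted URL while the href lands somewhere else.
    collector = LinkCollector()
    collector.feed(first_text_part(msg))
    for href, text in collector.links:
        shown = text.strip()
        if re.match(r"^(https?://|www\.)", shown, re.I) and host_of(shown) != host_of(href):
            findings.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

None of these three checks needs the mail to be obviously malformed; the lure in the sample is grammatical and company-specific, exactly the kind the interview describes, and it is caught purely on header and link consistency. In production the same logic would sit behind SPF/DKIM/DMARC evaluation rather than replace it.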
Out of the several you’ve already touched on, what is the single biggest challenge currently facing gaming firms when it comes to cybersecurity?
I would say it’s that companies don’t know what they don’t know, so to speak. Sometimes, for gaming companies, time to market is a challenge as they have to be so quick due to the fierce competition. Sometimes they neglect security and don’t realise what can happen. It’s not just that they can be hacked or be a victim of ransomware, there are plenty of other threats. It’s like going to the dentist: it’s much better and much more cost-effective to address a problem before it happens. The aftermath can just take companies completely out of business.
How important are GDPR considerations for gaming companies when working with data?
I really cannot stress enough how important GDPR is to gaming companies. Gaming companies are, at the end of the chain, a B2C business, which means there is a great deal of personal data to protect. But the maturity level of these companies is usually not great; there are a lot of quick wins and companies are not aware of the risks here. There is a big difference as well between compliance and security. Good data security starts from the basis of compliance, but it’s not just about ticking the boxes.
What advice would you give to a new gaming operation starting from scratch when it comes to GDPR?
Firstly, get good engagement from the senior stakeholders. If it’s only important to people who aren’t decision makers, it’ll never work. Senior managers need to understand why GDPR is important. So you really need this support from senior managers, and to approach things from the top down.
If the support is there, you need to assess the processes. With this in place, you’ll be able to build something really sustainable. The first step is data mining and understanding what companies have and what they want to protect. After that, they can think about the different technologies to implement down the line.
How do you see the gaming sector developing in the cybersecurity field, bearing in mind the effects of the coronavirus pandemic?
Everything happening now is changing how companies and technologies work. You’re seeing a lot moving from on-premise to off-premise. This trend will be very dominant in the coming years. People will also get more things outsourced – not only for managing human resources but also technology and different processes. More concerns regarding data protection will arise, as so much outsourcing will increase your exposure to data breaches, with many more parties accountable for data protection.
Data protection authorities all over the world will gain more strength and their importance will rise, with more and more gaming companies fined for data breaches. But to finish on something optimistic, I think this will only do good for customers. Customers will only be able to get services that are much better for them; both the security and experience will be improved, so I am optimistic after all.