27 January, 2023

Do casinos have a Plan B amid cyber security threats?

Plan A Technologies Chairman Aron Ezra discusses the technical vulnerabilities that could leave casino operators open to a Southwest Airline-scale meltdown

What areas of tech security do you think casino operators are neglecting and why?

I wouldn’t say there’s one specific area being neglected. I’d say that most casino CIOs and CTOs are smart folks who are working hard in a challenging environment. But here’s why it’s so challenging. First, most casinos have a lot of businesses and brands under one roof – hotel, casino, multiple restaurants, a spa, maybe a bowling alley or movie theatre, retail stores and more. That usually means multiple different technologies that need to work together, which were never built to work together. Those integrations can be vulnerable to attack. Secondly, casinos also usually have a lot of legacy software – that’s generally more vulnerable to attack, as well.

Thirdly, the regulatory environment is a double-edged sword. On the positive side, regulation is a terrific way to ensure technology is built with a meaningful level of quality, doesn’t have backdoors, etc. But on the negative side, it also makes it more difficult for a casino to stay up-to-date on the latest and greatest. The newest security tools may not have been approved by regulators, so casinos can’t always use them. In extreme examples, gaming companies sometimes rely on solutions that were approved many years ago and are painfully outdated; rather than install more modern, secure solutions and go through the time-consuming and expensive regulatory approval process to use the more modern tools. Additionally, casinos are understandably attractive targets for malicious actors.

Furthermore, gambling tech has to do a lot of things – it incorporates loyalty software, financial transactions, KYC and AML tools, geofencing, games, security, marketing and much, much more – often being delivered by many different vendors. That’s a complex tech stack to manage. Finally, investing in technology upgrades can be expensive and complex, and most companies – regardless of what industry they’re in – tend to try to delay these upgrades for as long as possible, to avoid dealing with the headache and expense of the update.

There had been warnings from those working for Southwest Airlines that a potential meltdown was on the way. Have there been any similar warnings from those working in the casino industry?

Sadly, yes. I think one of the biggest moments that got everyone’s attention happened back in 2014 when Las Vegas Sands was attacked by Iran. And those hacks have continued.

Cyberattacks have closed down casinos in places like Arizona, Oklahoma, California, New Mexico and Wisconsin. The FBI Cyber Division in November 2021 issued a warning, as have various gaming commissions.

Is cyber security a blanket term that casino operators use? Does it miss smaller processes that are important to invest in as well?

Beyond shoring up the cyber security side, there are so many additional reasons to regularly review and update your software. Many casinos are using software that is no longer supported or updated by its original creator. I understand why – it’s often really expensive to update. But for a major enterprise moving many millions of dollars annually, that’s not usually a smart move and can lead to very serious issues.

Another legacy issue is that a lot of casinos use software written in outdated programming languages. It can be really tough to find engineers who still know it, and even harder to find engineers who want to use it. Older legacy tools can actually be a lot more expensive to maintain, and you lose out on many of the more modern innovations. Casinos are often very far behind when it comes to the cloud and modern DevOps improvements, which is a shame. Many casinos also use quite a few different software solutions that don’t work well with each other. This makes coordination of tasks difficult; it creates information silos and results in some serious inefficiencies. Interfaces can help somewhat, but this is an area to regularly review.

There are some incredible new solutions one can create to enhance marketing technologies, digital wallets, analytics, hosting tools and more – those solutions can have a meaningful impact on a casino’s bottom line. And, on a similar note, there are some technical modernisation initiatives that, frankly, just about every company should be implementing.

One of the best measures: do an audit of your tech stack and be ready to act on the findings

What preventative measures would you suggest that casino operators take to avoid a potential catastrophe, in regard to upgrading or maintaining their tech?

One of the best measures is to do an audit of your tech stack and be ready to act on the findings. Think of the audit like a medical checkup. You can’t go too many years without doing one. If you wait too long, a small problem can – and often does – turn into a major issue. It’s generally a lot cheaper and easier to fix the problem before it blows up into something awful. An audit helps you figure out what’s working, what’s outdated and where you should make some fixes.

Audits work best when conducted by an outside impartial company that can take a fresh look at the software and infrastructure. Usually, audits uncover at least a few areas of improvement and often uncover major deficiencies. My team at Plan A Technologies does a lot of these audits, and it’s sometimes pretty shocking what we find. It’s also incredibly rewarding to help operators avoid the catastrophes you’re talking about.

In the Magazine