Welcome to the perpetual battle of good versus evil.
Nothing reflects the importance of gaming technology more than the issue of cyberattacks. In 2023, criminals became sophisticated to the point of inflicting damage like never before, affecting entire systems and properties around the U.S.
Casinos must counter with security measures and systems that range from in-house products to engagements with outside companies. Cyberattacks hit both the physical area of dollars and the emotional one of vulnerability.
MGM was hacked for roughly $100 million in September, according to a Securities and Exchange Commission report it filed in 2023. The company had to shut down several customer services to mitigate risk to customer information. Hotel customers couldn’t use key cards to enter their rooms. Employees were locked out of corporate emails for days.
Around the same time, Caesars actually paid out a reported $15 million ransom to hackers who threatened to shut down its operations.
Paying ransom to placate criminals? What has the world come to?
Throughout the industry, there were arguments for and against that approach. But one thing won’t be debated: This is not an aberration.
Cybercrime costs will soon exceed $10 trillion a year, according to Melissa Aarskaug, global vice president of Bulletproof, a GLI company. Aarskaug says this represents a significant increase from the $3 trillion estimated in 2015. Ransomware attacks alone were expected to cost $26.5 billion globally in 2023, she asserts.
Criminal sophistication on one side battles state-of-the-art technology on the other.
The Multi-Layered Cybercrime Effect
“In gaming, we see direct and indirect costs to a cyber breach,” Aarskaug indicates. “The direct costs are in the billions, because a single attack can be in the millions. The indirect costs are things like reputational damage, lost productivity, need for new gaming products, and the cost of implementing cybersecurity measures.
“Cyberattacks are on the rise and are not slowing down. Organizations like casinos have limited budgets and resources to manage their own IT and security in-house,” she says. “To increase scalability and cost-effectiveness, casinos are starting to outsource various IT and security functions to keep up with the demands.”
That, she indicates, is why casinos look to trusted partners such as Bulletproof.
Casinos face a world in which cyberattacks are more severe, frequent and sophisticated, according to Aarskaug. Cybercriminals constantly develop new attack methods, and they are becoming more skilled at exploiting vulnerabilities in software and hardware. This has led to a significant increase in the number of successful cyberattacks. The cyberattacks also cause significant financial damage and disrupt critical infrastructure.
“In recent years, we have seen a number of high-profile attacks that have had a devastating impact on organizations and individuals, causing complete closure and/or employees being let go,” she says.
“The threat landscape is more complex. The number of bad actors and hackers is increasing, and their motivations are becoming more diverse. Just about anyone can purchase out-of-the-box ransomware kits and attack an individual or organization. Large, publicly traded organizations with the best cyber talent and good cyber budgets are being hit despite their best efforts.”
If a breach can happen to one of the world’s largest casino operators, it can happen to anyone, she says.
The key takeaways from major cyberattacks are the importance of:
- Having a strong cybersecurity posture.
- Having a security plan for responding to cyberattacks.
- Sharing information about cyberattacks.
Here are three of many key measures casinos need to employ, she indicates:
- Employee awareness training and collaboration among industry peers.
- Multi-layered security measures such as setting up firewalls, encryption protocols, regular system updates and patches, intrusion detection systems, and endpoint protection.
- Get help from trusted security vendors who understand your business. It’s no longer cost-effective or realistic to do everything in-house; therefore, finding the right vendors to help you meet your needs is essential.
Other countermeasures may unfold on a larger scale, according to Aarskaug. They include:
- Ongoing state-by-state regulatory compliance requirements to safeguard customer data. States are requiring casinos and gaming suppliers to conduct cybersecurity and audit assessments regularly.
- Investing heavily in security with cybersecurity tools and expertise (both insourced and outsourced). Casinos are deploying firewalls, encryption, multi-factor authentication and intrusion detection systems to better protect their networks. Additionally, casinos often work with various third-party vendors for services like security posture assessments, penetration testing, and managed security services to help them improve their security posture.
- Preparing incident response plans and security posture assessments to mitigate the impact of cyberattacks. These plans include steps for containing breaches, notifying affected parties, and recovering systems quickly.
- Ongoing employee training.
“We continue to see human error as a significant vulnerability,” Aarskaug says. “Casinos are conducting regular training sessions to educate employees about cybersecurity best practices, including recognizing phishing attempts and maintaining data security.”
While casinos are continuously enhancing their cybersecurity measures, the evolving nature of cyber threats means there’s no absolute guarantee against attacks. The focus remains on staying vigilant, adapting to new threats, and investing in technologies and strategies to bolster defenses.
“Customers trust you with their personal information, and it is a company’s responsibility to safeguard it,” Aarskaug says. “When you are securing your customers’ information you are building trust, and you are also complying with legal and regulatory requirements. There is a growing number of laws and regulations that require companies to protect their data and systems from cyberattacks. Cybersecurity is not an afterthought; it is a fundamental part of our business. We are committed to investing in cybersecurity and making it a top priority in everything we do.”
Bulletproof supplies comprehensive IT, security and compliance solutions to help casinos enhance their security posture, according to Aarskaug.
“We provide a wide range of services that you can choose from, including security assessments, such as PenTests and other types of security testing; compliance audits to ensure casinos are compliant with security standards (NIST, ISO/IEC 27001); IT, security or cloud consulting services; system/program migration or upgrade support; managed security services (Security Operations Center); managed IT services (Network Operations Center); and more,” she says. “Whatever your IT, security or compliance needs are, we’ve got your casino covered.”
The Value of In-House Operations
Andy Goldberg, lead consultant for Centerfield Nine, helps casino clients maximize their data protection in-house. He acknowledges that the extent of hacking continues to reach significant levels of danger.
“Although ransomware, hacks and customer data theft have all become increasingly concerning in recent years, what really opened my eyes was the 2020 attack on Cache Creek Casino, which forced the casino to shut down for about three full weeks,” he says. “In 2023 we saw the huge disruption at MGM’s properties, and while it managed to keep its properties open, the attacks made global headlines due to the prominence of famous Las Vegas landmarks such as the Bellagio struggling to return to normal.”
Cache Creek shut down for three weeks at 100 percent revenue loss and MGM lost an estimated $100 million. Goldberg believes future impacts are likely to be more costly, and insurance companies will either raise premiums accordingly or refuse to insure against cyberattacks.
“If I had to predict a worst-case scenario, it would be an attacker who encrypts a casino’s entire player database, causing them to lose access to all player data,” he says. “That means points, offers, names, everything. I would hope every casino has sufficient backups, but sometimes the restoration process is untested, or some part of the backup process got corrupted along the way.”
Centerfield Nine builds solutions with data security and privacy among the top priorities, he indicates. As an analytics and technology consulting firm, his company is often granted access to client data sources.
The company has built numerous solutions for clients. However, the most straightforward is automating database marketing campaigns, Goldberg indicates.
“So many casinos, even with dedicated database teams, struggle to bucket players into appropriate segments, match up the offers with the segments, prepare all communication and set up all the offers in their CMS,” he says. “Often, one-off events or special invite-only promotions are another, separate challenge. Not only do we reduce the time it takes to complete these tasks by 90 percent or more, we bring the error rate down to near-zero, and often, we are able to work with marketing leaders to add additional ‘wish-list’ features to their campaigns.”
That list includes adding A/B tests, adding new dimensions or measurements on which to segment players, or providing guests with more flexibility in their redemption choices.
“And once again, in most cases, we do this with simple read-only access to your existing data source,” he indicates. “No writing, no extracting, no moving any of your data off-site.”
The company leaves a light footprint, Goldberg asserts.
“Besides campaign automation, we’ve built a platform for growing revenue by reducing churn among high-value guests,” he indicates. “Every casino has some five-figure guests whose contribution drops 50, 80, or 100 percent the next year. Our system is focused on identifying these players much earlier than typical abandonment reports, and allows you to take action.
“There’s no magic bullet; it requires buy-in and dedication from player development, but while most marketers focus on new player growth, millions in potential revenue is leaving the building, and that’s the leak we’re trying to slow.”
Goldberg says Centerfield Nine works directly with operators on their premises. Prep work includes inputting offer dates, and amounts to under 10 minutes. That involves creating mail files, email files, setting up a web/app portal and creating tens of thousands of individual offers directly in the casino’s CMS, and sometimes, additional marketing systems.
“We build solutions with data security and privacy among the top priorities,” he indicates. “As an analytics and technology consulting firm, we are often granted access to client data sources. However, the tools and the solutions we build add a very light footprint. In most cases, we only need read-only access to clients’ existing databases, and do so from within your protected, private network.
“Unlike other firms in this space, we do not extract your private data into a proprietary data source housed at a remote location, out of your control.”
Gamblers will instantly recognize the catchy name of the company. “Centerfield Nine” is what a craps dealer calls out when the nine is rolled.
Head in the Cloud, Data on the Mind
It’s going to be interesting to watch an industry giant perform in 2024.
AXES.ai President and CEO Earle Hall says his company has been laying the groundwork for the inevitable industry migration to cloud-based systems, big data and prevention as the method of embracing the potential of this era.
Hall is an internationally recognized entrepreneur, visionary and innovator in several different fields of technology. He serves as the CEO of AXES.ai network, the world’s premier cloud-based information management system for the gaming industry. He also is chairman of the Blockchain Technical Committee for the Gaming Standards Association.
The company already has the deepest, most heterogeneous big database of the entire land-based gaming industry. For more than 12 years, AXES Cloud has accumulated more than 57 billion lines of player and transactional data spanning 45 countries and more than 1,200 client sites.
Any company that comes closest to issuing blanket protection from hackers will enjoy a financial heyday. AXES.ai is considered to have the pole position in the race for casino data security.
The battleground is laid open for 2024. Top companies that can enhance security will literally create job security, for themselves at least.