The Issue of Gaming & Internet Crime

The Situation/Summary of the Threat

Internet gambling and online crime go hand in hand, internet gambling attracts quite a large number of online criminals who are hungry for easy money. As from March 2018, I have been the Cybersecurity Manager at The Marble Online casino. Since then, we have had to face many different online threats in the casino but not like the latest. Last Monday, we received a cyber extortion email from an online criminal group threatening to take the casino offline using a distributed denial of service (DDoS) attack unless the casino pays them a ransom of 5BTC. When this happened, we alerted the casino’s IT security team so that they were prepared for a possibly impending DDoS attack and took no further action. At the time, The Marble did not have an existing system in place for the prevention of this kind of attack. Not long after, four days later, on a Friday evening the DDoS attack was launched against the casino and for 30 minutes the casino’s website was forced offline. Consequently, casino users were unable to play for 30 minutes as the casino was unavailable for them.

The main lesson we can take from this unfortunate incident is the vital importance of having DDoS protection hardware installed at the Internet edge – something that IBM and ABS reportedly believed they did not need. This type of protection is the only way to protect an organization’s entire security infrastructure in the event of an attack. If our customers had incurred an attack like this, they probably wouldn’t have even noticed the attack taking place, and it certainly would not have compromised them from a security standpoint. As DDoS attacks target a full spectrum of security risks, it’s important to defend your entire security infrastructure and data against potential threats.

A proactive and robust cybersecurity strategy that is clearly communicated across your organization is your company’s best defense against cyberattacks. Designing and implementing an incident response plan is a critical component to an effective cybersecurity program. One reason Dyn was able to mitigate the attack quickly is that they had a response plan ready. The hackers in this incident designed and deployed a unique attack approach, and Dyn was still able to stabilize the breach before it destroyed the company.

Your company’s cybersecurity strategy must incorporate the ever-evolving nature of cyber threats. Focusing too narrowly on specific incidents could hinder your company’s ability to respond. CFOs need to ensure that their companies are prepared to react to new methods of attack by running “what-if” scenarios and testing response capabilities. Your company may not always be fully prepared for the attacks being conceived, but by testing your controls you can reduce your recovery time and cost.

On the other hand, it’s important not overcomplicate your response plan. Including recovery steps for all possible scenarios will result in a complex document that won’t enable employees to act quickly. Instead, your plan should focus on recovery scenarios specific to your critical business data, functions, and supply chain. Focus on building an incident response program that is able to work in multiple scenarios, accounting for people, places, procedures, and communications.

Dyn clearly had a team of experienced professionals in place to resolve an attack that could have destroyed their business. Every company, big or small, can take a similar approach to fighting cyber criminals. CFOs are spending millions of dollars on software and technology to protect their businesses from cyber crimes, and they should be investing more money in training their own people. Human error is the leading cause of cyber crimes, according to Verizon’s 2016 Data Breach Investigations Report. Training employees about the dangers of cyberattacks must include more than just sending around a list of dos and don’ts.

Get more creative. Consider using gamification for training exercises to present real-life scenarios to employees. One way to accomplish this is by having “pretend” hackers try to obtain proprietary information from your employees. If your office doesn’t properly react, the experience could end up a great lesson for everyone. For example, you don’t want your employees clicking on suspicious links in emails, so you train them to forward suspicious links to the security team. Then you send test phasing email to see what they do. When a user responds correctly they are rewarded by being placed in a drawing for a $100 gift card, winner drawn quarterly.

How to implement the playbook to ensure impacted stakeholders are aware of and committed to the steps you have recommended. Be clear on the purpose of engaging with stakeholders. The purpose will underpin the entire approach, influencing who will be engaged, how they will be engaged and what to engage on. Involve the right people. To identify the right stakeholders, it should be clear why there is a need to engage them and what the scope of the engagement will be. Who needs to know? Who has an interest? The answers will ultimately determine the composition of the target group of stakeholders. Consider also the risks to implementation if particular stakeholders are not engaged.

There is no one-size-fits-all approach to engaging stakeholders—each interaction should be tailored. Stakeholders have different expertise, objectives and capacity to engage with government. Don’t assume that what worked for one situation will work for another. Often a mix of approaches will be needed and you may need the flexibility to adjust your approach quickly.

Stakeholders should have a clear understanding of how their contributions will be used and the degree of influence their input will have as approaches to policy design and implementation are formulated. When stakeholders’ expectations cannot be met, anger, frustration or cynicism may result, which will affect the current and future relationship with government. The purpose of the engagement and the role of participants, including how their input will be used, need to be clear from the beginning.

Engagement is not just about collecting information. It involves a process of responding to information to shape and improve the quality of the initiative. Information from stakeholders may also indicate whether the engagement approach itself needs to change. Greater organisational benefits will flow if you share lessons learned from engagement across the agency, particularly where your agency regularly engages with the same set of stakeholders on a variety of issues.

Map your stakeholders Identify all the stakeholders that will have an impact or influence on the initiative, as well as those who are affected by it. Narrow this list down to identify groups and subgroups of stakeholders, and record what their interests are and their level of influence and impact. This stakeholder mapping will inform your engagement plan, which should be a living document that evolves during the initiative. Mapping also allows for better tailoring of engagement methods.

Plan the engagement. Think strategically about the engagement and be clear on why you and your stakeholders want to engage, what the issues are, what you want to achieve and how you will know if you’re successful. Incorporate this thinking into your engagement strategy to help ensure the approach focuses on material issues and effectively targets the right stakeholders. Develop an engagement plan that outlines the methods, timeframes, roles and responsibilities. The plan should pull together all elements of engagement from beginning to end, providing a pathway to guide team members through the engagement approach. Invest time in developing contingency plans for key engagement risks to help reduce delays. Use a mixed approach A mixed approach provides flexibility to manage the differences in relationships between stakeholders, allowing either a light-touch engagement or deeper partnerships where they are needed.

This approach may include activities to inform, consult and collaborate with stakeholders and use a combination of tools such as discussion papers, public forums, one-on-one discussions and social media. Learn from others. Tailoring an approach doesn’t have to mean reinventing the wheel. When planning, find out who else has undertaken a similar engagement and take the opportunity to share information and harness the skills and experience that already exist. This path can foster innovation and help make the process more efficient and effective for both government and stakeholders. Knowing the ‘vibe’ and outcomes from recent engagement with similar stakeholders can also help you prepare for what other issues may be raised and how they should be addressed, and avoid going over old ground with the same people.