Transforming Gaming’s Data Security Management

Today’s gaming industry faces unprecedented challenges in safeguarding data privacy and security. The rise of digital betting, new interactive gaming formats, and hybrid on-site and remote experiences opens the door to new methods of cheating and heightens the risk of events like account takeovers, ransomware, and denial of service attacks (DDoS). These potentialities are not just IT concerns; they are integral to an organization’s overall operational health. 

Companies can protect their assets and build trust with customers by prioritizing data privacy and security – setting themselves up for long-term success in the competitive gaming industry. Market data shows that clients spend and engage more with a business that has a trustworthy security record, and less with a brand that has recently experienced a breach or other trust-impacting event. 

How does your cybersecurity system measure up? Find out through a Microsoft cost analysis and security assessment.

Top Data Protection Considerations

Companies can and should take steps to bolster their data protection practices today. Here are 7 considerations, best practices, and actionable solutions for companies to factor into their strategic planning:

1. Navigate regulatory scrutiny

The gaming industry is contending with increased regulatory scrutiny — more frequent audits, more rigorous compliance requirements, and more stringent enforcement actions. This scrutiny often translates to higher compliance costs in the form of fines and penalties for non-compliance and delays in project timelines as regulatory approvals become more rigorous. 

Solutions

• In preparation for more frequent audits, companies’ internal review programs can work with a third party to perform an assessment. These assessments provide cost-effective support and potentially lower the costs of regulatory burdens when working with the auditing boards of regional and national gaming commissions.
• Penetration testing and tabletop exercises can help companies comply with cybersecurity requirements, like Nevada’s cybersecurity regulations. By evaluating likely cybersecurity risks, teams can decrease their exposure to social engineering or ransomware attacks.

2. Maintain customer trust through transparency

In a world of expanding gaming and leisure options, customer retention is critical. With 65% of sports bettors worried about the security of their personal information on betting platforms, companies must treat proper stewardship of customer data as a pillar of customer retention. Assurance programs can help foster trust among customers by ensuring clients understand the importance of proper protection of customer data.

Solutions

• Enhancing cybersecurity on gaming and entertainment platforms and applications can prove to a company’s customer base that their account and stored value are safe.
• Companies can adopt specific trusted frameworks, like the American Institute of Certified Public Accountants’ (AICPA) SSAE18 SOC 2 or the International Organization for Standardization (ISO) 27001 certification program, to measure and prove their commitment to protecting customer data.

3. Monitor and limit data access

From account creation, to credit confirmation or booking, to account maintenance and support, gaming customers demand a uniquely high level of contact throughout the customer lifecycle. Regular contact with customers can often lead to higher vulnerability to cyberattacks as employees gain increased access to customer information – potentially leaking data either through malicious intent or accidental mismanagement. Slow response or incomplete customer empowerment can lead to customer turnover. While it is important that companies implement increased security processes, they must also maintain agility and flexibility in order to efficiently meet customer needs.

Solutions

• Limiting unnecessary data visibility can considerably lower font-line data risks. Companies should determine the data that is truly necessary to enable their customer service functions and consider enlisting an application security consultant to evaluate workflows and help assess if and where access to customer data can be pared back.
• Companies should also deploy privileged identity management technologies to ensure requests for client data run through controlled and secure systems. This way, they can be monitored and audited for potential misuse.

4. Evaluate insider threats

Whether their business is in video games, online betting, or other gaming operations, gaming organizations must maintain a robust internal verification process to protect against insider threats. Insider threats can be malicious or accidental and include things like security sabotage or neglectful data protection from employees. Insider associated incidents can also include infiltration by external threat actors through legitimate role-based access. An active security team should monitor for excessive data use within reasonably assigned permissions and verify that security indicators are affirmatively transmitting and being processed throughout the security analysis process.

Solutions

• Companies can deploy insider risk management capabilities in their productivity applications and use machine learning and other at-scale unsupervised identification mechanisms to target unusual use.
• Third-party platforms, such as BDO’s Active Assure, can monitor companies’ security tools as they respond to a generated incident. This technical validation can work in tandem with people-focused response training to keep insider threat recognition and response readiness high.

5. Expand cybersecurity tools

As gaming expands across various online mediums, companies must keep a unified view of their systems and applications to ensure secure and seamless operations across platforms. By integrating various systems — gaming platforms, customer relationship management (CRM) programs, payment gateways, and security protocols — companies can acquire detailed security insights across their properties and clients and resolve any gaps in security throughout the data transmission process. 

Solutions

• Companies should perform an application security review of the connectivity between systems. Because many applications use the same data, the specific mechanisms of those transactions can be a vulnerable asset.
• An unprotected application can be a threat to overall cybersecurity because of the application’s visibility into security systems. Companies should employ a “red team,” which is a security assessment that evaluates and identifies potential attack methods with the same threat based thinking an attacker might use. This can give companies an idea of where their cybersecurity plans may be vulnerable and where to reinforce security measures.

6. Avoid recovery costs

Incident recovery costs can be extremely high — even for a contained security incident. The average security breach costs more than $4M to remediate, according to a report by IBM, and can pull funds away from investments companies might have made to facilitate growth and improve the client experience. Companies can avoid these costs by investing in preventative security measures in addition to incident response plans.

Solutions

• Companies should complete tabletop exercises at least twice a year to simulate emerging or pressing threats. These exercises could cut response costs by preparing teammates for common response pitfalls and cybersecurity vulnerabilities. These exercises can also help locate weaknesses in a company’s cyber incident plan.
• While cybersecurity prevention assessments are valuable, companies should also carefully develop incident response plans to lower costs associated with incident recovery. Incident recovery requires planning, effective documentation and practice before a security incident occurs to help identify areas that need improvement. 

7. Protect brand reputation  

A company’s brand takes years and significant investment to build and is key to maintaining a loyal customer base and fostering trust and awareness. Cyber threat groups looking to cash in on an attack often do so by threatening to damage the target’s brand. There have been multiple cyber incidents among gaming and leisure companies in recent years that drove large payouts to threat groups. 

Solutions

• As companies prepare for complex threats like ransomware and artificial intelligence attacks, foundational capabilities become even more crucial. Investing in a data security and threat management review program can help reduce detection, recognition, and response times.
• Regularly use small engagements with risk management and maturity assessment consultants to help your security team step outside of day-to-day operations and apply extended security practice frameworks. For example, the NIST’s CSF 2.0. Framework helps identify vulnerabilities that could be exploited by adversaries and uncover opportunities for improvement

Planning Ahead

Gaming and leisure companies of any size and in any location can become a target. Threat groups can be both domestic and international, including nation-state actors and cyber-criminal organizations. Every organization must prepare its cyber defenses by regularly updating their cybersecurity practices and incident response and prevention plans.

Keeping up with evolving data security requirements can be difficult as cyber criminals continually become more advanced. BDO can help provide guidance at all stages of the process. From assessing current security systems, to implementing new security practices and programs and even to continuous monitoring and updating.