By Justin Cosnett, CPO, Continent 8 Technologies
The so-called ‘new normal’ of remote interaction has resulted in millions more consumer IoT devices creating vulnerable interfaces that are ripe for exploitation by cyber criminals.
During the first few months of the pandemic, Continent 8 saw evidence on our own networks of significant growth in legitimate traffic to iGaming providers. There was a corresponding rise, compared with previous years, in the growth rate of DDoS attack volume, complexity and frequency. While this rapid growth in traffic was something that needed close monitoring, it didn’t really cause the same problems for iGaming as it may have done for other industries. The iGaming industry is one of the most frequently targeted by cyber criminals, so many of our customers are very used to dealing with ‘spikes’ and exponential growth in attacks across several fronts, and that meant the sector generally weathered the storm because robust systems were already in place to deal with it.
In this context we could be forgiven for thinking that we don’t need to do much more to combat increased threats to cope with the ‘new normal’, but the reality is that our ‘post-pandemic’ world will need to break down some of the traditional barriers between ‘corporate IT’ and ‘consumer systems’, as well as addressing the potential impact of consumer-based cybercrime.
Most of our customers will have received formal user InfoSec training, predominantly highlighting that ‘people’ are the weakest part of any secure system. We teach people about dealing with suspicious emails, tailgating awareness, password policies, ‘BYOD’ policy and so-on. All great ‘in a work context’. But many people are now in a mixed home/work context and they aren’t necessarily used to applying those same principals in their home environment.
Due to pressures IT departments may be using their own home devices to access their work systems. How many of those companies’ administrators made ‘minor’ exceptions to the VPN or other infrastructure policies to get them up and running quickly?
It has been widely reported recently that phishing attacks and other scams, targeted to exploit our natural human fears, have increased significantly during the pandemic. A major source of threat to consider, in the wake of the global pandemic, is a new type of insider threat. Not the type of ‘insider threat’ the we learn about in our infosec training (i.e. the sysadmin that got annoyed with their boss), but the innocent employee that has completed all their cyber-security training and follows company policy, but happens to be using their own computer at home for remote access and clicked a link in an official-looking email and now has someone watching their every move on the corporate network.
How do we respond? There’s certainly a technical element to it. Modern developments in intruder detection and prevention systems using machine learning to detect anomalies will be invaluable. Of course, forcing ‘compliance’ on endpoint devices, in terms of AV and Malware protection is a must, as is (if possible) re-tightening any of those ‘temporary’ weaknesses that were deployed by well-meaning IT departments to meet company recovery time targets. Better sharing of intelligence and policy data across our ‘corporate’ and ‘customer-facing’ systems will also help.
However, by far the biggest thing to address is one of user education in this ‘new normal’. The boundaries of work and home are now merged for millions worldwide and the iGaming industry is affected by this as well as many other businesses. The nature of our industry makes us a high-value target for bad actors and therefore our people are also high-value targets. We must help our people understand how to extend the same principals of ‘good practice’ to their personal internet-enabled lives and remember while doing so that not all of them are iGaming wizards with a computer science degree.
The days when we could control our cyber-risk by neatly defined network edges, tight computer policies and encryption, have now passed, and our user training needs to become more than just a tick box for compliance.
Learn more about our secure solutions here