
An inside job: Are operators sufficiently protected from insider threats?
As one former employee of a Gib-based operator faces a £2,000 fine for hacking into its systems, EGR Technology explores the less-discussed insider threats that gambling companies face


Since the introduction of everyone’s favourite privacy regulation – GDPR – in May this year, City law firm Fieldfisher has claimed it is handling a 10-fold increase in cyber-security incidents. As a result, IT security has boomed and the Information Commissioner’s Office (the department responsible for dealing with major data breaches) can barely keep up. But thankfully, with increased general awareness across digital industries, businesses are far more aware of the threats being posed to their technology systems.
However, a recent case at the Gibraltar Magistrates Court has given rise to the less-discussed breed of cyber breach: the insider threat. The court fined a former BetVictor employee £2,000 for hacking into the operator’s systems after he departed the firm.
Local news reports on the Rock said the employee had accessed BetVictor’s system remotely using his login details that were still active on the system. The man told police he was merely accessing a personal work file and had no malicious intent to hack into the wider systems, which was fortunate for BetVictor.
But what if he had nefarious ambitions? Former Gala Coral chief information and security officer (CISO) Peter Bassill says by employing a large volume of people, operators are increasingly vulnerable to threats from inside their systems. “It can be harder for processes to be implemented quickly and efficiently,” Bassill laments.
“In times of austerity, security is one of those things that a lot of people look at and say: ‘it hasn’t happened to us yet,’ and they take a gamble on it.” The trouble with an insider threat is it is far more difficult to detect a breach, and if an employee has access to the system they can move around relatively undetected.
Bassill rightly points out that by being familiar with the system, a staffer is far more able to design an attack around it. “These ex-employees already have an advantage because they know what protection you’ve got or haven’t got. They know what your systems are, and which are vulnerable to certain things,” he adds.
“If you’re not doing annual or biannual penetration testing and you’re not making sure all your procedures are locked down, you’re already at a disadvantage against your ex-employee who is going to want to do something nasty.”

People power: Former Gala Coral CISO Peter Bassill says gambling operators are at a higher risk of facing insider threats because they employ so many staff who have access to the systems and customer databases
Preventative measures
Bassill’s current company, Hedgehog Security, specialises in penetration testing and offering virtual CISO services in Gibraltar. He says his role now is to analyse a company’s internal processes and carry out vulnerability scanning to determine the weakness of systems.
“Typically, you’ll run penetration testing on your inside [network], which is basically having people like me come in and look at your digital systems to carry out an attack to see what works and what doesn’t work, to find the gaping holes and fix them nice and easily,” Bassill notes.
“That doesn’t always happen and even where that has happened, the human factor comes into play a lot, so you’ll get people leaving an organisation and the manager will say they need their password to remain active for the next 30 days.”
Swedish monopoly operator Svenska Spel is in the process of overhauling its entire technology systems to meet new regulation in its home market.
Speaking to EGR Technology, CIO Jörgen Olofsson also highlights the importance of penetration testing to ensure its systems are secure. He adds: “It is difficult to protect against external threats and no easier to meet internal threats.
“We are ISO 27001 and WLA-certified, which provides the basis for our procedures and regulations regarding authorisation controls, separation of duty, etc. In addition to this, we conduct security reviews, internal penetration tests and take other measures to continuously identify flaws and possible holes that may need to be rectified.”
Olofsson also urges other operators to always consider the threats to their security and “never be satisfied” with preventative measures.

Keep it constant: Svenska Spel’s chief information officer Jörgen Olofsson advises other operators to “never be satisfied” with their preventative measures and to keep on their toes
The human element
Michael Josem, former security advisor at Ethereum-powered poker start-up CoinPoker, insists insider threats are often the result of human error and, thus, operators should implement certain processes to prevent these situations from arising.
“Every risk is different. I think in this [BetVictor] case there was no malicious intention as far as I could tell. The risk is so broad, so the business should be aware of its broader strategy, not just for the technology but the wider processes. The solution is having intelligent and conscientious staff.”
During his time at Gala Coral, Bassill established a number of his own preventative measures to deter employees from potentially posing a threat to the company, including changing the way the operator dealt with departing employees and their computer accounts.
Furthermore, he established user-awareness training to teach staff not to click on infected links within emails. Another recent example was when a former employee of an unnamed operator discovered a photo reel of holiday images had been shared internally after they were emailed by an ex-employee to a former colleague still working at the firm.
The email turned out to be malicious and gave the hacker access to the firm’s systems to pilfer its entire client list. In this situation, Bassill insists that good endpoint security, anti-malware and anti-virus systems, and an adequate security scanning solution for emails would prevent the hacker from being able to access any data.
Elsewhere, a November article in Real Business magazine suggested that insider threats have been higher in recent times, given that many employees now work remotely and via the cloud, which allows for better connectivity but also makes log-in credentials more easily compromised.
Jan van Vliet, VP at data loss prevention company Digital Guardian, told the magazine: “With their knowledge of the network and access to company data, preventing a malicious insider from carrying out data theft can be difficult.
“However, data-centric security technologies can go a long way in reducing the likelihood of these attacks. These solutions prevent employees from copying, moving or deleting data unless they have given specific permission or approval to do so. These solutions also redact sensitive data from being sent in an email and will alert the system administrator to any attempts to move sensitive data,” he added.
Van Vliet’s is a worthy point considering the tendency for gambling companies to operate their tech systems in multiple jurisdictions. For the likes of Betsson Group, Kindred Group or GVC Holdings, it is nigh on impossible for a CISO to keep a watchful eye on every individual IT or tech staffer and the part of the business they are responsible for.

Black Swan: Probability expert Nassim Nicholas Taleb’s book on the chances of unlikely scenarios occurring highlights the difficulties companies face in preparing for all possible threats to their technology systems
Preparing for the unexpected
Josem touches on the wider remit of possible security threats faced by gambling operators in an effort to highlight how difficult it is for a company to protect itself from every possible risk.
One example he raises can be traced back to probability expert Nassim Nicholas Taleb’s book, The Black Swan, which sheds light on the likelihood of certain events occurring. In the text, Taleb references a Las Vegas casino that dipped into its reserve funds to pay a ransom after the CEO’s son was kidnapped.
As a result, the casino lost its licence as it no longer supplied the cash to cover its chips. The moral of the story? Online companies face an entire spate of risks that, at present, are entirely unknown.
Similarly, Reid Tatoris, VP for product outreach and marketing at bot prevention security firm Distil Networks, says that companies often take the wrong approach by only preparing for the threats they are already familiar with.
“That’s the wrong way to approach it, because you should be most worried about an unknown new threat that hasn’t been tried before,” says Tatoris. “In the past we’ve thought of security as identifying a specific vulnerability and fixing it. Where companies are shifting now, instead of trying to fix these problems, it is about monitoring usage to understand.”
Tatoris suggests that with additional preventative measures in place, a security team is more likely to spot irregular and unusual movements within its processes.
Considering the freely available advice from security experts on the internet, not least from the UK government’s National Cyber Security Centre (NCSC), which frequently publishes reports on new threats and incident-management advice, companies of all sizes are advised to maintain contact with the NCSC and keep updated with its site.
While the BetVictor case might raise some questions about the industry’s general approach to insider threats, it also serves as a very public reminder that cyber-security is a perpetually evolving area and has helped highlight some of the key areas operators should be looking at and which preventative measures they should be adopting.

Keeping tabs: The UK National Cyber Security Centre regularly advises companies of all sizes on how to prevent new threats to their systems.