Leon Allen, our Cybersecurity Director, assesses the NCSC report on UK gambling industry cyber threats.
The National Cyber Security Centre (NCSC) recently published a rare but important study into cybersecurity practices within the UK gambling and lottery sector.
Conducted by Ipsos MORI, it takes a close look at attitudes towards cybersecurity, the key threats organisations are up against, the level of preparedness, and the increased risk of falling victim to an attack faced by those that rely heavily on third parties.
Below, I pick out some key takeaways from each section of the report and share my thoughts on what it means for those operating in the UK gambling and lottery industry, as well as further afield.
Attitudes towards cybersecurity:
The report noted that the majority of stakeholders saw cybersecurity as a “very important function” within their organisation because it could directly impact customer trust and confidence in the products and services they offer. They further noted that cybersecurity was a “high priority” within the organisation but that it was a “competing priority” and that it was seen more as part of the IT function than as being integral to the overall success of the business.
It is good to see that the wider industry is taking cybersecurity seriously and that it is considered a high priority by most organisations in the sector, as it should be given the seriousness of a cybersecurity attack: according to IBM, the average cost of a data breach in 2021 was $4.2m.
Cybersecurity is nothing new to Continent 8, which has been protecting operators’, suppliers’ and industry data for more than 20 years. Over that time, we have continued to enhance and augment our Secure suite of solutions to meet the ever-changing demands of the sector. This includes the addition of our Endpoint Protection and SOC/SIEM solutions to address the ever-growing concern around ransomware.
In addition, it has become increasingly important – no, essential – to educate and train staff at all levels about the cybersecurity threats being faced and what needs to be done to mitigate them.
However, the fact that cybersecurity is still seen as a “competing priority” lends further weight to giving cybersecurity experts a voice at the most senior levels of a business, so that the business is advised on the latest threats and has planned its response to a cybersecurity attack before it actually happens.
The types of threat being faced:
The NCSC report identified four of the most prevalent threats being faced by organisations in the gambling and lottery sector. It’s no surprise that Distributed Denial of Service (DDoS) attacks made the list, but the most prevalent threat identified was credential stuffing (i.e. using previously stolen credentials).
Other threats highlighted include phishing and ransomware, which was identified as the “most severe threat” both in terms of an organisation’s ability to defend against a possible attack and in terms of the impact it could have.
When it comes to DDoS, the report noted a rise in the number of attacks during 2020 and at the height of the Covid-19 pandemic, when the shift to working from home presented more vulnerabilities that “bored” and “opportunistic” cyber criminals were keen to exploit.
Our own data shows that the volume and size of DDoS attacks have continued to rise despite life returning to normal. In 4Q21 we blocked 641 DDoS attacks against our customers, up from 546 in the previous quarter. It is worth noting that the Q3 number was more than double that recorded in the second quarter.
This demonstrates the importance of taking a multi-layered approach to cybersecurity in order to protect against the various attack methods used by hackers and criminals. Protection should cover the data, endpoint, application and network layers of your business to safeguard against the different types of threats. Defences such as a private network, DDoS protection, WAAP, SIEM/SOC and EDR/MDR operate together to protect an organisation.
Levels of preparedness:
Those interviewed for the report said they felt they were “well prepared to deal with cyber attacks” but many noted challenges when it came to ensuring that cybersecurity was taken into “consideration at every step of the product development” and ensuring better ownership of risks.
Employee awareness was also considered to be good, but this can only be achieved by continued training through a mix of mandatory courses as well as fictitious attacks (such as phishing campaigns) to test and improve the resilience of the wider workforce.
Third-party and supply chain management:
One of the most interesting findings to come out of the NCSC report was the reliance on third parties, and in particular game studios and content providers, and the impact this has on security.
All of the organisations interviewed for the report used a large number of third-party providers, ranging from 75 to 10,000.
The report highlighted a number of risks of using third parties to such a great extent, including the confidentiality of user data as well as the increased risk of cyber attacks against their own systems and networks if a third-party provider were to become compromised.
If you use third-party providers, my advice would be to treat them with the same level of diligence as if they were directly part of your business. Request to see their security strategy and ensure it meets the same standards as your core business.
Crucially, what is needed here is a complete understanding of the unique nature of the iGaming industry, especially given it is one of the most attacked of all market sectors.
Having served the global gambling industry for more than two decades, Continent 8 not only understands the importance of a safe player experience but how to provide this by ensuring data is effectively protected.