Industry standards insights: Gaming cybersecurity frameworks

The iGaming and online sports betting industry is facing unprecedented cyber attacks as it seeks to protect business operations, safeguard personal data and uphold public trust.

On April 14, 2024, Gaming Laboratories International (GLI) released the first gaming information security standard, “GLI Gaming Security Framework Module 1 (GLI-GSF-1): Gaming Information Security (GIS) Common Controls Audit”, and on July 30, re-released the module for public comment.

It’s important that operators and suppliers understand what this means. Therefore, in this blog, we will explore the released framework, how a cybersecurity framework can assist the iGaming industry and its role within the online gaming industry.

What is the GLI Gaming Security Framework (GLI-GSF-1)?

The GLI-GSF-1 is the first cybersecurity framework explicitly tailored for the gaming industry. It was developed to address the sector’s unique security challenges by providing a set of controls to safeguard critical system components, transaction processing, and sensitive data.

This framework provides common controls for auditing a gaming organisation’s Gaming Information Security Management System (GISMS). The structured framework ensures that gaming operations can function securely, similar to eCommerce operations, within safe and stable environments.

GISMS protects sensitive data and systems within a Gaming Production Environment (GPE). It addresses evolving threats and compliance requirements by maintaining policies, controls, risk management and continuous improvement.

Why does the iGaming industry need a cybersecurity framework?

Industry experts highlight recent attacks on major casino and hospitality businesses as a wake-up call for the iGaming industry to enhance its cybersecurity. Two of the more high-profile cases involved MGM Resorts International and Caesars Entertainment:

  • In September 2023, MGM Resorts suffered a 10-day cyber attack. The breach affected systems across Aria, Bellagio and MGM Grand, including corporate email, reservations, bookings and digital key card access. At the G2E 2023 gaming show, MGM CEO Bill Hornbuckle shared that the cyber attack disruption cost the company over $100 million.
  • Caesars Entertainment fell victim to a cyber incident in the same month, and it appears that the same hacker group was behind the attack. “Scattered Spider” or “Roasted 0ktapus,” an affiliate of the Blackcat ransomware group that deploys their ALPHV malware during attacks, accessed the “Caesar’s Rewards” loyalty program database. Caesars revealed making a $15 million ransom payment to prevent sensitive information from being made public.

“Cyber attacks have become the new normal in the iGaming and online sports betting industry,” said Patrick Gardner, VP & CSO at C8 Secure, a Continent 8 Technologies company. “The persistent and escalating occurrence of security breaches highlights the urgent requirement for organisations to effectively manage cyber incidents. Unfortunately, many organisations are ill-prepared for such situations, emphasising the need for an industry-specific cybersecurity framework approach.”

The benefits of a cybersecurity framework

Cybersecurity frameworks are not a new concept. The financial sector, with its mature cybersecurity practices, can offer valuable insights for the iGaming industry.

For instance, the Payment Card Industry Data Security Standard (PCI DSS) cybersecurity framework is designed to create a secure environment and protect card transactions against data theft and fraud. Compliance with PCI DSS is, in fact, mandatory for any company that processes credit card information, regardless of industry. The latest PCI DSS v4.0 standard emphasises Web Application Firewalls (WAF) for securing online platforms, which is critical for iGaming sites handling sensitive user data.

Another cybersecurity framework is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). This framework, used in the financial sector but also across a wide range of business verticals, is based on industry standards and best practices to help organisations manage critical infrastructure cybersecurity risks. It consists of five core functions – identify, protect, detect, respond and recover – and offers guidance for developing organisational profiles.

The iGaming market can adopt the best, proven principles from existing cybersecurity frameworks but create one that is tailored to the industry’s unique cybersecurity challenges and requirements. iGaming and online sports betting operators and suppliers deal with complex, interconnected infrastructure and IT environments that offer attackers a vast attack surface. With so many potential attack vectors and vulnerable endpoints, a proactive, layered threat prevention, detection and response approach ensures optimal protection – from the edge to the data centre to the endpoint and the cloud. Key implementations should include:

  • Regular security audits and assessments
    • Conduct regular security audits and assessments.
    • Perform internal and external evaluations.
    • Update vulnerability assessment and penetration testing (VAPT) regularly.
  • Advanced threat detection and response using the latest technologies
    • Invest in AI-driven analytics, machine learning and behavioural analysis tools.
    • Implement Security Information and Event Management (SIEM) systems.
  • Robust incident response and mitigation plans
    • Develop and maintain clear procedures for detecting, responding to, and recovering from cyber incidents.
    • Regularly test and update these plans through simulations and drills.
  • Comprehensive training and awareness programs
    • Provide ongoing cybersecurity training and awareness programs for all employees.
    • Educate staff on recognising phishing attempts, social engineering tactics and other common attack vectors.
  • Cyber hygiene practices – protecting the environment
    • Implement and enforce strong cyber hygiene practices.
    • Ensure regular software updates, patch management and the use of multi-factor authentication (MFA).
  • Supply chain security
    • Strengthen supply chain security by assessing and monitoring third-party vendors and partners.
    • Establish strict security requirements and conduct regular assessments.
  • Regulatory compliance
    • Ensure compliance with relevant cybersecurity regulations and standards, rather than simply performing checkbox security.
    • Stay abreast of legal requirements and industry standards.

“Another important consideration is that iGaming operators and suppliers are faced with the challenging task of maintaining the highest security standards and managing how cybersecurity interacts within their hosting, connectivity, cloud and regulatory ecosystem. This places a significant investment and resource burden on many of these organisations, and we’re observing an increase in operators and suppliers seeking to outsource these responsibilities. Managed security service providers that can support all of these requirements should offer the simplest path to integration for smooth deployment with minimal to no downtime,” said Patrick.

Promoting industry-wide collaboration, industry standards

Industry standards embody the collective goals, values, duties and long-term success of an entire industry. Continent 8 has consistently championed and advocated for these standards, engaging and collaborating with fellow industry members through various industry bodies and organisations. Recently, Continent 8 was welcomed into the International Gaming Standards Association (IGSA). With this new role, Continent 8 joins the IGSA Cyber Resiliency Committee, contributing to the development and implementation of industry-recognised cybersecurity standards aimed at enhancing regulatory and cybersecurity quality, innovation and performance throughout the iGaming and online sports betting industry.

The critical role of cybersecurity frameworks

The introduction of a common framework is a critical and necessary milestone to bring gaming security standards to parity with those of other highly regulated industries. By embracing these additional controls, we are not only protecting the integrity of our industry but also prioritising the privacy and protection of our customers’ data. If adopted, Continent 8 stands ready to assist operators in achieving compliance with all aspects of the proposed standards through comprehensive and cost-effective solutions.

As the online gaming industry, and the risks that come along with it, continue to grow, cybersecurity frameworks will continue to play an essential role. Continuous monitoring, enhancements and technical advancements will be required to maintain the security and integrity of gaming operations while ensuring standardised protection for all stakeholders.

To learn more about Continent 8’s cybersecurity approaches, best practices and recommendations for the iGaming and online sports betting industry, contact sales@continent8.com.
