When people want to bet, they will bet. Just make it secure for them!
In the last weeks, the global cybersecurity community has been “hit” with the news that RSA, one of the best-known cryptographic algorithms, named after its inventors (Rivest–Shamir–Adleman) and used worldwide for identity verification, digital signatures and key generation in data and communications encryption, has been partially broken by Chinese researchers using advanced computing methods.
By Sergiu ZAHARIA, Founder Expand Cyber

After some days of news storms, including the concern that researchers had managed to break the so-called “military grade” cryptosystem, the security experts understood that this is an important but small step, still at an astronomical distance from breaking such a widespread algorithm. Probably, in the next 5 years, this will still not happen, and if it does, the industry is prepared with the so-called quantum-resistant algorithms, which are really strong and practically unbeatable in the upcoming 50 years. But just the idea of having, in the near future, a broken, globally widespread, public cryptographic algorithm, one used to prove your identity or your clients’ identity, made me think seriously about the industries that may be the most affected, at least from a client-perception perspective.
The military is not. It uses different encryption algorithms for serious matters. The critical infrastructure sectors, like banking, telco, energy or transportation, follow strict regulations across the EU and worldwide, so they are better prepared for this type of technological advance in cryptology. I would not bet everything on that, though. Healthcare players are trying to keep pace. What about the gambling industry? Is it prepared for such a “big thing” in the technological world? Are you aware of how much technology and math gambling involves, and of what matters to the players in this industry? By “players” I mean the companies providing a platform for the real players, the clients, who need to trust “the system”.
First of all, it is about randomness. If somebody can predict each of the next numbers with better than 50% probability, that is not randomness. It should make no difference to me whether I flip a coin or play online gambling. In practice, after the military systems that use hardware-based, truly random number generators to protect big secrets, gambling infrastructures are among the most concerned with this process. Today, the pseudo-random number generator algorithms used by gambling developers are examined by independent testing laboratories and have to pass statistical analysis and simulation tests before being moved into operation, which gives a good level of confidence in the gambling system. Secondly, the same level of confidence comes from the use of globally recognized encryption algorithms for protecting transactions and personal data and for strongly validating identities, despite the recent concerns floating within the community of cyber experts. So, on the encryption side, let us say we are in good shape, as long as we are not constantly targeted by state actors and crypto scientists with huge budgets.
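As an added example, not from the article or from any testing laboratory's own suite: a Python implementation of two tests of the kind those labs apply, the frequency (monobit) and runs tests from NIST SP 800-22, run over constructed bit streams so that a balanced-but-patterned stream and a biased stream can be seen failing.

```python
"""Frequency (monobit) and runs tests in the style of NIST SP 800-22.
Added example with constructed inputs; not a certification suite."""
import math
import os

ALPHA = 0.01  # a stream "passes" a test when its p-value is >= ALPHA


def bytes_to_bits(data: bytes) -> list[int]:
    """Unpack raw bytes into a list of 0/1 values, least significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def monobit_test(bits: list[int]) -> float:
    """Are ones and zeros balanced? Returns the p-value."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)      # +1 per one, -1 per zero
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_test(bits: list[int]) -> float:
    """Does the stream switch between 0 and 1 about as often as a random
    stream would? Returns the p-value, or 0.0 when the stream is so
    unbalanced that the test does not apply (NIST prerequisite)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v = 1 + sum(bits[k] != bits[k + 1] for k in range(n - 1))  # number of runs
    num = abs(v - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def evaluate(bits: list[int]) -> dict[str, bool]:
    """Pass/fail verdict per test for one bit stream."""
    return {"monobit": monobit_test(bits) >= ALPHA,
            "runs": runs_test(bits) >= ALPHA}


if __name__ == "__main__":
    n = 100_000
    # Constructed streams: OS CSPRNG output, then three deliberately bad ones.
    print("os.urandom  ", evaluate(bytes_to_bits(os.urandom(n // 8))))
    print("all ones    ", evaluate([1] * n))                 # fails both
    print("alternating ", evaluate([0, 1] * (n // 2)))       # balanced, fails runs
    print("60% ones    ", evaluate([1, 1, 1, 0, 0] * (n // 5)))  # biased, fails both
```

Passing such statistical tests is necessary but not sufficient: a stream can be perfectly balanced yet fully predictable to anyone who knows the generator's state, which is exactly the "predict the next number" property described above, so a cryptographically secure generator is required, not merely a statistically sound one.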
However, for the rising star of online gambling, the implementation of these random number generators and crypto algorithms, together with their supporting IT infrastructure, applications, and identity and access management, including age verification, becomes one of the most critical components of trust. Players’ trust. In this area, at least, I would suggest three actions for companies in the gambling industry, to ensure their business resilience and maintain customers’ trust.

Cyber Security
- Assess your cybersecurity posture holistically, at least every year
Cybersecurity is a holistic domain covering more than 30 major areas, from governance and management to digital access control, identity management, incident detection and response, anti-malware, software security and sensitive data protection. In the encryption area, for example, evaluate how modern your cryptosystems are and whether they are considered resistant to future attacks, such as those discussed by the cyber community these days, and make that your competitive advantage. Test your critical systems and applications with multiple methods, from vulnerability scanning of the source code to penetration testing of the final product, and ensure that only secured, thoroughly scrutinized applications are launched into operation. Any open channel for cyber criminals or malicious insiders must be identified, monitored and controlled. When the cost of security measures is out of proportion to the risk, the remaining risk should be managed differently, by transferring it to insurance companies or simply monitoring for possible exploitation of the weak channels. Without visibility into how strong the people, processes and technologies securing the game are, you are just spending money blindly, with no perceived benefit.

- Exercise the failure through cyber crisis simulations
Any budget you allocate to cyber resilience, every skilled professional you hire for the security department, every consultant you engage to design your cyber transformation program, nothing you do will keep you away from a future cyber crisis! It happened to MGM and Caesars Entertainment, and they surely had sizeable budgets and skilled cyber professionals. It is simply the asymmetric kind of battle you are facing: the hacker has to find only one way into your infrastructure, while you have to cover all of them. For the worst-case scenarios, management teams, starting with the CEO, have to be prepared, and the best way to do it is through tabletop cyber crisis simulations. The nominated crisis cell members work through different scenarios, from hackers encrypting their systems to sensitive data being exfiltrated, and test different types of response decisions, such as the communication strategy or the not recommended, but always considered, ransom negotiations. As gambling companies will not benefit from the same empathy when hacked as healthcare organizations do, media and client communication should be tested and validated upfront, during simulations, so that it is ready for real attacks. Trust is a matter of perception and should be managed carefully. Why not test a scenario in which people in Romania suddenly start talking about the cryptosystems being hacked, and their online gambling identities, with the associated money, being at risk?

- Train your top management in cyber risks
Having top management aware of cyber trends (like the breaking of fundamental cryptosystems) and of the inherent risks generated by cyber criminals, researchers or disgruntled insiders is one of the best defenses, as the executive officers will sponsor security with their authority and act as role models in ensuring cyber hygiene in every single action they take. Explaining the cyber trends to them, in a way that is both relevant and adapted to their role and industry, helps leaders allocate the right attention and optimize the costs for the optimum cyber resilience of their business. Do not miss this part, as management commitment is one of the most important topics in cybersecurity governance. Give the leaders the right chances both to ask the right questions and to win the cybersecurity and reputational battles they have to face. It is a win-win situation for players on both sides of the game.
When people want to bet, they will bet. Just make it secure for them, at least like RSA!