Brave new world: Cyber security expert preaches constant vigilance at G2E

October 12, 2018 11:58 PM
  • John L. Smith, CDC Gaming Reports

It appears beating the competition may be the easy part. In the digital age, the biggest challenge is outfoxing Internet pirates who can rob profits and wreak havoc with a few keystrokes or a piece of valuable information left unprotected.

Cyber security expert Shawn Henry delivered that reality check to casino industry executives Wednesday during the Global Gaming Expo at the Sands Expo in Las Vegas. Henry, president of CrowdStrike, spent 24 years with the FBI, rising to assistant executive director with more than six years overseeing investigations into computer network attacks.

If that makes him sound like a character straight out of a William Gibson cyber-punk novel, it’s not much of a stretch. He’s adept at navigating both the physical and cyber networks that converge a little more each day in our business and personal lives. Henry called for a holistic approach to a complex problem that not only robs businesses and citizens of trillions each year, but in some cases poses a catastrophic and even existential threat to society.

Think it’s an exaggeration?

A Russia-backed hack of network systems in Ukraine effectively brought the sovereign nation to a halt and pilfered it for billions. Major corporations took massive losses. In June, Reuters reported that Ukraine officials are anticipating a follow-up attack. Although not specifically targeted by malware hackers, companies doing business with Ukraine lost billions.

Although hackers can work from a great distance, their dirty work can hit close to home. G2E casino host Las Vegas Sands was hacked in 2014 by associates of the Iranian government, then-Director of National Intelligence James Clapper confirmed. The assault on systems cost the casino giant approximately $40 million.

Threats can come from nation states, political “hacktivists,” organized criminal groups, terrorist organizations, and individuals. They can come from down the street to across the globe.

“You name the geo-location,” Henry said, “and they’re accessing the network.”

But many victims aren’t business behemoths or publicly traded household names, but smaller, niche companies whose executives may believe they’re off hackers’ radar because they only make “widgets,” Henry said. Whether it’s a data breach, the theft of sensitive customer information, or the purloining of intellectual property, no one is immune.

The answer, he said, was to be “forward leaning all the time.”

Admitting that parts of his talk would sound alarmist and confusing to people focused not on espionage, but on the bottom line in an extremely competitive atmosphere, he boiled the issue down to an equation: threats times vulnerabilities times consequences. Even the busiest corporate boss can appreciate the threat to his customer base and bottom line.

The increased use of “smart” appliances and “the Internet of things” only complicates matters further, Henry says. When your refrigerator can be accessed by computer from outside your home, it’s a brave, new world, indeed. The consequence piece, he said, “from a business perspective is the thing that’s most easily translatable to business owners.”

He offered one anecdote in which a hacker was able to access casino player information via a resort’s Internet-connected commercial aquarium.

It’s not always the shadowy stranger who puts a company at risk. Often, Henry said, a cyber threat originates inside the building. Knowing your employees’ backgrounds and watching for signs of behavioral changes are essential. Some of the most devastating attacks are carried out by disgruntled employees, but others are the result of a sophisticated level of corporate espionage, one in previous generations more typically seen carried out by foreign actors around military installations and government agencies.

“Are you testing your security, again, from the physical side and the remote access side?”

Whether it’s out-of-date software or a hole in the fence, patching the holes and catching the moles in an increasingly complex environment remains a daily challenge.

“Pro-actively hunting” is also part of maintaining security, he said. A “10-foot-high” firewall is nice, but regular testing of the security system is paramount in minimizing risk.

Late in his PowerPoint presentation, Henry flashed a still photograph on the screen taken from “Raiders of the Lost Ark” in which Indiana Jones, pistol in hand, ends an altercation with a saber-wielding marauder.

The caption: “Don’t bring a knife to a gunfight.”

Although it drew laughter from the audience and was intended as a humorous aside, the point was well taken.

“This is about people at the end of the day,” he said, “it’s about human beings who are interested in whatever you have, or they’re interested in disrupting your operations, or they’re interested in targeting key executives in the organization, and there are multiple vectors that they can pursue.”

Those corporations hoping for a return to a simpler way of doing business are kidding themselves.

“It’s one of those things that’s not going away,” Henry said.

Contact John L. Smith at jlnevadasmith@gmail.com. On Twitter: @jlnevadasmith.