Data security and the gaming sector in Malta

Over the last decade, remote gaming has seen the introduction of new internet-based business models, content digitalisation, and the need to enable content to be used on different platforms. This technological evolution has exposed businesses to cyber-crime, as cyber-criminals find new and innovative ways to defeat security measures. Data security has emerged as a major challenge, particularly in view of the very real threat which loss of data can represent to the continuity of a company’s operations and the long-term effect on its reputation.

However, it seems that cyber risks do not always seem to feature on the agenda of Boards of Directors, or as part of the risk management function. In most cases, cyber security is sidelined and omitted from firms’ enterprise risk management systems, simply because management can’t figure out where it can fit in their firms’ traditional structures. Such a myopic perspective is dangerous, because the truth of the matter is that cyber security risks can have grave, and sometimes fatal, repercussions on businesses. There should be no doubt as to the direct connection between technology risk and business risk.

Reducing exposure to cybercrime requires both technical and operational investments, and  the formulation of efficient and effective defense strategies addressing the numerous information technology risks to which gaming companies are exposed, is a critical first step. The mapping of information technology risks and the allocation of the necessary resources to address each major risk should be at the top of the list.

At the same time, management, including the company’s Board of Directors and its Audit Committee, must be made aware of cybersecurity risks, and each of these should understand their respective roles and responsibilities. This would normally include an assessment of the legal implications linked to an attack, and how such an attack might affect the reputation of the organisation. One should also analyse and evaluate the implementation of regular and effective communication between the various management entities, which would be critical in such circumstances. A typical checklist should also take into consideration the allocation of the appropriate human and financial resources, and the implementation of performance indicators for the cybersecurity programme. Finally, it is the responsibility of management to ensure there is a change of culture in order to take into account the impact of these new risks on the organisation.

The importance of personnel training is also critical and so is the integration of security in all company projects. Statistics show that most hacks are caused by errors committed by employees. The latter should therefore be fully aware of the risks of data hacking and the consequences for the company. The key words here are awareness, training and information.

Because of the technical nature of the risks involved, IT management must have in-depth knowledge of best practices, especially those estab­lished by the ISO 27001 standard on information security management systems, NIST (National Institutes of Standards and Technology), ISACA (Information Systems Audit and Control Association) and the SANS Institute.

Regular testing of existing capabilities and procedures will of course enhance the quality of the protection and its durability over time. These should be complemented by social engineering tests such as email phishing, phone pretexting, etc., to ensure users are able to detect a maneouver or any process aimed at extracting information from them that might facilitate an attack. Meanwhile, depending on the type of data the company holds and its reputation, it may be subject to hundreds of attacks per day. If a breach appears, the implementation of a proper response plan may make the difference between a mere incident and a complete disaster.

Because of their potential vulnerability, the integration of security in applications or online games (security by design) requires strong awareness and professionalism on the part of organisations, particularly in terms of Information Systems Management.  In this scenario, it is comforting to note that companies operating in the gaming sector are subject to robust regulation as far as security issues are concerned. In fact, the Malta Gaming Authority requires applicants for remote gamig licenses to implement an information security policy which safeguards data, applications, equipment and network, as well as a strict system access control policy. Compliance with these cyber security policies is one of the requirements for remote gaming applicants to be issued a licence to operate their business from Malta.

Nevertheless, and despite the stringent regulatory framework outlined above, the fact remains that cybersecurity remains a major strategic risk for exposed companies, and that the nature of cyber-crime is to constantly seek out and exploit vulnerabilities. Eliminating threats is impossible, so protecting against them without disrupting business innovation and growth is a top management issue. The big question mark therefore remains linked to the staying power of management to keep pace with the increasing sophistication and complexity of cyberattacks and cybercrime in general, and to protect itself against these effectively.

This article first appeared in the Malta Business Observer on 30 August 2018.