Every year there are large-scale cyber security breaches and events reported in the media. Cyber attacks against online giants such as eBay, LinkedIn, Sony and Yahoo have made global headlines in the past few years. In addition to the multi-million euro financial losses that these companies have incurred, they also suffered reputational damage which has significantly harmed their brands. Once customer confidence is broken, it can take a long time to regain that trust.
The gaming industry thrives online. Its size is expected to rise to €53 billion in 2018 from €24 billion in 2009, according to figures published on statista.com. The online presence of video games, competitions, virtual reality games and large international and sports events attracts both customers and criminals from around the globe. From script kiddies, who see breaking into a system as a game in itself, to lone wolves, activists, organised crime and national governments – their main aim is to make financial gain. Statista.com reported that the average annual damage to organisations caused by global cyber-crime in August 2016 reached €10 million in the global technology sector and €15 million in the global financial services sector.
Some gaming companies still choose to believe that the chance of a breach is fairly low, yet it takes only one cyber attack to cause a significant business disruption. Others put their faith in expensive technology, hoping that it will solve their cyber security problems. In fact, adequate technology can prevent a number of external threats; however, a single click on a rogue link in a phishing email by an employee from within the organisation could breach its external security perimeter. Breaking into an organisation from outside requires effort and resources from cyber criminals, yet phishing campaigns continue to grow due to the simplicity and effectiveness of their business model. The cyber underground even offers platforms for Phishing-as-a-Service (PHaaS), Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) – a three-month subscription could cost as little as €6.
Employees are often the weakest link in many gaming companies. A relaxed atmosphere helps people to be innovative and creative, but it increases the risk of cyber security breaches that could be avoided with the implementation of comprehensive policies and awareness training. Appropriate identity and access management controls help to prevent fraud, money laundering and insider trading within the company; they could also stop the spread of ransomware across the internal network and save a company from a potential disaster.
An employee is not the only insider that poses a threat to a gaming organisation; significant risk could also reside within the supply chain due to the high number of affiliates and outsourced services. The telecom giants T-Mobile US and TalkTalk experienced large-scale information security breaches due to the insecure technologies of third parties. As a result, these companies suffered exorbitant fines, a heavy financial impact, irrevocable reputational damage and loss of customers. Being the controllers of that data, they have a legal responsibility to secure the information about their customers. Strong supply chain management could have prevented significant reputational damage and lost business opportunities.
Data Protection Regulation
Gaming companies try to meet the legal and regulatory requirements related to cyber security, but because of their complexity and multifaceted nature, compliance is often approached as a tick-box exercise. Yet new legislation is meant to make organisations rethink the way their businesses operate and to make the necessary improvements. The new European Union General Data Protection Regulation (EU GDPR), which comes into effect on 25 May 2018, is an example of such legislation. GDPR sets out strict requirements for data controllers and data processors, and has stringent fines for non-compliance. Offending companies can face fines of up to €20 million or 4 per cent of the company's global revenue, whichever is higher.
Compliance with GDPR will be hard for those gaming companies that do not have a comprehensive register of the data they hold, where that data is stored or what it is used for. However, the implementation of industry-standard records management practices and data mapping would go a long way towards enabling compliance with GDPR. It would also provide a better understanding of the data flows within the organisation, the systems the data resides on and which individuals have access to it. As a result, organisations would achieve a significant reduction in the risks related to data processing, as well as in the potential costs associated with implementing controls to protect that data. Increased confidence and transparency in data processing practices could have a positive effect on customer retention and growth.
The number of cyber threats that organisations are exposed to every day could seem daunting. KPMG offers professional help through its knowledge, skills and expertise to tackle the complex cyber security problems. Our global reach and broad experience in the field brings value-adding insights as we work shoulder-to-shoulder with our clients to address their business needs for cyber security.
Innovative gaming companies can achieve a successful security posture with an appropriate strategy, an understanding of the adversary and knowledge of the weakest links within the organisation. Combined with effective performance monitoring of the implemented controls, this could be turned into a rewarding business improvement process and a source of new opportunities.
In the world of cyber security, understanding the risks that businesses are exposed to and building a plan of action to address those risks helps to defend the business from cyber threats. Effectively managed, cyber security can give organisations a competitive advantage over their peers, because customer confidence and trust are important drivers for successful online businesses.