In iGaming, cybersecurity matters not just from the compliance perspective: the challenges also include fraudulent activities, data leaks and general hindrances to long-term innovation. Symphony Solutions, a company that offers iGaming software development services, partnered with UnderDefense, a leading US cybersecurity firm, to address the real cybersecurity challenges the technology industry faces today.

The discussion was led by Eduardo dos Remedios, VP of iGaming at Symphony Solutions and a true industry veteran; Nazar Tymoshyk, a founder of UnderDefense and an ethical hacker with over 20 years of experience; and Giannella Borg, Information Security Team Lead at Catena Media.

The webinar focused on cybersecurity challenges in iGaming, and the two main topics on the agenda were:

- Cyberattacks and security in iGaming
- How developing products secure by design can mitigate the risks

The relationship between IT and cybersecurity

Gaming companies spent an average of $1.2M because of damage or theft of IT assets and infrastructure.

Very often in the iGaming business, whether new or well-established, IT and product development are key drivers of business success. However, in this domain cybersecurity quite frequently tends to be undervalued at the initial stages. That is a fatal mistake, because sooner or later security may create a dramatic situation for the business. The right approach is to factor in security from the beginning.

iGaming is a huge and tempting domain for hackers, as fines and compliance are critical here. One day of business interruption for major iGaming operators may cost $42-50 million on average, not to mention the reputation loss. None of these things are to be trifled with.

The average payment following a ransomware attack in 2020 rocketed up 171% to $312,493 compared to $115,123 in 2019.

Much like the industry itself, the IT vs cybersecurity relationship is a team sport.
Here you have various roles, like defenders, attackers, and builders on the security side. As in any team, to be successful you have to collaborate in order to get things done. Essentially, on the security side you need a good communicator, a Jack-of-all-trades, who can collaborate well with other groups and other organizations. This matters because the CIO and the product development team often share an incorrect perception that security just has to make sure the product is released secure. That's why they rely heavily on pentesting alone. But security often depends on the rest of the organization, and there should be someone who's in control of it.

Sadly, cases where one compromised user account in Azure Cloud allowed attackers to take down the whole customer infrastructure in the Cloud are quite common, because iGaming providers believe that shifting everything to the Cloud will solve each and every one of their problems. The important thing about the Cloud is having the right skills and the right team to be able to operate in it. But before doing that, you have to look back and ask yourself whether your business is meant to be on the Cloud and whether the business model is made for the Cloud. The next step is skilling up your team to be able to support the Cloud. Being on the Cloud just for the sake of it, just for the brand, is a waste of time and money.

Cyber resilience and where to start

- Cyber resilience is not a one-time thing
- Achieve the right balance between people, processes, and technology
- Tools often do not solve real issues; people who know and use tools effectively make an impact

Building cyber resilience is a process. It's not something you can do once and be done with. It's achieved slowly over time, and even if a business is in a comfortable position, it has to continue working towards it. Resilience improves over time.
But it's not just about the technologies: you also need people behind them who will run the tools and extract the information. Then, using that well-informed skillset, you can create processes to continue the good work that you've done. It's long-term work, and it's essentially about achieving the right balance between those three components: people, processes, and technology.

Building their cyber resilience program

Create a mindset. To really embrace security and make sure it is embedded into the product design and software development lifecycle, it has to be a mindset. You need to be thinking about it as a company, and you need to educate the people that you already have. During this process you may identify that you are actually missing some key roles. Make sure it is there in your head: cybersecurity is something you need to be thinking of all the time.

Pentesting. In iGaming, penetration testing is a part of the regular IT process, but many companies treat it as just a tick in the box. In reality, it gives only a point-in-time view of what your products look like. The important thing is to do it more frequently, as part of a holistic application assessment process. It might identify some gaps in the way you do things, but ultimately it's just a snapshot of what is happening. It should be a part of an information security strategy, but you shouldn't depend on it completely.

Think like a hacker. The problem is that developers are very often just engineers who are told what to do and what functionality has to be achieved. Getting products secure by design means there should be someone who thinks, from the very beginning, about the ways the product might be misused and, consequently, how the customers must be protected. There should be someone who sets these security requirements and educates the developers to build secure products.
With the development of the DevOps culture and DevSecOps, this is much easier, because security now has a place at the table and is shifting from a reactive to a proactive approach.

Getting started

A word of advice:

- Analyse current practices
- Define your maturity level
- Ask yourself where you are with security awareness training

The later you are in your production cycle, the harder it is for you to fix any architectural issues. Make sure your attention is focused sooner rather than later. If something is already live in production and you have an incident there, the cost of remedying it can be vastly higher than the cost of remedying it at the beginning, when you are creating the requirements for your software.

Key takeaways

The new paradigm of 2021, when we witness numerous businesses getting hacked, shows that the main difference between successful and unsuccessful companies is how ready they are to deal with an incident. This readiness can be achieved through regular practice and attack simulations, as well as constant learning. When a breach does happen, how we communicate with all our consumers from the marketing and legal perspectives is essential.

Cyber resilience is about building readiness and preparing for the worst-case scenarios. Good companies think ahead about such issues, hiring security professionals to drive this process, share their thoughts with the board and make the risks understood. Be as proactive as you can be and seek input from people. Get specialists who know more about security than you do. Ensure that you are as secure as you can be, because at the end of the day you have a responsibility to your customers. That's the key thing.

Summing up:

- Every company can be hacked. The difference is in how they are prepared and how they react to an incident.
- Building products secure by design is way more cost-efficient, and we recommend applying SDLC and DevSecOps best practices to your product. To get the most out of it, work with specialised companies.
- Monitoring and understanding your assets and users is critical. Small anomalies also matter, and if you don't watch your infrastructure, this blindness will be costly.
- Make cybersecurity part of your Dev and IT/Sec team mindset. It makes far more sense to be proactive.

Make security your priority and take the right steps to protect yourself from security breaches and hack attacks. Symphony Solutions provides Pentesting and Secure SDLC as part of its Application Security Assessment and DevOps services.