GPWA Times Magazine - Issue 25 - June 2013

dards and go no further. The same trend has already been observed in the iGaming space. I recently had an individual from one of the major testing labs tell me that they have to be careful only to test to what the standard requires, and no more. Unless the sites begin to go above and beyond what the regulations require, they will suffer the same fate experienced by many companies in other sectors that view compliance as checking a box. Regulation alone can’t make the sites secure, but it is a necessary starting point.

An interesting part of the executive order was the section encouraging information sharing between commercial entities and the federal government. While this part of the order is not popular among some critical infrastructure organizations, I believe it does make sense. Although perhaps not as damaging as an attack against critical infrastructure, a significant breach against one of the iGaming sites may have dire consequences for the entire industry. Imagine if one of the online poker sites suffered an attack where players’ hole cards could be viewed. Even though only one site was affected, the general public’s perception of the safety and integrity of the overall industry could be greatly compromised.

I am not suggesting that competitors give away their trade secrets, but sharing information in certain areas would have its benefits. For example, if operators were to share distributed denial of service (DDoS) threats and attack vectors, or if they discussed how they were detecting the latest bots and collusion attempts, the industry would become more mature and respected due to its greatly improved security posture. Perhaps this type of activity is already taking place and you have PokerStars, for example, sharing security information with Bodog, but I doubt it. Before critics claim that this does not happen in other industries, I am here to tell you that it does.
For example, one of my customers is in the railroad industry, and the major railroads’ heads of security meet on a regular basis to discuss what each is doing and to learn what improvements they can make.

I am not going to lie; security comes at an expense. The $64,000 question is: Would players pay more to use a site that they knew took extra steps to verify and ensure the security of the gaming platform and environment? Unfortunately, businesses often look at this additional cost and, because they do not see an immediate return on their investment, it is one of the first items to get cut. This does not occur just in gaming. When there is competitive pressure to cut, sometimes security becomes the victim.

The more visionary site owners do take security seriously, and I have had gaming customers come to me because they don’t want to just comply with regulations and minimum internal control standards; they want to go above and beyond, making sure their systems are actually protected. Would customers be willing to pay 10 cents more in rake if that meant that the code was undergoing security reviews on a regular basis, that monthly vulnerability assessments were occurring and that other security mechanisms were in place? I am not sure, and the argument can be made that they should not have to. However, unless these types of continuous monitoring approaches are mandated, I don’t believe it will be done unless a portion of that cost can be passed on.

Securing iGaming has only gotten more complicated over the past few years. The games and applications are more complex; they are being offered on new platforms, such as mobile, and the stakes have never been greater. I do believe that the iGaming industry needs to borrow the right concepts and plans from other verticals, including the federal government, and at the same time learn from the past mistakes that have been made both within and outside gaming.
Gus Fritschie serves as Chief Technology Officer (CTO) of SeNet International. He has been involved in the field of information security for over 10 years. Fritschie’s responsibilities include the adoption of new lines of business and new technologies for the delivery of expert services to SeNet’s government and commercial clientele. He has multiple industry certifications including the CISSP and CAP.

“The $64,000 question is: Would players pay more for using a site that they knew took extra steps to verify and ensure the security of the gaming platform and environment?”

42 Improving cyber security and how it relates to iGaming
