- How frequent and effective is staff security training?
- How well positioned is the organization to tackle the ever-increasing risk of cyber threats?
- Which security frameworks does the organization follow and/or comply with? Is this enough to fight new and evolving threats?
- Do you know where critical data is stored and who has access to it?
- How often is the security tested and assessed?
- Have all identified issues or potential issues been resolved? Have the resolutions been tested?
- Have you rehearsed a cybercrime scenario as part of the crisis management preparations?

Understanding your organization's current cybercrime readiness and any potential gaps enables it to best address these risks and demonstrate due diligence in cyber security. In developing a cyber security framework, consideration should be given to the following key elements:

- Know the business risk – Assess the threat landscape and strike the right balance between focusing on likely channels of attack and business operations.
- Be proactive – Secure data and systems in advance; don’t wait to invest until after a breach has occurred and the damage is done.
- Gather and share intelligence – Understand the nature of and methodologies used by cyber criminals. Use this information to make informed decisions and share it with trusted partners in the gaming industry.
- Train your team – Employees remain critical to security, both as the first line of defence and conversely as a potential major threat. Education and awareness are key to ensuring enhanced cyber security controls.
- Engage expertise – Don’t rely solely on the IT department to ensure company data remains secure.
- Have a deliberate response and focus on the business – Being deliberate is essential in both proactive investment and reactive response. For example, develop a critical incident plan to maintain customer and shareholder confidence in the brand.

Gaming organizations interested in differentiating themselves from their peers should take notice of the support for initiatives, including the CSA 11-326, aimed at attaining a better cyber security posture in the industry. While there is currently no requirement to do so, self-adoption by the gaming industry of disclosure principles similar to those outlined in the CSA 11-326 would have a significant impact on gaming integrity, transparency and overall security.

To learn how to protect your organization from cyber security risks, contact Louie Velocci (firstname.lastname@example.org), Partner, Advisory Services, KPMG and visit www.kpmg.ca for more information.