In an era where cyber threats are a daily reality, the iGaming industry must evolve its approach to security. On Day 1 of the SiGMA Europe event, industry experts gathered to discuss these challenges, offering a front-row seat to the latest insights on safeguarding operations in a digital world. The panel, held on the SiGMA Stage, included leading voices in cybersecurity and legal regulation. Each shared valuable advice on preparing for the cyber threats facing operators today.
“We have an interesting panel,” opened Harmen Brenninkmeijer, Managing Partner at NYCE International, chairing the discussion. “We’re going to focus on some events happening around cybersecurity, especially phishing attacks and other threats. This is not just for an IT department to say, ‘what can I learn?’ This is for everyone managing operations to understand the seriousness of the situation.”
The panel featured Peter Wilson, CEO of PWL Legal; Francesca Zammit, Associate and Advisory at NOUV; Kris Galloway, Head of iGaming Product at Sumsub, and Ivan Spiteri, Director of Technology and Assurance Services at BDO Malta. The discussion ranged from phishing attacks to state-sponsored threats, with each speaker highlighting what leaders should prioritise.
Cyber threats in the real world
Peter Wilson, with over thirty years as a regulatory and defence lawyer, shared a story that underscored the risks of inadequate cyber vigilance. “Imagine this,” he began. “You’re a fairly lonely employee sitting in a branch office, one of 70 branch offices in an organisation that employs 20,000 people. It’s Friday afternoon, and you receive another CV by email in response to a recruitment ad. You click on it, thinking nothing of it, and go home for the weekend.”
Wilson explained the attack that ensued. “Over the weekend, the IT department notices some activity on the network but doesn’t look into it too much. Come Monday, that CV had unleashed a payload of malware. It locked everyone out of the system, encrypted payroll data, and made all 20,000 employees’ details inaccessible.”
The attackers demanded a £10 million ransom, leaving the organisation on its knees. “Luckily,” Wilson continued, “one individual in the IT department had taken a partial backup of the system earlier that week. The company managed to rebuild its system, but only by sheer luck.” Wilson’s tale highlighted the importance of dark web monitoring, regular system checks, and employee training to prevent similar incidents.
The human element in cybersecurity
Harmen turned to Kris Galloway, asking how companies can ensure that thousands of employees are vigilant against cyber threats. “Training is one part of it,” Galloway noted. “What Peter described reminded me of the malware attack on MGM and Caesars, which resulted in Caesars paying millions to avoid a prolonged shutdown. This happened in September 2023. Since then, AI has advanced so much, and it’s making attacks even more sophisticated.”
Galloway warned that a CEO’s confidence in their security may signal overconfidence or unawareness. “Can you go to your CEO and reassure them that everything is under control? In an ideal world, yes. But given the impending threat of AI, it’s hard to say, ‘everything is under control’ with any certainty. In fact, if anyone says that, it’s probably a red flag: they don’t know the threats.”
When asked who should be held accountable, Galloway responded: “I think you hold yourself responsible at the C-level. The IT guys know their job well, but if you’re not preparing for these new threats, you’re doing something wrong.”
Zero trust and a culturally embedded security strategy
Francesca Zammit shared her perspective on embedding security at every organisational level through a zero trust model. “At the top level, we need to foster a culture of cybersecurity,” she stated. “It’s not just about the IT team. We need to embed Zero Trust principles where you never trust, always verify.”
Zammit argued this approach ensures even basic tasks like granting access rights are performed cautiously. “You adopt a mindset of never trusting and always verifying. For IT teams, this means always questioning access rights and continuously monitoring.”
Galloway supported her stance, drawing an analogy. “Imagine a Formula One team,” he said. “You can’t expect the same mechanic who’s been with you for 10 years to pioneer your car with the latest tech. It’s up to the C-Level to bring in new expertise.”
Social engineering risks
Peter Wilson highlighted the vulnerability of IT departments to social engineering. “I had a case where two directors in a gambling company persuaded an IT staff member to give them system access. They then shut out other directors, taking over company systems. The IT department must have some independence to prevent manipulation.”
Galloway chimed in with a thought-provoking question: “Could training create a false positive? If someone receives instructions from a deep-fake of their boss, they’re more likely to trust it. Could training actually backfire in this scenario?”
Wilson replied, emphasising comprehensive policies. “There is no perfect answer,” he said. “But if you’ve put reasonable procedures in place, have a paper trail, and prove you’ve taken security seriously, you’re much more likely to avoid severe regulatory consequences.”
Ivan Spiteri suggested an industry-wide approach to cyber resilience. “The gaming industry should look at the energy sector’s model in Europe,” he said. “They have Information Sharing and Analysis Centres (ISACs), which are effective at sharing threat intelligence.” By collaborating on threat information, iGaming companies could pre-emptively combat cyber risks, following successful examples from other industries.
Spiteri also recommended data protocolisation, a strategy from the payments sector that involves encrypting sensitive data separately from the main system. “If there’s a breach, the data remains protected,” he explained.
AI and the future of cybersecurity
Returning to AI’s role in cyber resilience, Galloway voiced his concerns. “We can talk about anti-fraud measures all day, but ultimately, we’re throwing stones while AI is launching missiles,” he warned. He called for transparency in AI solutions to ensure they make traceable decisions. “The more transparent AI systems are, the easier it is for humans to spot false positives and understand why the AI made certain choices.”
When asked if platform providers understand the gravity of AI’s impact, Galloway replied bluntly: “Absolutely not. Regulators don’t fully understand it either. This technology is big, new, and dynamic. Staying in control is crucial, even as AI advances. But we need to program transparency to see why decisions are made.”
As the session neared its end, Harmen encouraged the panel to share final thoughts.
“We’re going to see a growth in state-sponsored attacks,” predicted Wilson. “And probably, we’ll see AI used to automate these attacks on a wider scale.”
Galloway responded thoughtfully, saying, “I hadn’t even thought about what you just said. That makes it infinitely scarier.”
Wilson added, “If you’ve read 1984, Orwell’s vision of the future was a boot stamping on a human face forever.” Zammit offered a parting mantra: “Never trust. Always verify. That should be the way to go.” Ivan Spiteri added, “This needs to be a continuous commitment. Cybersecurity must always be on the agenda for the future.”
With that, Brenninkmeijer closed the discussion. “Please take this seriously. This cannot be emphasised enough. Be vigilant.”
This panel persuaded the audience that cyber resilience requires not only technical defences but a culture of vigilance and proactive adaptation. For the iGaming industry, the message is simple: staying ahead of cyber threats demands attention from every level.
Source: SiGMA Group