Hank Opdam has seen things behind the scenes at The Star Entertainment Group’s casinos that would make any CISO wince. And the general manager of IT Governance, Risk and Cyber Resilience for the company, which runs three huge ‘integrated resorts’ on Australia's east coast, has the photos to prove it.
Like the sign an employee stuck up above the computer and printer set-up that makes staff access cards that read, in all caps: ‘The new staff ID computer password is ___’.
"That's a security fail times two. I love that one," Opdam told an audience at the CeBIT technology conference in Sydney yesterday.
As well as being a security nightmare, it is a literal sign that employees at the time felt security measures were hampering their work, Opdam said.
"How do you know when you've got this perception of too much security? It looks like this: people put passwords on little bits of paper and stick them to computers. Your security guys do this excellent thing called the 'any, any, any' rule on the firewall turning a $40,000 device into a $10 switch," he explained.
"When people feel it's too much, they feel obliged to circumvent it."
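The ‘any, any, any’ rule Opdam mentions is easy to spot in a rule export if you look for it. The script below is an added illustration, not code from the article or from The Star; it reads a constructed, vendor-neutral CSV export of firewall rules and flags permit rules that are wildcarded on all three of source, destination and service (plus the near misses that are open on two of the three).

```python
# Added example (not from the article or The Star): audit a firewall rule
# export for the "any, any, any" permit rule, which makes the firewall
# behave like a plain switch. The CSV format is a constructed, vendor-neutral
# layout: "action,source,destination,service,comment".
import csv
import io
from typing import Dict, List

# Values that mean "match everything" in common rule exports.
WILDCARDS = {"any", "*", "0.0.0.0/0", "::/0", "all"}

# Constructed sample export; these are not real rules or addresses.
SAMPLE_RULESET = """action,source,destination,service,comment
allow,10.20.0.0/16,10.30.5.10,tcp/443,POS to payments gateway
allow,any,any,any,temporary - added during go-live
deny,any,10.30.0.0/16,any,default block to server VLAN
allow,0.0.0.0/0,10.40.1.5,tcp/25,inbound mail
allow,any,any,tcp/53,dns anywhere
"""


def is_wildcard(value: str) -> bool:
    """True if the field matches everything (case- and whitespace-insensitive)."""
    return value.strip().lower() in WILDCARDS


def audit_rules(export: str) -> List[Dict[str, str]]:
    """Return permit rules that need review, in ruleset order.

    'critical' = allow rule wildcarded on source, destination and service
    (the any/any/any rule); 'high' = allow rule wildcarded on two of three.
    Deny rules are skipped: a wildcarded deny is usually the intended default.
    """
    findings = []
    for line_no, rule in enumerate(csv.DictReader(io.StringIO(export)), start=1):
        if rule["action"].strip().lower() != "allow":
            continue
        open_fields = [f for f in ("source", "destination", "service")
                       if is_wildcard(rule[f])]
        if len(open_fields) == 3:
            severity = "critical"
        elif len(open_fields) == 2:
            severity = "high"
        else:
            continue
        findings.append({"rule": line_no, "severity": severity,
                         "open_fields": ",".join(open_fields),
                         "comment": rule["comment"]})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULESET):
        print(f"rule {f['rule']}: {f['severity']} - wildcard on "
              f"{f['open_fields']} ({f['comment']})")
```

Run against the sample, rule 2 is reported as critical and rule 5 (any source to any destination on DNS) as high; the inbound mail rule passes because only its source is open.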
To bring a halt to the security horrors, over the last couple of years The Star has changed the way staff encounter security measures by removing the friction they cause, and raising awareness with some cheeky education campaigns.
“We don’t block things or stop things because we’re bastards, we’re doing it because we want to get a better outcome,” Opdam said.
Opdam joined The Star Entertainment Group (then Echo Entertainment Group) in 2011, following many years in security roles with financial firm AMP.
Coming from a career in banking, Opdam said some of the technology set-ups he found at the casinos came as a shock. In some cases an eagerness to provide great customer service had left security lacking.
In his second week he was asked to check the security of devices used to help high-rollers access more money to gamble.
“This is a VIP customer, getting potentially tens of millions of dollars delivered to them and them authenticating and authorising that – on an iPad, on a wireless connection, in a public place,” he remembers.
“I came from finance and it would take 13 years, 17 committees to go and approve for that to happen. I had one week to secure it… We had a predisposition towards getting it done then sorting out the security later, or that’s historically how it worked.”
As a result there had been some security slip-ups in the past: “stoushes with malware”, physical assets including a bouncer's walkie-talkie stolen, USB sticks used to take work home, a “defaced” kiosk display.
The group’s security stance has since tightened considerably. Things could have got a lot more serious. Casinos are undoubtedly prime targets for hackers, and their staff are considered a valuable gateway to access systems.
Casino ‘hacks’ do happen. In 2013 Melbourne's Crown Casino was the victim of a $32 million scam in which cameras in a VIP room were ‘tapped’ to view player cards, which were fed to one gambler via a wireless transmission. A staff member who looked after high-rollers was later sacked.
Last year, Darktrace reported that a hacker used an internet-connected fish tank to gain access to a casino’s network and send out data.
“It's dynamic, it's sexy, it's glamorous; from the outside it looks like we've got lots of liquid money, so we're interesting to attackers,” Opdam said.
Frictionless and fun
Star Group’s 10,000 employees are on the frontline of information security, Opdam said. Cyber hygiene has to be made easy for them for it to be effective.
The staff count is doubling over the next few years as the group opens another three casinos, making easy-to-follow, scalable security measures essential.
The online staff portal MyStar has been rolled out, where employees can book holidays, access pay slips and swap shifts. It will soon come as an app, with PIN and fingerprint access.
“We’re trying very hard to be frictionless. It needs to be frictionless,” Opdam said. “If you make it too much of a challenge you're going to have a crappy experience for your employees and your partners. And ultimately they'll circumvent what you have in place and you'll end up with breaches in any case.”
Security policies have been condensed into a single page, since “policies are boring”. Web pages are no longer blocked, but accessed after a warning page gently reminds users about the potential dangers, plus their “name and date and IP address – just letting you know everything’s being logged”.
Most importantly, there’s been a cyber awareness campaign targeted at an employee base who are “typically very young, they're quite IT aware but not very cyber savvy,” Opdam says.
Given the younger demographic, educational messages use humour and sauciness to cut through. One poster reads: “It’s a thin line between OMG! And WTF? Ask yourself if it’s appropriate before you send it”.
Opdam and his team have taken a Disney inspired approach to rules. At Disney theme parks and resorts, whenever a rule is given it comes with a full explanation of why it’s in place.
At Star Group, rules are framed in a way that makes employees feel following them is for a greater good.
“We’re actually implying that we’re in this together, and we’re looking out for each other because it’s good for everyone. You’re not protecting the company, you’re not protecting money, what you’re really protecting is the mums and dads of Australia who own the organisation. You’re protecting your ability to turn up to work tomorrow and get paid. You’re protecting your friends who work in the organisation because if you don’t do things right, well then some of us are out of jobs,” Opdam explained.
“It’s all about that kind of feeling. It’s about community and it’s about heart and it’s about feeling, it’s not about rules,” he added.