Preparing for and responding to cyber-attacks in the games industry

Written on 16 Feb 2021

Like a number of other data-driven sectors, the games industry has recently seen a string of high profile cyber-attacks that has placed it on high alert. As workforces continue to work from home, games companies need to reconsider the way they prepare for and respond to cyber crises.
This article provides a brief overview of some of the cyber risks faced by games companies; how they can mitigate these risks; and what to do when the attackers strike.

Why are video game companies a target?

It is hardly surprising that the games sector has been the target of cyber-attackers, especially since the pandemic has driven the industry to work in a more distributed way. Intellectual property in games and software, gamers' personal data and tightly-scheduled releases are at the heart of everything video game companies do.

Whilst cyberespionage and data theft have historically been the focus of many attacks in this sector, we have seen recently an increase in financially motivated attacks through ransomware. For example, CD Projekt Red, a leading Polish video games developer and publisher responsible for the infamous Witcher series as well as Cyberpunk 2077, has recently announced that it suffered a ransomware attack, which led to the source code for numerous video games titles being copied and allegedly sold on the black market. This is just one of numerous recent incidents.

Criminals are likely to target games companies because they know that if they can encrypt the company's systems and steal valuable data, they can get to the heart of the business and pressure it into paying the ransom.

As ever, the criminals are often one step ahead of their victims and are using increasingly sophisticated methods to get around ever-improving cyber defences, so businesses need to keep stepping up their game in order to ensure they do not leave themselves vulnerable.

How can you mitigate these risks?

The starting point is that cybersecurity is a team game. Companies are only as good as their weakest link and so it is not good enough having state of the art cyber defences if, for example, temporary IT staff are not trained properly on password protocols. A culture of security needs to be embedded throughout the business, from the board, the IT team, through to front-line sales. Compliance programmes need to be brought to life: story-telling, real life training, and testing can be far more effective than e-learning, emails and policies – although a strong compliance function will usually include a mixture of different measures.

A key principle of the GDPR is that data controllers must have in place ''appropriate technical and organisational measures'' to protect personal data. Many companies focus on the technical aspects and overlook the organisational aspects of this – for example training, incident response, employee exit procedures, and password control protocols. Often the policies and paper tell a good story, but they are not followed in practice. Even the most sophisticated of companies can be exposed by a simple mistake from one person who took their eyes off the ball by not applying the same level of controls to a testing environment as to the live system.

As many games businesses are working remotely, there is also an increased focus on technical aspects of remote-working, particularly on systems that can detect unusual activity from unrecognised IP addresses.

Another technical area to focus on is encryption. Games companies are likely to hold usernames, passwords and possibly payment card details for their customers, which can be of great value to cyber criminals. This is all data that should be segregated from other data and encrypted.

Multi-factor authentication is another hot topic for data regulators, particularly in relation to remote working portals. A failure to employ MFA will be pounced upon by data regulators, even if there is no evidence that it would have prevented the attack in question.

But all of these points of detail need to sit within an overall cyber framework, set and overseen by the board. Without top-down buy-in and engagement from the board, the technical and organisational systems sat beneath will only go so far to protect a business. A board-level crisis simulation exercise can often be a great way of achieving this buy-in and alerting the board to areas where systems, processes, and talent may need to be improved.

How to react to an attack

The cyber services industry is now well-rehearsed in responding to cyber-attacks of many different varieties. But every incident is different and the response relies on the company having good decision-makers and the right environment in which to make those decisions.

The immediate priority in the first few hours of any cyber-attack will be to establish what has happened, to stop the attack if possible, and to mitigate any damage. This can often be a time-consuming and highly complex exercise that will not deliver concrete answers in the kind of time-frames typically expected by regulators for data breach reporting (for example, 72 hours to report to data regulators under the GDPR).

It is vital that this exercise is carried out thoroughly and by experts. If that means being equivocal about what is said to the regulators and other stakeholders while the matter is investigated, that is preferable to putting out false or speculative information that later need to be corrected.

While the forensic investigation is ongoing, the business should also be considering its legal and commercial risks and how this feeds into its communications and regulatory strategy. Very quickly, the number of issues being considered across different parts of the business can become significant, so expert project management and prioritisation will be required. Incident response plans tend to be helpful for the first 24 hours in getting the right people around the table, but from there the key will be management of information in order to facilitate calm and methodical decision-making.

We find that allocating issues to three overlapping buckets can be extremely helpful:

(1) Investigations/operations;
(2) Legal/regulatory; and
(3) Communications.

Adopting this structure can help with calls, meetings, update notes, and simply to help people think under pressure.

Whilst many tech-focussed businesses, including games companies, may feel they have the in-house expertise to investigate and respond to cyber-attacks, this can be a dangerous strategy. In-house investigations do not carry the same degree of independence as external investigations. IT departments can also be defensive when the systems for which they are responsible are breached. External specialist providers get to see a wide variety of attacks day in day out and can often identify the modus operandi of the attacker more quickly because they have seen it before.

For ransom attacks in particular, specialist help will be required, particularly if consideration is being given as to whether to pay or negotiate with the attackers. Their method of attack varies considerably and having insight in the track record of the attackers can be immensely valuable in assessing the risks associated with payment or non-payment.

When instructing outside experts, it is important to consider the nature of the work product and whether it can be protected from disclosure by legal privilege. For example, it can be extremely unhelpful for cyber forensics experts to report in detail about what they found before considering how such findings could be used against the company by regulators or litigants further down the line.

Reporting obligations

As is now well known, under Article 33 of the UK GDPR, data controllers have 72 hours to report a personal data breach to the regulator, the Information Commissioner's Office, unless the data controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals. The extent to which a business is ready to make this risk assessment within the 72 hour window will vary considerably. It may sometimes be wise to make a precautionary notification within 72 hours but without a great deal of detail, and then follow up shortly afterwards once the facts are clearer.

Article 34 of the GDPR governs whether data controllers need to notify individuals whose personal data may have been compromised by the attack. It requires such notification when there is a "high risk" to such individuals. This can be an extremely complex exercise, both in terms the risk assessment and the mechanics and wording of notification. Done badly, it can greatly increase the risk of civil claims by the individuals notified. While the legal requirements of these notifications are important, so too are transparency, clarity and tone. Individuals now receive these notifications all the time and so know when the wool is being pulled over their eyes – and don't react well to this.

Insurance

Many business are increasingly turning to insurers as a partial solution to the problem. Cyber insurers have become very sophisticated in their approach. They know the experts to turn to and will provide support in overseeing the handling of the incident. Businesses that do have cyber insurance need to involve their insurer as soon as possible to avoid any issues over coverage and to ensure they have the right support in accordance with the policy.

Preparation is all

This article has only touched the surface of handling data breaches and cyber-attacks. The short conclusion is that they require a great deal of thought, preparation and precision. Those businesses that prepare in detail will survive far better in the heat of the real battle.

Interactive Entertainment Update | February 2021

Read the series overview here, or view all games and interactive entertainment Insights here.