Andrew York Denouement Rar File

Hank Opdam has seen things behind the scenes at The Star Entertainment Group’s casinos that would make any CISO wince. And the general manager of IT Governance, Risk and Cyber Resilience for the the company, which runs three huge ‘integrated resorts’ on Australia's east coast, has the photos to prove it. Like the sign an employee stuck up above the computer and printer set-up that makes staff access cards that read, in all caps: ‘The new staff ID computer password is ___’. 'That's a security fail times two. I love that one,' Opdam told an audience at the CeBIT technology conference in Sydney yesterday.

As well as being a security nightmare, it is a literal sign that employees at the time felt security measures were hampering their work, Opdam said. 'How do you know when you've got this perception of too much security? It looks like this: people put passwords on little bits of paper and stick them to computers. Your security guys do this excellent thing called the 'any, any, any' rule on the firewall turning a $40,000 device into a $10 switch,' he explained. 'When people feel it's too much, they feel obliged to circumvent it.'

To bring a halt to the security horrors, over the last couple of years The Star has changed the way staff encounter security measures by removing the friction they cause, and raising awareness with some cheeky education campaigns. “We don’t block things or stop things because we’re bastards, we’re doing it because we want to get a better outcome,” Opdam said. Rapidshare memento mori art. High-rollers, high-risk. Read more Opdam joined The Star Entertainment Group (then Echo Entertainment Group) in 2011, following many years in security roles with financial firm AMP. Coming from a career in banking, Opdam said some of the technology set-ups he found at the casinos came as a shock. In some cases an eagerness to provide a great customer service had left security lacking. In his second week he was asked to check the security of devices used to assist high-rollers access more money to gamble.

“This is a VIP customer, getting potentially tens of millions of dollars delivered to them and them authenticating and authorising that – on an iPad, on a wireless connection, in a public place,” he remembers. Read more “I came from finance and it would take 13 years, 17 committees to go and approve for that to happen. I had one week to secure itWe had a predisposition towards getting it done then sorting out the security later, or that’s historically how it worked.” As a result there had been some security slip-ups in the past: “stoushes with malware”, physical assets including a bouncer's walkie-talkie stolen, USB sticks used to take work home, a “defaced” kiosk display. The group’s security stance has since tightened considerably.

Things could have got a lot more serious. Casinos are undoubtedly prime targets for hackers, and their staff considered a valuable gateway to access systems. Casino ‘hacks’ do happen. Melbourne's Crown Casino was the victim of a $32 million scam in which cameras in a VIP room were ‘tapped’ to view player cards, which were fed to one gambler via a wireless transmission. A staff member that looked after high-rollers was later sacked. Read more The staff count is doubling over the next few years as the group opens another three casinos, making easy to follow, scaleable security measure essential.

Online staff portal MyStar has been rolled out where employees can book holiday, access pay slips and swap shifts. It will soon come as an app, with pin and fingerprint access. “We’re trying very hard to be frictionless. It needs to be frictionless,” Opdam said. “If you make it too much of a challenge you're going to have a crappy experience for your employees and your partners. And ultimately they'll circumvent what you have in place and you'll end up with breaches in any case.” Security policies have been condensed into a single page, since “policies are boring”.

Web pages are no longer blocked, but accessed after a warning page gently reminds users about the potential dangers, plus their “name and date and IP address – just letting you know everything’s being logged”. Read more Most importantly, there’s been a cyber awareness campaign targeted at an employee base who are “typically very young, they're quite IT aware but not very cyber savvy,” Opdam says. Given the younger demographic, educational messages use humour and sauciness to cut through. One poster reads: “It’s a thin line between OMG! Ask yourself if it’s appropriate before you send it”. Opdam and his team have taken a Disney inspired approach to rules. At Disney theme parks and resorts, whenever a rule is given it comes with a full explanation of why it’s in place.