For decades, the only time employees would gamble on sports during work hours was during the annual March Madness bracket pool, a vice that ranks somewhere between using the company phone to make personal calls and microwaving fish in the break room.
That all changed on Jan. 1, when legalized sports gambling arrived in Ohio — and brought a whole bunch of workplace dangers along with it.
“It’s not just the informal $20 to do a bracket, where someone from the organization is passing around a hat,” said Lacy Rex, vice president and cyber strategic leader for Oswald Cos.
Instead, many employees are now using their work computers to place bets on sites such as FanDuel, BetMGM or DraftKings, putting their companies at greater risk for cyber fraud.
“Obviously, employees need to understand what is and what isn’t acceptable at their jobs,” Rex said. “Most of them understand they shouldn’t be placing bets (at work), especially on their company-owned devices.”
But with more companies employing digital natives — i.e., people who could be seen using computers on their sonograms — and with more employees working from home, the traditional lines between work life and personal life have been blurred, if not eliminated.
That creates opportunities for cybercriminals to hack into company databases by targeting employees who place sports bets from their office computer or company phone. They then steal passwords and financial data about a company or its clients, and either use it for themselves or sell it to other bad actors.
“Whenever you have an organization that’s collecting a lot of personally identifiable information — credit card information, taking bets, that sort of thing — there’s always going to be fraud around it,” Rex said. “There are going to be those who are targeting organizations, or trying to impersonate them as well.”
So how can companies, and their employees, stay safe? Here are four tips.
Be proactive, not reactive.
Since sports gambling is still new, many Ohio companies may not think to outline their workplace policies until after there’s a problem.
March is a good time to get ahead of the issue, since unlike Browns or Cavs games, NCAA tournament games often take place during work hours.
Oswald recommends companies create an acceptable use policy that reminds employees how they are permitted to use their employer-issued technology.
Organizations should also block sports gambling sites on work computers (something that’s more difficult for remote employees) or set up geofences that prevent employees from wagering at the office.
“It seems kind of obvious, but a lot of times it’s a missing component,” Rex said.
Companies should also add sports betting to their cyberattack training, using phishing simulations to beef up their “human firewall,” which refers to training employees to recognize scams and suspicious activity. Rex recommends companies do phishing testing at least monthly, especially if their employees are failing regularly.
“We see a lot of targeting phishing (with sports gambling),” Rex said. “You’ll get some sort of phishing email that has something interesting or exciting, where it says, ‘Click Here’ to go and place a new bet and see some sort of new incentive for it. These types of sites, too, there could be ads where you’re just searching and (you have to ask) is it a legitimate site or is it not?
“It just puts an organization at risk in an already really challenging and tricky environment.”
Change passwords regularly, or use a password manager.
Oswald recommends companies install phishing-resistant, multi-factor authentication that includes two or more authentication factors before granting access to the network.
Younger employees tend to be especially lax about authentication, Rex said.
“Digital natives are typically a little more blase about cybersecurity on their work devices,” she said.
Passwords should be complex — Microsoft recommends they be at least 12 characters long, with a combination of uppercase and lowercase letters, numbers and symbols — and they should be changed every 30-90 days. That last part is key, since 70% of users who were breached in 2021 were still using the same exposed passwords found in previous years’ breaches, according to Spy Cloud.
Oswald also recommends turning off the browser’s password saver and use a password management application instead.
“Having something like that (password manager) makes you a tougher mark for a bad actor,” Rex said. “You only have to remember one password and everything else they’ll auto-fill for you. It takes that burden off your shoulders and it’s just good cyber hygiene.”
Don’t punish employees who own up to mistakes.
When employees accidentally click on something they shouldn’t, Rex said they should immediately raise their hand and tell the IT team.
For that to happen, employees need to feel like they’re not going to be punished.
“Whether a company chooses to use a carrot or a stick is really about what aligns with their company culture,” Rex said. “But having an environment where an employee isn’t afraid of the consequences, especially if you think you’ve given someone access to your email accidentally, is hopefully going to stop the bad actor from being able to move laterally in the environment and wreak more havoc on the environment and steal more information.
“Employees shouldn’t be scared of raising their hands and saying, ‘I screwed up.'”
Watch for warning signs of problem gambling.
Gambling during work hours isn’t just a security issue or a productivity issue. It’s a human issue.
Betting during work hours on the first day of the NCAA tournament isn’t necessarily a sign that someone has a gambling problem.
But gambling during work hours on, say, a Tuesday morning in July? That’s a different story — and employers may be in a unique position to recognize it.
That’s why, when a company sets a sports wagering policy, it may choose to include problem gambling resources so employees will know where they can find help.
“Obviously, betting addictions exist; it’s a real thing,” Rex said. “It’s good to have an environment where employees understand there are resources that can help.”
One other thing: Problem gambling poses a crime risk for an organization, Rex said. Companies should have a system of checks and balances for financial transactions, so that one employee can’t create a new vendor, pay the vendor and sign the checks all at once.
“If you’re betting and losing a lot, you could be in some sort of distressed financial situation, which could be a situation for organizations to monitor,” she said. “Betting and potentially losing and then creating some sort of hazard in the environment for thefts of funds is certainly a real possibility.”