‘We care about security – but we don’t want to spend money on it’


eSports providers largely agree that both streaming piracy and cheating during online gameplay pose a serious threat to their fledgling businesses but are unwilling to take the necessary measures to defend against them, according to research on the growing industry.

Asaf Ashkenazi, chief operating officer at Verimatrix, the cybersecurity company that commissioned a report by Omdia into cybersecurity challenges facing the virtual games market, is surprised. “We knew there were problems with gaming and money being lost from cheating,” he says. “But we didn't anticipate so many saying content theft is a real problem for eSports.”

It isn’t the only reason why Ashkenazi is surprised. Despite eight in ten eSports businesses agreeing that cheating or hacking is at least a fairly serious concern, most are unwilling to spend serious money on measures to tackle it. Roughly two-thirds agree that their industry has suffered reputational damage because of cheats, hackers, and pirates – and yet four in ten have no cybersecurity program in place, with a similar ratio saying they would not spend more than $5,000 on one.

“There is still a mismatch between the amount of investment and what they see as risks,” Ashkenazi says of his respondents. “If you look at cyber as a whole, it's not very different from any crime that was done in the past – where you see money, you know that criminals will follow it.”

And that appears to be just what cybercriminals are doing in the eSports world, adopting a two-pronged approach that could prove lethal for many a start-up in the field. Using hacking skills to enable their avatars to cheat at an eSports contest to cash in a big prize payout is one thing – but the other dimension, streaming or content piracy, is much more dangerous because it is largely invisible.

“What they do is very creative,” says Ashkenazi of the cybercriminals. “They rob the owners of the content, restream it through their website, and put on their own advertisements and commercials.” Viewers and advertisers alike are oblivious to their complicity in this criminal enterprise, he claims, because they are under the false impression that the website they are engaging with is legitimate.

“The advertising network works in a way that the companies that advertise don't know where it will go [because] it's going through brokers,” he explains. “What's even more amazing is that the hackers find a way to manipulate and use the infrastructure of the guy that's streaming it, the company, so the cost of streaming is also being billed to the service provider. So the hackers have almost no costs, they just redirect the stream through their website, but the stream is still distributed by the legitimate owner – they just don't know that they are distributing it through a different website.”

“It hurts the content distributor in two ways. They pay the bill for content that hasn't reached viewers coming through their website, and of course, they have other eyeballs that are going and watching someplace else. In many cases, the end consumers that are watching it are not even aware that the website is not legitimate.”

This is what Ashkenazi dubs the “silent killer” for eSports streaming start-ups. “If somebody is doing that within an application, you make 20% less on your revenue. It's like a parasite. And sometimes the margin of these companies is 20% – so they go out of business, but they die slowly.”

Time to take action

Ashkenazi hopes that growing awareness of this ugly phenomenon will inspire more eSports companies to start putting their money where their mouths are on cybersecurity – before they lose it all to threat actors.

“The first thing that covers cheating and piracy is your game itself,” he says. “You need to protect the code of the game and make it very difficult for hackers to hack. The hackers need to reverse engineer it, understand what's going on – and then they find these vulnerabilities.”

“It sounds very complicated, and it is, but if you want to boil down what cybersecurity in hacking is, it's that some programmer out of a million lines of code made a mistake. Something that can be taken advantage of by somebody else. And what hackers are doing is trying to find these places and then insert their code to take control over it. And if you have a huge code, you have a lot of people that are making mistakes.”

The best defense against piracy is to turn the tables on the hackers by breaking their own “business model,” Ashkenazi says.

“If you make it very difficult for hackers to inject their code without being detected [and] they have to spend a year hacking against you, they will not do that. They will go somewhere else. Sometimes in cyber, we say you don't need to run faster than the bear – you need to run faster than the guy next to you.”

But there is still a long way to go before eSports firms are fully in their stride – three in ten have little to no knowledge of services that can protect their games against hackers and cheating, while half do not realize services to combat the parallel problem of piracy even exist at all. This lack of interest in and awareness of cybersecurity is all the more puzzling to Ashekenazi, given the growing understanding among eSports providers of the threat posed by malicious hackers.

“If you have more than half of people worried that their house will be burgled and they have no lock on the door, you will assume that probably less of them are concerned,” he notes wryly.

Growth industry under threat

Such lax attitudes to cybersecurity in eSports are all the more surprising, given that last year the industry notched up a tidy $1.6 billion in global revenue, a figure forecast to nearly double over the next five years. The figure for 2021 is thought to have been partly boosted by the COVID pandemic, which forced many to seek remote forms of entertainment like never before. Major media rights deals included a five-year exclusive distribution agreement in China signed by streaming platform Huya for $310 million, which focused on just a single eSports game, League of Legends.

But Ashkenazi warns that if the epidemic of cheating is not curbed, those profits could be hurt as honest gamers vote with their feet and walk away from the platforms.

“The way that it hurts them is mostly because participants know the game is not fair anymore,” he says. “They lose interest, and that could be desperate – you develop a game, and then you have a few guys that can gain different powers or abilities or manipulate time, [acquiring] virtual assets without paying.”

I point out that businesses not taking cybersecurity seriously because they think cyberattacks won’t affect them and aren’t willing to invest the money is a trend prevailing across industries and not confined to eSports.

Ashkenazi agrees, but adds: “What we see here is even more to the extreme. They're saying if you spend the money and nothing happens, there is the feeling: ‘I could have done nothing, I just spent money I could have spent developing this or that.’ And it's very similar to saying: ‘I have insurance for an earthquake in California – I'm such a stupid person, I paid for ten years and no earthquake happened!’”

Ashkenazi strongly believes that businesses across all sectors, especially eSports, need to stop assuming they are not on the radar of cybercriminals, a misperception he suggests is partly being driven by skewed reporting of cyberattacks.

“In the media, what do you see in terms of cybersecurity?” he asks. “You see T-Mobile had a hack, hundreds of millions of records got stolen, you see Colonial Pipeline got hacked, SolarWinds… you hear about the big companies. So a lot of the medium- and small-sized companies believe that they're not a target. They answer, ‘cybersecurity is a concern – but who wants to attack me? I'm a small hotel in the Alps.’ That's a wrong perception.”