June 4, 2019 By Douglas Bonderud 4 min read

The massively multiplayer online game (MMO) market is huge. The juggernaut “World of Warcraft” (WoW) has generated more than $10 billion in revenue over the last 15 years, while Square Enix’s revenue is up 36 percent year-over-year in large part thanks to “Final Fantasy XIV.” The cost of security threats is also on a similar rise — as noted by ZDNet, companies spend more than $13 million annually dealing with cyberattacks and their aftermath.

Beyond a break for world-weary IT experts, successful massively multiplayer franchises offer actionable insights to help organizations level up their cybersecurity best practices — and avoid losing the hard-won data they’ve fought so valiantly to collet and defend year after year.

Ready to game the system? Here are three information security lessons from MMOs.

The Security Game Never Ends

WoW is closing in on its 15th birthday and is still going strong. But keeping players interested for over a decade is no easy task. Along with new core content, the game also has to add new items and equipment to obtain, bosses to defeat, and opportunities for character progression.

It’s a difficult balance — too much too fast and players are overwhelmed. Too little, and players leave the game. For example, the game’s most recent expansion was met with player criticism about content being too accessible and too easy to complete. Meanwhile, Blizzard is releasing a version of its game that will be stripped down to the bare essentials found in its first iteration — “WoW Classic” — in hopes of luring players back.

Security experts face the same challenges: How do they keep employees engaged, and how do they design defensive strategies capable of continually meeting new threats? As noted by Human Resources Director, it’s now critical for companies to deploy custom-built training courses that provide real-world examples and relevant exercises to boost staff retention. In addition, many organizations are leveraging gamification techniques such as point-scoring, rules of play and friendly competition to increase impact. Much like the continually evolving avatars in MMOs, employees need a sense of progression and security mastery to effectively engage with corporate mandates.

Cybersecurity best practices must also come to terms with the never-ending nature of security threats. Just like massively multiplayer games, there is no final battle, no single information security enemy that companies can defeat to ensure network safety. Instead, organizations must take a page from games like WoW by splitting their time between the maintenance of familiar security systems and controls and deploying new security content — such as artificial intelligence and automation solutions — to help security plans remain relevant.

Sometimes, It’s Best to Start From Square One

In 2010, Square Enix launched “Final Fantasy XIV,” version 1.0. It was, in a word, awful.

From broken gameplay and progression systems to poor graphical implementation, fans reacted so negatively to the game that Square Enix shut it down, rebuilt it from the ground up, and relaunched it in 2013. The result — “A Realm Reborn” — has been a massive success. Ahead of its upcoming third expansion in July, PC Games N reported that registered player counts worldwide have officially topped 16 million.

The lesson here for enterprise information security? Sometimes, it’s worth starting over. If security deployments and applications aren’t producing expected results and delivering positive returns on investment, investing more time and money in hopes of fixing fundamental problems won’t create desired outcomes. Consider the continuing role of legacy security tools — solutions purpose-built for enterprises that typically fall under the mantra of “If it’s not broken, don’t fix it.”

The problem with this approach, as noted by Techgenix, is that 93 percent of companies surveyed say they’re now deploying these legacy tools in the cloud, which “is like buying a really expensive safe and putting a cheap lock on it as an afterthought.” Here, organizations need to take a cue from “Final Fantasy XIV” and start over. Let legacy tools reach end-of-life on-premises and adopt cloud-based solutions such as next-gen firewalls and end user monitoring solutions to secure critical data.

Just as game companies must listen to fans or suffer the consequence of cash flowing elsewhere, organizations must pay attention to stakeholders — from front-line users to consumers to C-suite members — and then evaluate their current information security posture. Better to scrap ineffective security measures and start over than run the risk of a serious data breach.

Teamwork Makes the Dream Work

MMOs such as “Destiny 2” and WoW require players to work together if they want to acquire the game’s most powerful items. In “Destiny 2,” “fireteams” are capped at six players, while WoW permits “raid groups” of up to 30 people. Encounters are designed to be challenging, often requiring teams to fail over and over again before finding the right strategy. Even more critical is that each member has a role to play. In WoW, heavily armored “tanks” soak up damage and distract enemies, while damage-dealers whittle down health pools. Healers are required to keep everyone alive.

Security teams face a similar challenge on a regular basis: New attack vectors and vulnerabilities that require coordinated responses and specific actions from each team member. Effectively responding to security threats means creating incident response (IR) plans that lay out who does what, as well as when and how. Recent data suggests that companies with well-documented IR plans can save more than $1 million on the total cost of a breach. As a result, just like top-tier MMO players, it’s critical for organizations to assign IT experts specific roles, define their scope of work and practice, practice, practice to ensure they’re ready to respond when new threats emerge.

Improving company security culture is critical to leveling up cybersecurity best practices as well. High-performing groups want only the best of the best and aren’t willing to consider training new members or changing current approaches, even if they’re not delivering results. Boosting enterprise information security means demystifying the culture and recruiting beyond narrow borders — for example, leveraging the talent of new collar staff who may not have typical qualifications and certifications, but come with a passion for security and display an aptitude for picking up the necessary skills.

No Rest for the Wicked

MMOs create a persistent, ever-changing world for players. Malicious attacks pose the same challenges for cybersecurity best practices: evolving, ongoing threats that demand effective and immediate responses. While there’s no way to win once and for all, it’s possible to game the system and level up enterprise information security by deploying new solutions to meet emerging needs, starting from scratch if existing tools aren’t up to the challenge, and creating a new security culture that puts talent above tradition.

More from Risk Management

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today