In the ever-evolving landscape of cyber security threats, no organization, regardless of its size or prominence, is immune to the threat of cyber attacks. The recent breach at MGM Resorts International serves as a great reminder that even giants of the entertainment and hospitality industry can fall victim to cyber criminals.
In this blog post, we’ll not only review what MGM as a company should be doing following this attack but also delve into what your company should be doing, too. Even if your company is not in the hospitality or entertainment industry, any big mainstream news story like this serves as a great opportunity to light a conversation within your company to grow your security culture.
On September 11th, casino and hotel chain, MGM, reported a “cybersecurity issue” and stated they needed to shut down their systems to protect their business and customer data. The result? For days there were reports that everything from digital gambling machines to electronic hotel keys were offline. According to Morphisec, these disrupted operations led to a $80 million loss in revenue for the corporation.
For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges. (Limited time offer. Normally valued at $999 USD)
Use Promo Code: 6WEEKS
More importantly, the hackers claim to have stolen 6 terabytes of data including the driver’s license numbers and social security numbers of loyalty program members.
Social engineering. Social engineering is not a technical strategy, but rather a psychological or emotional strategy that an attacker uses in order to convince, manipulate, or trick an employee or data holder to give them access to their systems.
In this case, the hackers found an MGM employee on LinkedIn and impersonated them in order to trick the IT desk into helping them gain access to the network. After the initial entrance into the systems, they were able to access multiple passwords and launch ransomware attacks.
This type of attack is as old and classic as hacking and social engineering can be. Impersonating one person to trick another into gaining access to an email, a locked room, or a hotel room you do not belong in are some of the oldest tricks in the book.
As long as humans have been around other humans have been engineering them into gaining what they want or need. The reason some people may believe these cyber attacks are new is because cyber security reporting is becoming easier and more popular in mainstream media.
Having a remediation plan is as important as having cyber insurance, cyber awareness training, or any other step in your security awareness program. Being such a large and prominent organization, we expect that MGM has a remediation plan on deck and has been implementing it immediately.
If we were MGM, these are some things that would be included in our next steps:
As a security professional or business owner, after any big cyber security news story hits mainstream media like this one, you need to take action. This story is evidence to your executives and employees that cyber attacks can happen to anyone. Use it as your next tool to start conversations and spark action.
Chances are even people in your organization who aren’t security geeks have briefly seen the “MGM” headlines and wonder what’s going on. Take advantage of this spark of curiosity by sharing the story with the whole organization.
Book a quick, important meeting with your executives to go over the story. Present the revenue lost due to operational disruptions, the number being asked for ransom, and other numbers that will grab their attention. Draw out the story for them to show how easy it was for these extreme cyber hackers to get into a huge organization with lots of important data. Then, provide your executives with hope and action by telling them what you plan to do to stop this from happening to them.
In your team’s #security or #general channel in Slack, share the story. Identify the threats, assets, and vulnerabilities, and ask a question to continue the conversation. Remember, you don’t want to scare your employees by saying “SEE – This is what happens when you don’t do your training”, but instead encourage reflection and curiosity by sharing the story and keeping the conversation open.
Conduct a threat analysis of the case. Identify all the vulnerabilities that allowed this attack to occur and then see if they exist within your organization. In this case:
If any of these vulnerabilities are identified in your organization, act immediately to cover them.
If anything, let this be a lesson that employees still can and will fall for social engineering attacks. The best way to protect your business from a human risk like this is to implement security awareness training modules specifically for social engineering.
If you have an IT Help Desk, now is also a great time to implement customized group training. Create a group with all IT Help Desk employees with targeted training that includes identifying employees and stopping social engineering attacks.
Create an IT Help Desk customized training group using Click Armor’s new Customized Training Group Feature. Book a call with us to see a demo.
Although the MGM attack is a scary story, don’t let it scare you away from using it as a positive learning opportunity for your organization. Now is a great time to share this story with your team to encourage conversation and grow your security culture. You can also conduct your own threat analysis to identify any vulnerabilities that could lead to a similar attack and pitch the solutions to your executives. Most importantly, use this as the final motivation you need to implement social engineering training for all employees to protect your business and customer data.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.