Small Business Lessons from the Casino Cyber Incidents

It came to light this past week that both Caesars and MGM suffered cybersecurity incidents (https://bit.ly/3EJ8kho). While we don’t yet know the full details of either incident, there are still lessons we can take away from the information we do have. Let’s take a look.

Preliminary information in the MGM case points to social engineering as the initial method of access. Some reports state that the malicious actor phoned the MGM IT help desk and convinced the staff that they were an MGM employee who needed a password reset. Once the password was reset and the account was accessible, the attacker was able to gain further access to the network through more sophisticated methods of attack. They then reached a system used to authenticate users of MGM services, which essentially handed them “the keys to the kingdom”.

CISA (Cybersecurity & Infrastructure Security Agency) says that more than 90% of all cyber attacks begin with a phishing email, and an IBM report from 2022 found that spear phishing (targeted) attacks combined with phone calls (vishing, or voice phishing) were three times as effective as just emails. Peter Nicoletti, global chief information security officer at cybersecurity company Check Point Software, is quoted in Vox saying “There’s always a little back door, and all the best defenses and all the expensive tools can be fooled by one good social engineering attack[.] What we’re seeing, especially in the new age of artificial intelligence, is the attackers are leveraging not only hacked information that they find about you, but also all of your social profile information[.]” (https://bit.ly/46g4jNh)

So what can we learn from all this?

  1. Cybersecurity is a team effort: It is not just the responsibility of the IT person, department, or company. All employees need to be aware of the risks and take steps to protect their devices and data. Businesses need to create a culture of cybersecurity awareness and train their employees on how to spot cyber threats.
  2. Educate employees about cybersecurity: Employees are often the first point of contact in the cybersecurity chain. Businesses need to educate employees about cybersecurity best practices, such as how to identify and avoid phishing attacks and how to create strong passwords.
  3. Implement a layered security approach: This means using a variety of security controls, such as firewalls, intrusion detection systems, and data encryption, to protect the business’s systems and data. No single solution is 100% effective at stopping attacks.
  4. Have a plan in place to respond to cyberattacks: This plan should include steps to identify and contain the attack, mitigate the damage, and communicate with customers and employees.

Sign up for our monthly Timely Tech Tips: https://bit.ly/CBTech-Tips. For weekly tips like these, follow us on Facebook: http://bit.ly/2sCMb30 LinkedIn: http://bit.ly/375e6HB Twitter: http://bit.ly/3ajca0n