MGM Resorts Cyberattack: A Harsh Reminder of the Importance of Cybersecurity Training
By Matthew Mangels – Director of Information Security & Compliance
The recent MGM Resorts ransomware attack didn't rely on sophisticated hacking tools. Armed with basic information found on LinkedIn, the attackers got past MGM's security controls with a convincing story and a help-desk employee who was simply trying to help a "user."
According to a study by the World Economic Forum, 95% of cybersecurity breaches result from human error. In this case, the human error let the threat actors execute a modern-day Trojan Horse. The attackers tricked an MGM support-desk employee using social engineering: deceiving or manipulating a person into granting access to a computer system or disclosing personal and financial information. Posing as a user who had forgotten their password or needed their MFA authenticator reset, they slipped inside MGM's security walls, and once they had crossed the threshold they deployed ransomware to encrypt valuable data and halt operations.
This single misstep caused a 10-day computer shutdown. A report by AP News revealed that MGM Resorts lost its hotel reservation and loyalty-reward functions during that time. Experts also estimate the hotel giant suffered a cumulative loss of about $80 million.
While many write this off as a cautionary tale for enterprises with significant capital, it's not. Tech.co reports that 82% of ransomware attacks target small- to mid-size businesses.
When it comes to guarding online systems against attacks, a holistic approach is necessary to safeguard valuable information. The breach is a harsh reminder of the consequences of inadequate security training, and of how even the most advanced technical controls can be bypassed when the people operating them are not prepared. Use this reminder to ensure that, in addition to good technical security controls, the following are in place:
- Employee Training and Awareness Program – Regularly educate employees about social engineering tactics like phishing, pretexting, and baiting.
- Strong Security Policy and Procedure – Develop a protocol for verifying the identity of individuals requesting sensitive information or account changes such as password and MFA resets, especially if the request is unusual or unexpected. Verification should rest on something the help desk controls (for example, a callback to the phone number on record), not on details a caller can recite from LinkedIn.
- Access Control and Principle of Least Privilege – Ensure that employees have access only to the information and systems necessary for their roles, and restrict individuals' access rights to the minimum required for performing their job tasks. This applies to help-desk agents too: not every agent needs the ability to reset credentials on privileged accounts.
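To make the verification protocol and least-privilege points concrete, here is an added example (not code from MGM, Moonshot Solutions, or the original article) of a deny-by-default help-desk gate for credential and MFA-reset requests. All names, phone numbers, tiers and the `decide` function are hypothetical and constructed for illustration. The point it demonstrates is that what a caller knows (name, title, employee ID) carries no weight; the decision rests on a callback to the phone number of record from the HR directory, on whether this agent is allowed to touch this tier of account, and on a manager-approval ticket for privileged accounts. The first scenario is the MGM-style call: a caller who knows everything LinkedIn can tell them and asks to be called back on a "new" number.

```python
"""Hypothetical help-desk gate for password / MFA-reset requests (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Tier(Enum):
    STANDARD = "standard"
    PRIVILEGED = "privileged"   # admins, finance, anyone with broad access


@dataclass(frozen=True)
class Employee:
    username: str
    tier: Tier
    phone_of_record: str        # from the HR system, never from the caller


@dataclass(frozen=True)
class Agent:
    username: str
    may_reset: FrozenSet[Tier]  # least privilege: tiers this agent may reset


@dataclass
class ResetRequest:
    target: str
    caller_claims: Dict[str, str]            # whatever the caller said on the phone
    callback_number: Optional[str] = None    # number the agent actually called back
    manager_approval: Optional[str] = None   # approval ticket id, if obtained


AUDIT_LOG: List[str] = []   # every decision is recorded for later review


def _log(req: ResetRequest, approved: bool, reason: str) -> Tuple[bool, str]:
    AUDIT_LOG.append(
        f"target={req.target} approved={approved} reason={reason!r} claims={req.caller_claims}"
    )
    return approved, reason


def decide(agent: Agent, req: ResetRequest, directory: Dict[str, Employee]) -> Tuple[bool, str]:
    """Deny by default; return (approved, reason)."""
    emp = directory.get(req.target)
    if emp is None:
        return _log(req, False, "unknown account")
    # Least privilege: a tier-1 agent cannot reset a privileged account at all.
    if emp.tier not in agent.may_reset:
        return _log(req, False, f"agent {agent.username} may not reset {emp.tier.value} accounts")
    # Name, title, employee ID, manager: all discoverable on LinkedIn or the org chart.
    # They are kept in caller_claims for the audit trail but never prove identity.
    # Proof is an out-of-band callback to the number HR has on file.
    if req.callback_number != emp.phone_of_record:
        return _log(req, False, "no verified callback to the phone number of record")
    if emp.tier is Tier.PRIVILEGED and not req.manager_approval:
        return _log(req, False, "privileged account: manager approval ticket required")
    return _log(req, True, "approved")


# Constructed directory and agents; not real people or numbers.
DIRECTORY: Dict[str, Employee] = {
    "jdoe": Employee("jdoe", Tier.STANDARD, "+1-555-0100"),
    "admin.lee": Employee("admin.lee", Tier.PRIVILEGED, "+1-555-0199"),
}
TIER1_AGENT = Agent("helpdesk1", frozenset({Tier.STANDARD}))
TIER2_AGENT = Agent("helpdesk2", frozenset({Tier.STANDARD, Tier.PRIVILEGED}))

LINKEDIN_CLAIMS = {"name": "Lee", "title": "IT Administrator", "employee_id": "40112"}


def scenario_social_engineer() -> Tuple[bool, str]:
    """Caller recites public details and asks for a callback on a 'new' phone."""
    req = ResetRequest("admin.lee", LINKEDIN_CLAIMS, callback_number="+1-555-0911")
    return decide(TIER2_AGENT, req, DIRECTORY)


def scenario_legitimate_standard() -> Tuple[bool, str]:
    req = ResetRequest("jdoe", {"name": "J. Doe"}, callback_number="+1-555-0100")
    return decide(TIER1_AGENT, req, DIRECTORY)


def scenario_agent_overreach() -> Tuple[bool, str]:
    """Tier-1 agent is asked to reset a privileged account: blocked before any checks."""
    req = ResetRequest("admin.lee", LINKEDIN_CLAIMS, callback_number="+1-555-0199")
    return decide(TIER1_AGENT, req, DIRECTORY)


def scenario_privileged_no_approval() -> Tuple[bool, str]:
    req = ResetRequest("admin.lee", LINKEDIN_CLAIMS, callback_number="+1-555-0199")
    return decide(TIER2_AGENT, req, DIRECTORY)


def scenario_privileged_approved() -> Tuple[bool, str]:
    req = ResetRequest("admin.lee", LINKEDIN_CLAIMS,
                       callback_number="+1-555-0199", manager_approval="CHG-1234")
    return decide(TIER2_AGENT, req, DIRECTORY)


if __name__ == "__main__":
    for name in ("scenario_social_engineer", "scenario_legitimate_standard",
                 "scenario_agent_overreach", "scenario_privileged_no_approval",
                 "scenario_privileged_approved"):
        print(name, globals()[name]())
```

The design choice worth noting is that the caller's claims never enter the decision at all; they are logged so a reviewer can later spot a pattern of callers who knew the right details but failed the callback, which is exactly the signal a social-engineering campaign leaves behind.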
It's easy to feel overwhelmed, but you don't have to tackle these issues alone. Guard your organization against attackers with the proper fortifications and training from Moonshot Solutions. We offer a FREE security maturity assessment and an evaluation of your online defenses. Let's work together to become more resilient to social engineering attacks.