Gaps in cybersecurity recently cost MGM Resorts a reported $100 million after cybercriminals hacked the casino giant. Though disastrous for MGM, other companies can learn valuable lessons from the headline-making cyberattack, without paying $100 million to do so. Here are a few key takeaways from this incident:
1. Beware the power of social engineering.
Social engineering is the criminal act of impersonating someone else, for example another employee, to gain a victim’s confidence and convince the victim to hand over something of value to the criminal, such as a password or an actual transfer of money. This type of scam is extraordinarily common and is typically executed through emails or phone calls: billions of social engineering emails and tens of thousands of social engineering phone calls happen every day.
In the case of the MGM hack, a criminal reportedly impersonated a real MGM employee and tricked an IT help-desk employee into providing them access to company systems. Company leaders cannot afford to underestimate the power of social engineering and how easily their own employees can fall victim to it without the right safeguards in place.
2. Adopt strong verification protocols.
Social engineering scams are often successful because victims such as IT help-desk workers want to be helpful. In their desire to provide immediate assistance, however, they may not stop to confirm that the person they are helping is actually who they say they are.
But they should.
Identity verification methods can be more or less stringent depending on the nature of the request being made and the overall risk a company faces of being a target of criminal activity. A caller may be asked to read back a code sent to their email or phone, or to use a specialized physical identity token, like a key fob, which generates a unique verification code. Companies also need back-up protocols for when identity verification devices are lost or stolen, such as confirming a person’s identity through a third party, like their manager.
3. Institute ongoing training.
Scammers’ methods are constantly evolving, which is why ongoing cybersecurity training is a must — what’s a top threat today may be displaced by an entirely different threat tomorrow.
Employees must also be trained to avoid taking shortcuts. For instance, if verification is performed by asking a manager to identify their employee, the call should be placed to a number already on file, not one “conveniently” provided by the caller. If the caller is a scammer, the number they provide may very well belong to their accomplice in the scheme.
4. Encourage a security culture that tolerates inconvenience.
Identity verification and other cybersecurity measures take time. A business’s actual employees, including C-suite leaders, may find themselves waiting longer to gain or regain access to their company systems as a result — but these delays are a small price to pay for preventing costly cyberattacks.
Leaders should also empower employees to escalate concerns to them, even if those concerns arise at inconvenient times. For example, sometimes putting security ahead of convenience means getting a CIO or COO out of bed in the middle of the night. At Xantrion, if such an escalation turns out to be a false alarm, we don’t mind; we want our employees to err on the side of caution.
5. Restrict access by position and authority.
The fatal flaw in MGM’s cybersecurity program may have been that a junior employee was able to provide someone access to a high-level administrative account. No low-level employee at a company should be able to do that much damage. Instead, companies must limit who can access and provide others access to the most important or sensitive parts of a company’s systems. This reduces the risk that inexperienced workers end up handing over the veritable keys to the kingdom.
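The verification rules from takeaways 2, 3 and 5 can be expressed as a single help-desk decision policy. The following is an added illustration, not code from Xantrion or MGM; the directory, request types, verification tiers and help-desk role names are all hypothetical, constructed sample values.

```python
from typing import Dict, Tuple

# Constructed sample directory (hypothetical): employee -> manager and phone on file.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"manager": "carol", "phone": "+1-555-0100"},
    "carol": {"manager": "dave", "phone": "+1-555-0101"},
}
# Sensitivity tier of each request type, and what each tier must verify.
SENSITIVITY = {"password_reset": 1, "mfa_reset": 2, "admin_group_add": 3}
REQUIRED = {1: {"otp"}, 2: {"token"}, 3: {"token", "manager_callback"}}
# Highest tier each help-desk role may fulfil (takeaway 5: restrict by position).
MAY_GRANT = {"helpdesk_l1": 1, "helpdesk_l2": 2, "iam_admin": 3}
# Back-up when the hardware token is lost or stolen (takeaway 2), tiers 1-2 only.
FALLBACK = {"token": "manager_callback"}

def callback_number(employee: str) -> str:
    """The manager's number comes from the directory, never from the caller (takeaway 3)."""
    manager = DIRECTORY.get(employee, {}).get("manager", "")
    return DIRECTORY.get(manager, {}).get("phone", "")

def check_passed(employee: str, check: str, evidence: Dict[str, str]) -> bool:
    """evidence maps each completed check to its detail; for the callback that is the number dialled."""
    if check not in evidence:
        return False
    if check == "manager_callback":
        return evidence[check] == callback_number(employee)
    return True

def evaluate(employee: str, request: str, agent_role: str,
             evidence: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether this help-desk agent may fulfil the request right now."""
    tier = SENSITIVITY.get(request)
    if tier is None:
        return False, "unknown request type"
    if MAY_GRANT.get(agent_role, 0) < tier:
        return False, f"{agent_role} may not fulfil tier-{tier} requests: escalate"
    if employee not in DIRECTORY:
        return False, "requester not in directory"
    missing = []
    for check in sorted(REQUIRED[tier]):
        if check_passed(employee, check, evidence):
            continue
        fallback = FALLBACK.get(check)
        if tier < 3 and fallback and check_passed(employee, fallback, evidence):
            continue
        missing.append(check)
    if missing:
        return False, "verification incomplete: " + ", ".join(missing)
    return True, "approved"
```

A junior agent asked to add someone to an admin group is refused regardless of the evidence presented, and a manager callback placed to a number the caller volunteered does not count.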
6. Take advantage of third-party auditing and testing.
By partnering with independent auditors and cybersecurity experts, companies can confirm that the security controls they have in place are really as effective as they’re supposed to be. Without independent testing of your security systems and protocols you may be unaware of a gap in your defenses until it’s too late.
At Xantrion, our systems undergo a rigorous, month-long Service Organization Controls Type 2 (SOC2) assessment as well as regular penetration testing. We’re just as vigilant about our internal security and systems as we are about those belonging to our clients.
7. Don’t cut corners.
There are a number of ways businesses can try to cut corners on their cybersecurity, such as hiring outsourced IT providers who do not have a security focus, using weak verification protocols, and skipping auditing and testing. But while compromising on cybersecurity may yield some cost savings up front, it could cost businesses much, much more down the road.
Xantrion provides proven, audit-ready cybersecurity and compliance solutions. Let our experts help you significantly reduce the likelihood and consequences of a breach. Get a free cyber assessment or contact us today to learn more.