‘A huge wake-up call:’ Experts stress human defenses after MGM cyberattack

Following high-profile cybersecurity attacks at MGM Resorts International and Caesars Entertainment last fall, experts at the Black Hat USA convention say the hospitality industry should focus on shoring up human defenses to suspicious behavior.

Bob Barker, a sales engineer manager at the cloud security company Sysdig, said those large-scale cyberattacks can happen quickly. For companies, that means they can have just minutes to respond to a threat. And for consumers, it means they should be careful sharing too much information online.

“Believe it or not, that’s where a lot of these incursions come from,” Barker said. “It’s someone who was able to assume an identity of someone who had more rights or more privileges in an environment.”

That was the case in MGM’s security breach that crippled the hotel chain’s operations for 10 days in September 2023. A British teenager was arrested on July 18 for his role in the breach. The hacking syndicate group ALPHV and an affiliate Scattered Spider claimed responsibility for the attack, as well as a similar one on Caesars Entertainment the previous month.

In the MGM case, the hackers used “social engineering,” or the practice of assuming a plausible identity of a company’s worker, then communicating with the company’s IT team to be given access.

Robert Grimes, a data-driven defense educator for the employee security awareness training platform KnowBe4, said 70 percent to 90 percent of modern cyberattacks are done through social engineering and unpatched software. Many businesses will worry about their antivirus protections and other network types instead of focusing on the human errors that most commonly lead to breaches.

A silver lining to MGM’s data breach was the increased attention to how such a large-scale attack could occur so easily. Grimes said the company has had a bump in business since then.

“The MGM event was certainly a wake-up call,” Grimes said. “That was a huge wake-up call that sent shudders. We got not only more customers, but also existing customers who wanted to do awareness training correctly.”

Eric O’Neill, a cybersecurity consultant and former FBI operative, said investing in more cybersecurity — and actually employing it, rather than contracting a firm to check a box — is one of the biggest ways that companies can combat pending threats.

Companies also have to make sure they’re teaching the cyberattack prevention techniques in an understandable way. He said storytelling can help everyday people understand what they should do to protect themselves and their companies.

“If you just see statistics — this is how many ransomware attacks happened and this is how the percentage of a chance that you’re gonna get hit by a spear phishing — your eyes are going to glaze over like you’re just trying to click through the training,” O’Neill said. “When I’m speaking to crowds, I literally see them all pull their phones out. Not because they’re bored — it’s because they’re turning on two-factor authentication.”

Black Hat USA, a six-day cybersecurity conference, ends Friday. But expect to see cybersecurity professionals, government officials and corporate leaders stay in town for DEF CON 32, a hacking conference beginning Aug. 15 at the Las Vegas Convention Center.

Contact McKenna Ross at mross@reviewjournal.com. Follow @mckenna_ross_ on X.