The cost of complacency: Lessons from the 2023 MGM breach

ThunderSecurity

11/1/2023, 4 min read

In September 2023, MGM Resorts International found itself in the midst of a major incident after a sophisticated cyberattack brought their systems to a grinding halt. Estimated costs from the incident have exceeded $100 million so far according to SEC filings. So what happened, and what can organizations learn to help prevent similar high-profile breaches in the future?

The incident began with a social engineering attack on MGM's IT help desk team. By gathering basic personal details about employees, likely from public sources, cybercriminals were able to call in posing as legitimate employees in need of password or account access resets. Social engineering relies on manipulating individuals through psychological tactics rather than technical exploits. The hackers successfully convinced MGM's help desk staff to reset credentials, including multi-factor authentication in some cases, highlighting weaknesses in MGM's controls around credential and access management.

Once initial access was obtained, the attackers were able to deploy ransomware across MGM's environments, encrypting systems and disrupting operations. Everything from front desk check-ins to casino games and online reservations came crashing down. To rub salt in the wound, the incident came during MGM's busy convention season, further exacerbating financial losses. Clearly MGM failed to implement adequate prevention, detection and response controls - a striking oversight for such a large organization.
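The weak point described above is a help desk that accepts publicly discoverable personal details as proof of identity before resetting a password or MFA factor. The following is an added example (not MGM's or ThunderSecurity's code) of how such a reset policy can be encoded and checked, plus a simple detection rule for repeated MFA resets on one account; the method names, thresholds and sample requests are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical help-desk policy. Knowledge-based checks (employee number,
# date of birth, manager's name) are the "basic personal details" an
# attacker can gather from public sources, so they carry no weight alone.
STRONG_METHODS = {"callback_registered_phone", "manager_approval", "in_person_badge"}
WEAK_METHODS = {"kba"}
REQUIRED_STRONG = {"password": 1, "mfa": 2}   # strong checks needed per reset type

@dataclass
class ResetRequest:
    employee_id: str
    reset_type: str        # "password" or "mfa"
    methods: set           # verification methods the agent actually performed
    requested_at: datetime

def evaluate_request(req):
    """Return (allowed, reason) for one help-desk reset request."""
    if req.reset_type not in REQUIRED_STRONG:
        return False, f"unknown reset type {req.reset_type!r}"
    unknown = req.methods - STRONG_METHODS - WEAK_METHODS
    if unknown:
        return False, f"unrecognised verification method(s): {sorted(unknown)}"
    strong = req.methods & STRONG_METHODS
    need = REQUIRED_STRONG[req.reset_type]
    if len(strong) < need:
        return False, (f"{req.reset_type} reset needs {need} strong check(s), "
                       f"got {len(strong)}; KBA alone is not sufficient")
    return True, "verified via " + ", ".join(sorted(strong))

def flag_mfa_reset_bursts(requests, window=timedelta(hours=24), limit=1):
    """Detection: employee IDs with more than `limit` MFA resets in any `window`."""
    mfa = sorted((r for r in requests if r.reset_type == "mfa"), key=lambda r: r.requested_at)
    flagged = set()
    for i, first in enumerate(mfa):
        later = [r for r in mfa[i:] if r.employee_id == first.employee_id
                 and r.requested_at - first.requested_at <= window]
        if len(later) > limit:
            flagged.add(first.employee_id)
    return flagged

# Constructed sample requests (not real MGM data).
T0 = datetime(2023, 9, 10, 9, 0)
SAMPLE = [
    ResetRequest("e1001", "mfa", {"kba"}, T0),                          # caller offers only KBA
    ResetRequest("e1001", "mfa", {"kba", "callback_registered_phone"}, T0 + timedelta(hours=3)),
    ResetRequest("e2002", "password", {"callback_registered_phone"}, T0 + timedelta(hours=5)),
    ResetRequest("e3003", "mfa", {"manager_approval", "in_person_badge"}, T0 + timedelta(days=2)),
]
```

Feeding the reset log into `flag_mfa_reset_bursts` alongside `evaluate_request` gives both a preventive gate at the help desk and an after-the-fact signal that an account's MFA is being reset repeatedly.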

MGM is certainly not alone in underestimating the role of human vulnerability in cyber risk. The 2023 Verizon Data Breach Investigations Report found that 74% of incidents involved a human element, through actions like errors, data leaks and, notably, social engineering. As attacks become more sophisticated, it's absolutely critical for organizations to view their employees not just as users but as a critical line of defense. Merely executing annual cybersecurity awareness training is clearly insufficient given today's threat landscape.

Effective security awareness starts with recognizing people as the weakest link and making them a proactive strength instead. But what does a mature training program look like? Experts advise taking a comprehensive, multifaceted approach:

  • Frequent, ongoing training: Monthly micro-sessions keep risks top-of-mind versus annual compliance clicks. Education must evolve as threats do.

  • Role-based scenarios: High-risk roles like executives, help desks and finance receive customized modules reflecting their exposures.

  • Dynamic content: Interactive materials cover the latest techniques like smishing, voice phishing and evasion methods being seen "in the wild".

  • Skills assessment: Quizzes and simulated phishing validate understanding before certification. Remedial training is provided for anyone still vulnerable.

  • Comprehensive reporting: Metrics around click-through, assessment and real phishing simulation results enable tracking program impact over time.

  • Executive buy-in: Demonstrating value through benchmarking and reduced incident response costs keeps leadership invested.

Experts also note that merely checking boxes is not enough - training must cultivate a security-centric culture. This involves fostering curiosity, empowering "human firewalls" to spot and report anomalies, and making phishing tests learning experiences rather than punitive reactions. Organizations must move from security awareness as an afterthought to an integrated business function.

While MGM was caught off guard, other firms are starting to get serious about the weakest links in their security chain. Fortune 500 manufacturers AB InBev and GSK recently invested in innovative training platforms that gamify learning to boost engagement. The platforms incorporate tailored scenarios, reinforcement through integrated phishing simulations, and benchmarking against best practices.

Some organizations even go a step further with executive red teaming exercises. These simulations test leadership's ability to detect and respond to targeted spear phishing and social engineering attacks as they would unfold in real life. The results often serve as a wake-up call even for experienced C-suites. When the very top is vulnerable, it highlights just how much work remains.

As attacks persist and breaches like MGM's make headlines, the message is clear: a singular focus on technical controls leaves major gaps that modern threat actors have exploited and will continue to exploit. Security must become as much about people and processes as technology. Organizations owe it to their customers, partners and shareholders to safeguard the crown jewels by securing human vulnerabilities as diligently as datacenters and code. Those who learn from painful lessons tend to avoid repeats. Overall, prioritizing employee security awareness training represents perhaps the single highest-ROI activity for bolstering an organization's cyber defenses.

Here at ThunderSecurity, we understand that developing comprehensive security awareness programs requires significant expertise that many organizations lack internally. Our team of seasoned training specialists has extensive experience designing and implementing customized human-centric security solutions.

ThunderSecurity offers a full suite of awareness services including needs assessments, program roadmap development, tailored content creation, engaging delivery platforms, simulated phishing assessments, and detailed reporting. By partnering with us, customers can leverage our proven methodology and tools to establish an impactful initial training foundation.

We recognize the modern threat landscape demands new priority on human-centric security. By empowering employees as active defense participants, organizations can more strategically address both technical and human risks. As breaches like MGM show, without addressing social and cultural aspects, even strong controls fall short.

ThunderSecurity is ready to assist customers with getting started on their awareness journey. Our consultative approach simplifies standing up a scalable, optimized initial program to focus training where it makes the most difference. As a new entrant, we maintain competitive pricing and flexibility compared to large established firms also servicing this growing need.

For any organizations seeking to prioritize personnel security awareness, partnering with ThunderSecurity presents a valuable opportunity to efficiently build baseline protections. We welcome prospective customers to learn more about how we can support cultivating a robust security culture from within.