The Path of Least Resistance

Sep 18, 2023

Social Engineering and the Human Element

By now you've probably heard about the recent (Sep. 11, 2023, for anyone reading In The Future) cybersecurity breach and ensuing chaos at the MGM Casino. For days after, there were reports of slot machines and hotel room keys not working, offline websites and hotel check-in systems, and more. A week later, they are still dealing with the effects, and losing millions every day.


A group claiming responsibility for the attack said they had done it by spending some time researching employees on LinkedIn, then making a 10-minute phone call to the Help Desk.

Although nothing new, this may be the moment where we see social engineering tactics, and "vishing" (voice phishing, i.e. a phone call) in particular, really take the lead in how attacks occur going forward.


Why? People, like electricity and water, tend to follow the Path of Least Resistance.

When you want to infiltrate a highly secure system, like a safe, do you kick the door open with brute force, or do you look around to see if someone wrote down the combination?


Manipulating people is almost always the path of least resistance.

Especially if they are stressed, or tired, or busy, or hungry, or new, or bound by strict 'The Customer Is Always Right' policies, or really any of a million other human foibles.

That's just people being people. Mistakes happen. People get taken advantage of.


The big mistake, however, in deciding how to protect your business from this sort of attack, is placing the blame solely on the human element, or trying to move away from it altogether. Automation isn't going to solve the problem.

People may be a weak point, but those same people can also be your greatest defenders.


People aren't the real problem. Policy is.


  • Multifaceted training is essential. Some companies rely on just phishing simulation training. That is a good start, but too often the training gets punitive, and the employees really learn only how to spot the training emails. Training like this wouldn't have stopped the MGM attack at all. A better option is to make sure employee security training covers multiple topics and attack vectors, is updated often, and isn't just rote testing.


  • Front-line employees will go to great lengths to defend your company, if they care about the company. They'll care about the company if the company cares about them first. Devalued employees may not feel particularly invested in whether the company gets hacked or not, or take the time for the critical thinking involved in thwarting sophisticated attacks. An invested employee, on the other hand, will be paying attention. What makes people care about their job and their workplace? Management that is supportive, not micromanaging. Non-toxic culture. Reasonable hours, adequate breaks, and competitive wages. Meaningful work. Being honestly valued for their contribution. A pizza party is not going to do it.


  • Limit personal and professional information available online. This may be difficult to regulate, but encourage all staff, especially upper management and the C-suite, to be extremely mindful of the information they put on social media and in emails.


  • It's not so much if, as when. Have a detailed Disaster Recovery Plan in place and ready to go. If the MGM incident shows us anything, it's that even the largest, richest, most securely defended systems can be brought down. With the sheer number and force of cyberattacks that happen every day, sometimes it's just a numbers game. (Natural disasters count too!) The wise move is to assume the worst will happen. Prepare for it. Get multiple backup systems in place. Have policies ready for what to do when the worst happens, so if it does, there's no panic, hopefully no data is lost, and business can get operational again as soon as possible.


  • Party like it's 1999. And 1979. And 1879. Here's a good exercise for disaster preparedness. Imagine if you woke up and it was 1999. Your organization has computers, but no internet. Can your organization function?

How about 1979 - you have no computers. Records and receipts are all on paper.

You can take credit cards, if you have a knuckle-buster and call in the numbers. Can your business function, to some extent?

(If this feels silly, remember this is essentially what happened to the MGM hotel employees.)

Now it's 1899, and there is no electricity. Does your business handle essential services that need to keep going? Can you do that?

How can you best prepare for these sorts of scenarios?

Ask your people.

