September 26, 2023
The cyberattack that took down multiple systems at MGM sites across the U.S. earlier this month has shone a spotlight on a vulnerability faced across industries – that of human error or behavior.
The breach was traced to a vishing (voice phishing) attack, in which the attackers impersonated an employee to gain access to systems and ultimately compromise multiple aspects of the casino's operations.
Such attacks are remarkably common across businesses. Verizon's Data Breach Investigations Report (DBIR), released earlier this year, found 74% of security incidents have a root cause in some sort of human error or human behavior.
While now addressed, the breach raises the question: how can businesses better protect themselves against these kinds of attacks and lower their human risk?
“Regardless of how many tools, how many different technologies we have in place in our environment, from a security perspective the human is still the number one cause of security incidents and breaches,” said Ashley Rose, CEO of human risk quantification firm Living Security. “The MGM hack is one of many examples of the attacks that still come in to compromise the human factor. I think it's time for organizations to wake up to the fact that the way we've been doing things historically is still leading to the same results.”
According to Rose, while organizations have compliance training for staff, much of this happens just once a year and offers a holistic, rather than targeted, approach.
This is where human risk management training comes in. It uses data and predictive analysis to identify the employees most at risk and to create targeted training in response, shifting security from a responsive to a preventative model.
“If we can start trying to identify who the employees in an organization are that are most susceptible to falling for this type of attack, we can take proactive action to actually prevent it before something occurs,” said Rose. “Through identifying the combinations of human behaviors that could lead to a breach, you can actually start identifying those highest risk populations in your company so that you can take more prescriptive action. That's really where we're seeing the biggest shift to taking a more data-driven and predictive approach.”
Data points can be collected on an employee’s job title and the data they have access to, as well as their behaviors that could lead to increased vulnerability, such as whether they are clicking more links, reusing passwords or browsing potentially malicious websites.
“All this data is used to create a risk profile and then, once you have this, you can become more prescriptive and targeted with your mitigation steps,” said Rose.
Rose says what the firm has learned is that there is no holistic measurement of human risk.
“The business risks that our clients are looking at are things like account compromise, data loss, malware, phishing email and then also training compliance,” Rose said. “We're able to categorize the human behavioral risks that could cause risk to the organization, and essentially give them a scoring that shows where they are and how much they improved over time.”
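To make the approach Rose describes concrete, here is an added example (not Living Security's code or scoring model): constructed behavioral signals for a few employees are mapped to the business risk categories named above, weighted by the sensitivity of the data each role can reach, and used to rank the highest-risk population, pick the category that targeted training should address, and measure change between two periods. The signal names, weights and access tiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Each behavioral signal feeds one of the risk categories named in the article.
SIGNAL_CATEGORY = {
    "password_reuse": "account_compromise",
    "phish_click": "phishing",
    "malicious_site_visit": "malware",
    "external_share": "data_loss",
    "training_overdue": "training_compliance",
}
# Hypothetical weights: how strongly one occurrence of a signal raises risk.
SIGNAL_WEIGHT = {"password_reuse": 3, "phish_click": 4, "malicious_site_visit": 3,
                 "external_share": 2, "training_overdue": 1}
# Hypothetical access tiers: the same behavior matters more for roles with broader data access.
ACCESS_MULTIPLIER = {"standard": 1.0, "privileged": 1.5, "admin": 2.0}

@dataclass
class Employee:
    name: str
    access: str
    signals: dict  # signal name -> number of occurrences in the period

def risk_profile(emp):
    """Per-category risk score: weighted signal counts scaled by the role's data access."""
    profile = {cat: 0.0 for cat in set(SIGNAL_CATEGORY.values())}
    for sig, count in emp.signals.items():
        profile[SIGNAL_CATEGORY[sig]] += SIGNAL_WEIGHT[sig] * count * ACCESS_MULTIPLIER[emp.access]
    return profile

def total_score(emp):
    return sum(risk_profile(emp).values())

def highest_risk(employees, n):
    """Names of the n highest-scoring employees: the population to prioritize."""
    return [e.name for e in sorted(employees, key=total_score, reverse=True)[:n]]

def training_focus(emp):
    """Category with the largest contribution, i.e. what targeted training should cover."""
    return max(risk_profile(emp).items(), key=lambda kv: kv[1])[0]

def score_change(before, after):
    """Difference in total score between two periods; negative means risk went down."""
    return total_score(after) - total_score(before)

# Constructed sample telemetry for one period (invented values, not real data).
Q1 = [
    Employee("alice", "admin", {"password_reuse": 2, "phish_click": 1}),
    Employee("bob", "standard", {"phish_click": 3, "malicious_site_visit": 1, "training_overdue": 1}),
    Employee("carol", "privileged", {"external_share": 1}),
]
# Same employee one period later, after password reuse was addressed.
ALICE_Q2 = Employee("alice", "admin", {"password_reuse": 0, "phish_click": 1})
```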
Having a new understanding of the risk landscape that takes human workers into account is a crucial step in businesses protecting themselves against targeted attacks, Rose said.
“The first step is we need to acknowledge that typical compliance training is not enough to protect businesses any more,” said Rose. “We need to get more data-driven and we need to get more predictive. Over time, what we hope to start seeing is the recognition that checkbox training is not enough.
“There will need to be proper management and quantification of human risk, and then eventually we may see organizations required to have data and metrics to support evidence of an effective human risk management program. I think we're quite a ways out, but we're definitely moving in the right direction.”