The news last month of yet another cyberattack on MGM Resorts, initiating a system shutdown and disrupting its operations, is yet another in a very long list of attacks that we have witnessed in the past couple of years. Having the right preventive and defensive cybersecurity measures in place for such attacks is a given, and it is what most organisations focus on. But it is also about understanding how the organisation will recover from an incident and how they can limit the extent of an attack. 

Today, being impacted by a cyberattack is almost inevitable. The global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years, according to IBM.Therefore, companies also need to think about how they can proactively recover, how quickly they can recover, and the cost of recovery to the business.

For MGM the priority now will be to stabilise infrastructure, while they find the best copy of their data and restore it so they can continue to drive business operations, bringing systems back online as quickly and securely as possible.

Here at 11:11 Systems, we know that recovering from a data-compromising cyberattack requires planning, investment, capabilities, procedures, and more. We also understand how important it is for organisations to recognise the difference between traditional disaster recovery, in response to incidents such as wildfires, earthquakes, and extreme weather conditions, and compromised data recovery in the event of a cybersecurity incident.

We’re keen to help educate the market in understanding their own capabilities to get back to business-as-usual post an attack. An interruption to operations caused by a cyberattack can cost businesses an enormous amount, financially and reputationally, so this type of intelligence is vital.  Below are some essential elements organisations should think about in order to proactively protect their infrastructure:

1. Understanding the Insider Threat

Employees are often the first line of defence against cyberattacks. But without proper training, they can also be the weakest link. While external threats are more dramatic and grab the biggest cyberattack headlines, insider threats—whether malicious or the result of negligence—can be more costly and dangerous. According to Verizon’s 2023 Data Breach Investigations Report (DBIR), 74% of all breaches involve the human element.

Comprehensive employee training goes beyond mere awareness. It involves regular phishing simulations, workshops on identifying social engineering tactics, and creating a culture where cybersecurity is everyone's responsibility. By transforming the team into a human firewall, you not only protect the organisation but also empower employees to be part of the solution.

2. Segmenting the network

A network is more than just a collection of connected devices; it's the backbone that facilitates the organisation's operations. Protecting the network is as important as securing the physical boundaries of the organisation.

Technologies like firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and network access controls are essential. But it doesn't stop there. Network segmentation enables organisations to create barriers within the network, limiting the spread of threats. By securing the perimeter of each segment, this ensures that even if one part is compromised, others remain intact.

3. Continuous scanning and monitoring

Software flaws and misconfigurations are like unlocked doors waiting to be exploited. It’s imperative that the organisation continuously scans for these vulnerabilities and promptly patches them. Industry professionals still talk about the 2017 Equifax breach that exposed 143 million records, all because of an unpatched vulnerability.

Closing these doors requires a proactive approach, where security teams are not just reacting to threats but actively seeking and addressing potential weaknesses. After all, an exposed vulnerability is an open invitation to attackers.

4. Knowing when to revoke access

Access controls are the gatekeepers to the organisation's most valuable assets. This means implementing complex passwords, deploying multifactor authentication (MFA), and limiting access to sensitive data are all imperatives.

But access control is also about knowing when to revoke access. For example, immediately disabling former employees’ credentials is crucial as often insider threat cases involve a disgruntled ex-employee.

Employees don’t necessarily have to be disgruntled to be a threat to the business, though. Yahoo, for instance, recently sued a former senior research scientist for stealing valuable trade secrets minutes after being offered a job by a competitor. By acting as vigilant gatekeepers, you can ensure that only authorised individuals can access vital information.

5. Shielding the frontline

Endpoint protection is about securing the devices that interact directly with users and data. These endpoints, such as laptops and servers, are often the frontline in the fight against cyberthreats.

Tools like endpoint detection and response (EDR), antivirus software, disk encryption, and application whitelisting are crucial. By shielding the frontline, organisations not only prevent attacks but also gain insights into potential threats, allowing for more informed decision-making.

6. Safeguarding data requires a multifaceted approach

Data is the lifeblood of the modern organisation. It fuels growth, innovation, and customer satisfaction. Safeguarding this data requires a multifaceted approach.

Classifying sensitive data, implementing robust controls around high-risk information, encrypting both data at rest and in transit, and regular backups are crucial. By treating data as a valuable asset, the organisation will improve the chances of this data remaining secure, accessible, and compliant with regulatory requirements.

7. Regularly tested incident response plan

No defence is unbreachable. Even with the best security measures, some attacks will inevitably succeed. That's why it is important to have a well-maintained and regularly tested incident response plan.

This plan should detail roles, responsibilities, and processes for detection, containment, eradication, and recovery, including updated business continuity (BC) and disaster recovery (DR) plans.

This includes being prepared to restore impacted systems and data quickly. Organisations should maintain recent backups of critical assets, including immutable backups, to ensure they can rapidly restore when needed. Furthermore, these backup processes should be regularly tested to ensure they’re up to date and align with any changes in the production environment.

8. Treat security as a continuous journey

Security is not a one-time effort; it's a continuous journey. Periodic third-party audits and vulnerability assessments provide an external perspective on security posture and help identify gaps, risks, and opportunities to address any shortcomings.

The ISO/IEC 27001 standard, adopted by organisations worldwide, emphasises the importance of regular audits and continuous improvement. Embracing this culture ensures that security measures evolve with the changing threat landscape to provide robust protection against current and future threats.

Change the narrative

The MGM cyberattack is an all too familiar story that we have heard countless times before over the years.

In today’s world of heightened attacks, organisations need a multi-disciplinary, layered approach involving ongoing diligence, training, and investment, if they are going to be ready to minimise business interruption from a cyber event as well as proactively prevent the company from becoming the next cyberattack headline.