In this pilot episode, John Riley and George Usi discuss the recent cyberattacks on Las Vegas casino giants MGM Resorts International and Caesars Entertainment. Their conversation centers not so much on the technical aspect but more on the leadership side, discussing how business executives should swiftly act and appropriately react. John and George compare cyberattacks to arson, drawing effective response tactics from firefighting operations. They also discuss why executives must never let their emotions cloud their judgment when addressing these attacks and how to regain the trust of clients (and employees) after hackers blemish your well-guarded reputation.
—
Watch the episode here
How Should Business Executives Act And React After A Cyberattack
Welcome to our first episode of Navigating Cyber Risks. We have a special episode, and we’re going to stray away from our normal format to talk about the cyber risks that are going on in Vegas. The news has been covering it mainly from a consumer perspective, and we want to understand what the executives are going through and maybe have some technical discussions but really, what could have prevented this or how they’re feeling. Maybe some regulations and what the fallout of this is going to be.
With that, we’ll start off by talking about the breaches themselves. If you’re not aware, Caesars was breached with some ransomware. It’s September 21st, 2023 and it’s about noon PST. This is going to be information that we know as of this time. At the end of August, Caesars was breached. It looks like they paid some ransom to the company that breached them. They’re coming back online.
Not too long after that, sometime during September 2023, MGM Entertainment Group was also breached. It’s a number of hotels and casinos affecting the operations. With that being the case, we’ll go ahead and start with George and talk a little bit more about this. George, what do you think the executives might be feeling right about now?
From a casino operations perspective and with any type of incident, the very first thing that you do is go through an exercise at the executive level of the impact as well as crisis response. However, you’re making decisions generally, and these decisions should have already been made in that respect in the past. They are probably going through what we refer to as containment or return to operation. My guess is that they’re probably in containment.
When you have a cyber incident in the executive, and because this doesn’t happen all the time to executives, understanding what the process looks like from a simple language perspective is first, you have what essentially is the shocking moment of, “Uh-oh.” The very first thing that’s generally done is the executive teams get together and try to understand the impact and in this case, it has been catastrophic.
The choice that they have to make is to unplug and that’s almost always the first step, “Unplug everything. We’ve got a pretty serious issue,” or you’re in such a situation where the hackers unplugged you so you were down already. Generally speaking, they probably had to go through that exercise first. From there, you’re either making an immediate call to your attorney, which is generally what happens, or a group of attorneys as well as reaching out to some of your insurances.
Also, we’re already assuming at this point, that if you’re the executive, your IT team has probably gone through those steps. It probably first started with, “Something’s not quite right,” and then it progressed and got worse and worse. It was a serious problem and you’re unplugging. From there, it is about containing the issue and eradicating the hacker. You have to contain it. It’s like firefighting, except for the digital fire.
Hackers are arsonists. They start these little digital fires and essentially, they say, “You pay up or we’re going to light the match. It’s going to be a big fire. We’re going to burn your house down.” From an executive perspective, you have to make decisions and as John had mentioned, in some cases, you pay or at least allegedly, it gets reported that you paid.
We don’t know what happened. We are not in any way, shape, or form involved in this incident. I want to be clear that this is from the perspective of our understanding of what these executives are probably going through. However, the most important thing is understanding what is the availability and impact of the operation. This eradication and containment that you’re going through from a tech perspective is a ground war.
You’re trying to fight these guys out. Once you’ve gotten to a point where you think things are contained, you have to understand your position of, “Have I lost data? Can I return to operation?” These can happen in a number of different orders and ways, but since we don’t know what is going on in this situation, we’re not going to take the liberty to guess. Most of the time, it’s a pretty standard process of unplug, contain, eradicate, and recover very generically.
From the news reports that I saw, it was somewhat interesting. I’m not sure exactly where it started but it was affecting hotel operations. It was affecting slot machines. It was affecting the loyalty programs, the main websites, and the reservation systems. This one spread throughout and my understanding of it is that they were losing about $3 million a day of profit and not just revenue.
They were still recovering. I think that’s the bigger report that is going to show up and very much like Clorox where they were breached a while ago, but even in the SEC filings, they are talking about how they’re still returning to operations. On September 25th, 2023, it’s still coming back online. I think a lot of executives are not necessarily hiding the fact but they still don’t believe that something’s going to happen.
Where I see it right now is that whether you’re a large company or small company, it only takes a little bit here and you’re down. If you’re a smaller company, you can’t recover from this or you may not be able to recover from this. Having the procedures, the policies, and the controls in place is becoming even more important whether you’re a small company or a large company. The financial risks are too high these days with the digital arsonists as you put it.
That’s part of the challenges. A lot of these attacks are not a surprise. Companies get attacked all the time. The question is whether or not they succeed. Generally, if you’re preparing for this cybersecurity ground war as we call it, which we’ve been fighting for more than 50 years by the way and seem to be losing. A lot of the natural gut reaction is, “They didn’t do this right. They didn’t do that technically. This leader wasn’t running things correctly internally,” if those kinds of discussions we are having but that’s not where this organization is at right now.
Maybe there’s some water cooler talk happening about that but they’re still trying to return to operation unless I’ve been misinformed as of this time, September 21st, 2023. I would argue that right now, it’s a war room. Wherever they are in the process, they’re trying to make sure that they can reasonably return to operation. When you’re returning to operation, that’s when you know that there’s an incident or the situation is contained. It’s like firefighting.
We’ve seen it on the news year over year in the real world. The internet is a digitally delivered world and businesses experiencing what essentially are digital fires. You look to that industry to help you understand what might be happening here. The difference here is that you’re not necessarily evacuating people. You’re evacuating 1s and 0s. You are moving things that might be at risk if you still have access to them, locking them out, and making sure that they can’t catch fire as well.
I imagine they’re well past that state because generally when you’re going public on an incident, first off you have regulations. From an executive perspective, any executive should be aware of the fact, “What are my regulatory impacts?” Unfortunately, there are a lot of new cyber laws out there. In the casino case, one of the things that was noticeable was a new mandate that happened. It was unanimously approved by the Gaming Commission specifically as it relates to protecting customers and employees against cyberattacks.
That mandate went into place on January 1st, 2023. Interestingly enough, it took effect on January 1 and that’s a function specifically to the state of Nevada which is the Association of Gaming Equipment Manufacturers and the Nevada State Gaming Board Legislation or Gaming Commission Legislation. In those cases, you might argue that this is something that the attorneys are already talking about, which in most cases when you have an incident, you’re activating some attorney. There is always in-house counsel. In larger organizations, there will be. There’s a good chance there are outside helpers as well 100% of the time.
Also, organizations with insurance, the insurance companies are going to bring people that are on the panel. In MGM’s case, I can’t tell you exactly what they’re doing, how they’re doing it, or what their situation may be but from the perspective of the executive team, these are probably discussions they’ve been having for some time. One of the things they may be talking about is whether they’re in the crosshairs or the crossfire of this new regulation.
As I understand it, at least in the State of Nevada, they’re probably in the crossfire because generally, these things pass and you have time to do things. The thing that is on the top of their list is reputation management, crisis management, and returning to operation. These are all parts of what essentially you would do with a real disaster except it’s a digital one. That’s how I would probably perceive the state of their leadership. They’re trying to give their teams as well as their outside helpers as much room as possible to return to operations, an all-hands-on-deck situation.
In some cases, with Caesars being hacked first and then MGM afterwards, both of those are giant organizations that are subject to that gaming board. You mentioned that some of those things came into effect on January 1st, 2023. That was specifically in regards to giving them one year to clean the house and put the controls in place so that things like this didn’t happen. If this had happened sometime in January 2024, that would have been much more difficult or they’d be at a higher risk of even possibly losing their gaming license or having a restricted gaming license instead.
There will be penalties or sanctions of some sort. I didn’t dig deep into what this gaming commission regulation may look like in terms of penalties. Even though we do have experience working in the gaming area, at least in terms of the experiences that they may be going through specifically within the state and Nevada are more impactful than just the gaming commission.
There are also new state privacy laws, rewards programs, and loyalty programs where if they get caught breaking those laws, they certainly will come to light. There’s a State Bill, SB-220, which is the state of Nevada opt-out requirement. If they’re in the rewards program, they weren’t properly allowing opt-out. Now, they’ve had an incident. There’s going to be risk there.
That’s probably what leadership is doing as they transition. They may be at a point where they’re starting to return to operations. We’re not on the ground in Vegas. We’re in a different state but I imagine that one of the biggest challenges that they’re facing right now is how they return to operation and what essentially are those areas where they haven’t been able to properly recover.
Ultimately though, the reality that they’re going to face immediately is making sure that they properly eradicated the threat. It’s possible to start recovering and then find out that you didn’t get everything. When you have such a massive network and if they’ve gotten into different enclaves of the networks, which are the things that connect all these systems and departments together, then it’s a bigger problem.
What executives should be doing in every industry under business is going to be different because you have certain things that you have to grapple with. It’s not just the incident and getting things back and running, but you have a certain degree of responsibility to the consumer. There are regulatory and statutory requirements as well as notification expectations in these situations. As the dust settles, there’s going to be a lot of different kinds of notices going out to consumers who have ever been at or who’s had their information impacted or absconded with, as we would say. Interestingly enough, they’re going to get notifications and that is par for the course.
Getting any type of loyalty card there at the casinos is always giving your driver’s license with your home address, expiration, birthday, and all the other wonderful things that are getting captured there. That will be rough for them. Let’s put it that way. Maybe I’m more emotional but what gets me is coming in that first day when that’s happening. That roller coaster that starts, it’s like that first drop and that pit in your stomach of, “How do I get through this? What’s going to happen?”
No matter what kind of an executive you are and you find out that this is going on, it’s emotionally devastating to understand that you’re a victim. Now, you have to deal with it. There’s nothing you can do. You can try and pay ransom but you’re not guaranteed anything. It’s very much a street fight at that point.
Having been through this with a number of customers, there’s some empathy that goes along with that. Why don’t you talk about that a little bit as far as the emotions that you’ve seen when you’ve been working with some of our customers and understanding what those emotional pieces are that they’re going through?
Generally, there are two different mindsets. You’re the technical team. You don’t have time to be emotional. You just got to get on it. What happens is a lot of them will adopt the mindset of, “Let’s get it done. We have something that we have to stop.” At first, the emotions may be, “My job. What did I do wrong,” to very quickly realize, “We’ve got a problem to solve and it’s all hands on deck.”
At first, the emotional side of the executive though, which is a little bit different is, “I don’t know what I’m doing. What do I do?” especially at a very high level, even in the boardroom. You have to also understand that these casinos aren’t exactly new to security in general. Physical security is something that they’ve been doing for years. They have a considerable amount of interest in protecting their casino operations.
There are regulations there for them as well that they have to follow but when it comes to cyber-related incidents and understanding when a hacker jumps in and gets access, in this case, the best way to describe it is a consortium of channels of hackers. They’re identifying it as the Scattered Spider group but ultimately, the reality is that the pursuers, the criminals are different gangs.
They’re going to do things in a certain way. Some of those things are predictable. In this case, there seem to be reports about how this attack has originated out of a hacker service, so to speak, or ransomware as a service operation but let’s not make any assumptions. “Does it matter as an executive?” The emotion is, “I don’t care. How do I get back to revenue?” It’s that fear of, “I’m not producing the revenue, but I am incurring costs.”
The substantial risk that you’re going to have to deal with afterwards when you’re in that war room situation with your technical people, is a different emotion. That’ll come later. There are stages of emotions that will occur. For many of our customers, what most companies receive is the CEO call. Perhaps, it was some executive that we’ve educated on these topics in cyber risk and some of these new cascading cyber laws. We call them statutory and regulatory requirements. Where they were in terms of understanding their position in their industry.
Some Industries are more mature but when you look at a casino getting hit, you would think, at least from a practical perspective, that the way that hackers do their work, they shouldn’t be able to break into a casino that has so much experience in security. The other piece that you have to consider is your consumer’s emotions. Now, you have all these consumers that our patronizing your business. They’re used to coming and seeing you and now, they’re scratching their heads going, “Oh.”
The emotion that the executive is feeling is, “How do I earn their trust back?” This is that time. “We got to get back to operations.” That’s the biggest emotion that an executive starts to feel. That first call is, “The house is on fire. Help. Get your cyber fire department going.” Sometimes that cyber fire is so out of control that it takes a long time to contain.
I will reference another incident that happened a while ago, which was Clorox. Clorox had an incident. Looking at their journey and where they are now, an incident that happened, there are reports now saying how they’re being impacted in production. I would imagine that a situation that Clorox went through that was months ago. Now, there are reports of how it’s impacting them, the emphasis behind what an executive emotion may be is, “I’m having issues. This is going to impact me long-term. What’s my long-term impact?”
Once the dust settles and containment and eradication, then those kinds of emotions set in is, “How do I restore faith? How do I make sure that I’m not having issues further down the road?” The regulatory side is going to also fall into place. The pursuits, the lawsuits, and those sorts of things. This is where demonstrating that you were doing the right thing, especially when nobody was watching before the hack, becomes important.
It’ll be interesting to see how that does fall out and whether they had good tracking of that from a GRC and executive standpoint and I understand. Do they have all those check boxes done and where are they ready? Is there anything else that you think our audience should know about this?
There is one of the things which is this should be a lesson to consumers that compromise is a matter of when. You have to be diligent within your own right as an individual that even an organization that you would imagine is going to be able to stop hackers. They are so incredibly sophisticated that things are a little bit more complicated for some of these organizations. Believe me, there will be a lot of reactions about, “They didn’t do A, B, C, or D right.” Those reactions used to be blamed on the technical teams. “They didn’t do this or that right. They didn’t program something correctly. They didn’t configure something correctly.”
That’s the interesting thing. Although that may be true, what is happening is this lesson to the consumers that it’s buyer beware but on the executive side, you better be able to demonstrate that you were doing the right thing before the breach. Even if you had a breach, it’s going to happen no matter what. You have to take a close look at your risk management teams. How well are you handling cyber risks specifically?
Unfortunately, in a lot of these, John used the term GRC which is Governance, Risk, and Compliance. It’s a term that’s been around longer than cybersecurity but that was almost always an area of risk of somebody falling in the workplace in a factory, risk of a bank teller doing something incorrectly, or certain kinds of things that mean not having transferred into the digital world. Now, we have all these cyber risks and it’s not an easy thing to deal with for any company mainly because there are millions of jobs that are unfilled right now. We don’t have enough people.
It almost feels untenable. The lesson here for the executive team is it’s wise to start to prove and demonstrate what you’re doing. Whether it is mature or immature, you’re going to have to build your burden of proof pile. That would be the lesson for them because these incidents were probably a lot easier to deal with if you’ve also done exercises and planning and you went through these kinds of scenarios.
None of them are simple, but when I say easier, it’s still hard but how you make it less difficult and that is the challenge that executives are responsible for making sure the resources are given to these teams because cyber laws are common and they’re going to roll over you. Essentially, the executive is accountable.
My analogy for that is you don’t want to be on the Pee Wee team trying to figure out how to play when you need to be like an NFL team or professional practice and ready to go when something like that happens. Overall, it pretty much covers most of how everybody is doing, the executives, and how they’re going to return to operations. I appreciate it. Thanks everybody for reading this one. We appreciate your time, and we hope you enjoyed this format on this particular one. Let us know. This has been a good first episode for Navigating Cyber Risks.
Thanks, everybody. We’ll probably see you at business conferences or otherwise. We look forward to having you visit us again on one of our future episodes.
Thank you, everybody.