The ALPHV/BlackCat ransomware group has taken responsibility for a cyberattack on MGM Resorts, one of the world's largest casino-hotel chains. The breach reportedly started on LinkedIn and has severely impacted MGM's operations, affecting iconic casino hotels like the Bellagio, Mandalay Bay, and the Cosmopolitan. The attack disrupted electronic payments, digital key cards, slot machines, ATMs, and paid parking systems. The ransomware group ALPHV, also known as BlackCat, executed the attack by identifying an MGM IT support employee on LinkedIn and then contacting the MGM help desk. The entire attack took approximately 10 minutes. The financial implications of this breach for MGM are significant, given that their Las Vegas Strip properties alone generate over $13 million in daily revenue.
What Exactly Happened that Caused the MGM Hack?
MGM Resorts suffered a significant cybersecurity breach after attackers used a phishing technique delivered through a help desk call. The incident highlights the urgent need for better employee training in handling emails and phone calls. As a result of the breach, MGM faced severe disruptions: the malware spread rapidly across its systems and caused a complete shutdown. Major cybersecurity firms, such as industry juggernaut CrowdStrike, emphasize regular training for non-security staff, often monthly, to prevent such incidents, but hotel organizations may or may not offer such rigorous training protocols. The attackers used social engineering, persuading employees to open malicious email attachments while on a call. This method is a favored tool for hackers, alongside creating viruses. Once the malicious attachment, which could be a PDF, an Excel file, or another format, is opened, the malware activates. It then searches for open shared networks, injects itself into various processes, and spreads to other machines. The speed of this spread is alarming, potentially affecting up to 100,000 computers within seconds.
"Annual social engineering and phishing training for employees is the shield that keeps many organizations' digital fortress secure, empowering teams across different departments to recognize and thwart the ever-evolving tactics of cyber threats remains important every single day," says CrowdStrike Senior Security Researcher Ryan Cornateanu.
Important Takeaways that Hoteliers Must Understand
The recent cyberattack on MGM Resorts underscores the profound vulnerabilities that even major corporations face in today's digital age. The fact that the breach originated from a platform as commonplace as LinkedIn serves as a stark reminder of the dangers of oversharing professional details online. It's not just about the immediate financial implications, though they are significant. With MGM's Las Vegas properties alone raking in over $13 million daily, the economic fallout from such an attack is staggering. But beyond the tangible losses, there's the intangible damage to consider. The tarnishing of MGM's reputation, especially among patrons whose dream Vegas experiences were marred, is a blow that might take years to recover from. This incident should be a wake-up call for hoteliers everywhere about the paramount importance of robust cybersecurity measures and the potential long-term consequences of any lapses.
- The Power of Social Engineering: The attack's origin from a platform like LinkedIn highlights the potential risks of oversharing professional details online. How can individuals and companies better protect themselves from such vulnerabilities?
- Economic Impact: With MGM's Las Vegas properties generating over $13 million daily, the financial repercussions of such an attack are immense. How will this incident influence the cybersecurity investments of other major corporations?
- Reputation at Stake: Beyond the immediate financial losses, how might this cyberattack impact MGM's long-term reputation, especially considering patrons who might have had their once-in-a-lifetime Vegas experience ruined?
What is Social Engineering and How Can Hotels Protect Employees and Guests?
In the context of cybersecurity, social engineering refers to the manipulation of individuals into performing specific actions or divulging confidential information. Rather than exploiting software or hardware vulnerabilities, social engineering attacks target human weaknesses. The goal is to trick individuals into revealing sensitive information, granting access to restricted areas, or performing actions that would compromise security.
There are various forms of social engineering attacks, including:
- Phishing: This is one of the most common forms of social engineering. Attackers send fraudulent emails, messages, or websites that appear legitimate to lure victims into providing sensitive data, such as login credentials or credit card numbers.
- Pretexting: Here, the attacker fabricates a scenario (or pretext) to obtain information from a victim. For example, they might pose as a bank representative and ask for account details, claiming they need it for verification purposes.
- Baiting: This involves offering something enticing to the victim, such as free software, to lure them into downloading malicious software.
- Tailgating or Piggybacking: In this method, an attacker seeks entry to a restricted area without proper authentication by following an authorized person closely. For instance, they might walk into a secure building right behind an employee who has access.
- Quizzing: Attackers use quizzes or surveys on social media to trick users into revealing personal information.
- Vishing: Similar to phishing, but conducted over the phone. The attacker might pose as a bank representative, tax official, or tech support agent to extract sensitive information from the victim.
The success of social engineering attacks relies heavily on the attacker's ability to manipulate human emotions, such as fear, curiosity, or the desire to help. Because these attacks target human behavior, continuous education and awareness training are crucial in helping individuals recognize and resist such manipulative tactics.
Every Hotel Should Offer Regular Training and Ask Tech Vendors About Their Cyber Protocols
Hotels, as prime targets for cyber threats, must prioritize the security of their digital infrastructure and the education of their staff. One of the most effective measures is to offer regular training sessions for employees, ensuring they are well-versed in identifying and mitigating potential threats, such as phishing emails or suspicious online activities. By fostering a culture of cybersecurity awareness, hotels can significantly reduce the risk of human error, which is often the weakest link in the security chain. Furthermore, partnering with software vendors who have heavily invested in cybersecurity ensures that the hotel's digital systems are fortified with the latest security protocols. Such vendors bring expertise, cutting-edge technology, and continuous updates to the table, providing an additional layer of defense against the ever-evolving landscape of cyber threats.