Following September’s ransomware assault on MGM Resorts, the hospitality and on line casino big swiftly determined to not have interaction or negotiate with cybercriminals — and based mostly on its most up-to-date Securities and Change Fee (SEC) disclosure, the gamble paid off.
MGM’s incident response technique was a pointy left flip from Caesars Leisure, which after it was breached by the identical menace actors, determined to pay a negotiated ransom of $15 million and transfer on. Within the days following the on line casino cyberattacks, Caesars was again to day-to-day operations, whereas MGM struggled to claw again operations for greater than per week.
In its revised SEC disclosure type 8-Ok, MGM stories it misplaced about $100 million because of the breach, which looks as if a hefty price ticket at first blush. Nonetheless, the corporate famous that the losses will solely barely influence the corporate’s third quarter financials, with minimal potential spillover into the fourth quarter. For comparability’s sake, MGM hauled in practically $4 billion in income within the second quarter of the yr, throughout its world operations — and $2.1 billion in income from its Las Vegas properties alone.
“The Firm doesn’t count on that it’s going to have a fabric impact on its monetary situation and outcomes of operations for the yr,” MGM mentioned. The on line casino juggernaut is already trying ahead to November Method 1 racing coming to the Vegas Strip, which it added will increase its fourth quarter earnings considerably.
As compared, Caesars recovered and stood up operations extra shortly, however within the course of, rewarded cybercrime exercise and doubtlessly averted essential restoration work, in response to Anne Cutler, cybersecurity evangelist with Keeper Safety.
“Paying a ransom to cybercriminals doesn’t assure a full return of a company’s programs and information, and solely furthers the ransomware ecosystem,” Cutler says. “Though the $100 million in losses are expensive on the floor, MGM’s choice to not pay the ransom adopted the plan of action beneficial by cybersecurity specialists, authorities, and regulation enforcement.”
The result makes a stunning enterprise case for telling cybercriminals to pound sand following a ransomware assault.
Do Deep Pockets Make Orgs Higher or Worse Targets?
Are some organizations simply too wealthy to ransomware?
“No firm is just too huge to hack; the important thing subject is a enterprise too resilient to hack,” Viakoo CEO Bud Broomhead says. “MGM could have invested closely in backup and restoration, and should use this assault to be taught the place their weak point[es] are so subsequent time they are going to be much more resilient to assault.”
Cutler factors out that for small- and midsize companies, a ransomware assault “may pressure them out of enterprise totally.” Bigger companies are extra financially outfitted to soak up remediation prices.
However as an alternative of playing on whether or not to pay after a ransomware assault already occurs, it is smarter for companies to repeatedly put money into cybersecurity know-how to maintain up with evolving menace actors, in response to Omri Weinberg, co-founder of DoControl.
“No firm will ever be totally bulletproof, and similar to the on line casino, you should guess the place to take a position the assets and funds into your cybersecurity follow,” Weinberg says. “Adversaries will at all times be extra subtle with new applied sciences, and it is a unending sport.”
Cybersecurity Kevlar apart, Broomhead commends MGM’s incident response to the ransomware assault.
“MGM deserves credit score for not paying the ransom; hopefully their instance will push extra organizations to deal with resiliency and enterprise continuity,” Broomhead says. “It is by no means a query of will you be hacked, simply whenever you’ll be hacked and the way ready you’re for it.”
