Learning from MGM’s Mistakes: How a Quality Audit Can Help

by Tori Thurmond / September 15th, 2023

A $33 billion company breached because of a 10-minute phone call, and, according to vx-underground, all the hackers had to do was a simple search on LinkedIn.  

You’ve probably heard about the MGM breach that happened earlier this week, but did you know that the attack was a result of social engineering? A notorious hacking group, ALPHV (aka BlackCat), searched one of MGM’s employees on LinkedIn, called MGM’s help desk, and pretended to be the MGM employee that they identified on LinkedIn. They were able to get the employee’s username and password reset to then upload the malware that has greatly impacted MGM resorts across the country.  

There have been reports of room keys not working, slot machines glitching, difficulties with check-in procedures, and even parking lots and elevators not working. It’s been reported that the hacking group requested an unknown ransom from MGM, but MGM refused to pay.  

MGM’s breach isn’t the first major ransomware attack to happen in the last month, though. After this week’s breach, rumors of another major attack began to surface about Ceasars Palace, another popular destination in Las Vegas. However, Ceasars reportedly paid off the $30 million ransom that was requested of them, possibly to avoid some of the issues that MGM is currently facing.  

Can your organization afford a $30 million ransom or to lose access to essential operation systems for days at a time? Most organizations can’t, so let’s talk about what we can learn from MGM’s mistakes.  

How a Quality Audit Can Help Defend Against Ransomware

From what we know about the attack so far, it seems like the recent MGM breach could have been avoided if the company had stricter password and verification policies in place. It only took the threat actors 10 minutes to get the information they needed, after all.  

How can an organization ensure that they have policies in place that will protect them against bad actors? An audit—but not just any audit.  

Many organizations are beginning to turn to automated and check-box audits to show clients that they have the reports and documentation they are required to have. All organizations must do is say that the required policies exist and maybe upload the document to an automated platform. Once the client confirms that the policies exist, the auditor moves on without checking the policy’s content or observing the procedures in action. No one is actually reviewing these policies.  

To truly ensure that an organization’s policies are effective, a security expert needs to thoroughly review the policies that are meant to keep the organization secure. However, the audit shouldn’t stop there. Your auditor should observe the procedures that the policy outlines in person. It’s one thing to say you’re doing something, but it’s another to actually follow through.  

What is the process when someone needs to change their password or needs to request sensitive information? Are password changes being logged and monitored? What are the steps taken to verify that the person on the phone is who they claim to be? These questions can’t be answered through automation. 

Audits that feature in-person visits are invaluable. The auditor will be able to confirm that a company is doing everything they can to remain as secure as possible, or they can point out gaps and vulnerabilities that the organization may not have previously considered.  

When the stakes of security events are higher than they’ve ever been, organizations shouldn’t consider a clean audit report their highest priority. Instead, it’s important that organizations strive to find a thorough auditor who will help them identify where their security defenses could improve. Once an auditor identifies areas for improvement, the organization can then work to remediate any findings, creating a more secure environment.  

Don’t be an easy target for threat actors. When you work with an audit partner committed to helping you reach your security and compliance goals, you can stop worrying that something like the MGM breach will happen to your organization and start feeling confident about your organization’s security posture.  

Work with KirkpatrickPrice to face today’s threats confidently.

It’s natural to feel uneasy when headlines of multi-million-dollar breaches break the news. You don’t want to be next. But the good news is that you don’t have to be. By working with KirkpatrickPrice, you’ll have access to security experts who actually care about the well-being of your organization. We want to partner with you throughout your entire security and compliance journey, from audit readiness to final report and everything in between. When you choose KirkpatrickPrice, we don’t rely on automation alone. Instead, we pair you with an expert who will work to understand how your business operates and what you need to do to remain secure and complaint. If you want to know if your policies and procedures are enough to keep your organization secure or if you’re ready to start your next audit, connect with one of our experts today.  

About the Author

Tori Thurmond

Tori Thurmond has degrees in both professional and creative writing. She's has over five years of copywriting experience and enjoys making difficult topics, like cybersecurity compliance, accessible to all. Since starting at KirkpatrickPrice in 2022, she's earned her CC certification from (ISC)2 which has aided her ability to contribute to the company culture of educating, empowering, and inspiring KirkpatrickPrice's clients and team members.