
What Can Your Organization Learn from the MGM Hack?

It’s been a tough week for MGM.

The entertainment giant, which owns more than 30 gambling and hotel properties, was forced to take core systems offline after a simple phone call circumvented its cybersecurity protocols, allowing hackers to shut down systems at several MGM resorts, including the Bellagio and MGM Grand in Las Vegas. The cyber attack locked down hotel and casino doors and elevators, limited access to guest rooms, and turned off ATMs and slot machines.

The social engineering attack, allegedly organized by a well-known cyber crime group called “Scattered Spider,” was the second high-profile hack in weeks, with Caesars Entertainment Inc. claiming it was also a victim of a ransomware attack in early September.

Perhaps the worst part of this entire situation? It all started with a phone call to the MGM helpdesk, with hackers convincing IT support staff that they were employees. MFA can be frustrating, but this attack is the perfect example of why it is required, why the helpdesk that can reset or bypass it must verify who is actually calling, and why businesses must stay diligent with employee training about social engineering.

Scattered Spider is infamous for social engineering: attacks that psychologically manipulate employees into letting the attacker past technical defenses. Once inside an organization's environment, the hackers often have free rein, siphoning off critical business and personal information. Because Scattered Spider is based in the U.S., its members can credibly call an employee in fluent English and talk them into clicking links, approving MFA requests, or running malicious apps.

The unfortunate lesson here is simple: Regardless of the size of your organization, penetration testing and employee security training must be top of mind.

Why Do Businesses Need Penetration Testing and Social Engineering Risk Assessments?

With the constant evolution of social engineering tactics and the other manipulation techniques hackers use, every organization should conduct regular network penetration testing to uncover vulnerabilities and gaps in its defenses. Often grouped with vulnerability assessments and sometimes called ethical hacking, pen testing goes a step further than a scan: testers actually attempt to exploit what they find, so the report shows which weaknesses are reachable, not just which exist. Its results can guide investments in cybersecurity solutions, updates to security policies, and ongoing employee security training.

While the details of the MGM attack and its consequences continue to emerge, it serves as a strong reminder of the importance of cybersecurity risk assessments and social engineering awareness. There is no better time to ask:

  • Does our organization regularly conduct network security tests?
  • Do we leverage experienced cybersecurity testing services from a trusted partner such as a managed IT services provider?
  • Is our partner using a third-party penetration testing tool built on a modern, thorough security testing methodology?
  • Do we have a plan for turning our penetration testing report into action?
  • Are we regularly conducting security awareness training with a focus on social engineering prevention?

Penetration Testing and Vigilance Are Key to Avoiding Social Engineering Attacks

At Exigent, we partner with a third-party vendor for our cybersecurity audits and offer the service free to clients and prospective customers. We also follow our own advice to keep social engineering from opening the door to our clients' IT environments: we conduct penetration tests on our own network and require MFA for all applications and for access to our support helpdesk.

While we continue to watch the MGM situation unfold, we urge you to remind your team:

  • Always be suspicious of unusual or urgent requests for information such as MFA details or leadership emails, even over the phone
  • Remember that Exigent helpdesk personnel will never ask you to share multifactor codes, but we will require MFA for support requests, especially when you call us
  • Finally, be cautious about emails with attachments or links, particularly when there is a call to action such as scanning a QR code or sharing your company name, phone number, or other details
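The helpdesk rule above (MFA is required for support requests, but staff never ask for a code) is worth seeing as a concrete flow, because the MGM call succeeded precisely where the human on the phone was the only check. The following is an added example written for this page, not Exigent's helpdesk software and not anything from the MGM incident. It assumes each employee has one enrolled device holding an HOTP secret (RFC 4226) and a push channel to that device; both are simulated in memory, and every user, secret, device name and agent ID is constructed. The agent-facing calls return only a challenge id and a state; the one-time response travels from the device to the server and never passes through the agent or the phone line.

```python
"""Help-desk caller verification where the agent never touches the one-time code.

Added example, not Exigent's helpdesk code. Assumes one enrolled device per
employee holding an HOTP secret and a push channel to it (both simulated here).
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

# Constructed enrollment directory (assumption): username -> enrolled device and
# its HOTP secret. The secret is the RFC 4226 test-vector key.
ENROLLED = {
    "jdoe": {"device": "jdoe-phone", "secret": b"12345678901234567890"},
}

# Simulated push channel: device name -> (challenge_id, counter) awaiting an answer.
DEVICE_INBOX = {}

# Server-side challenge state. It stores the counter, never the code, and the
# agent-facing API below exposes only the state string.
PENDING = {}

CHALLENGE_TTL = 120   # seconds a challenge stays answerable
MAX_ATTEMPTS = 3      # wrong responses before the challenge is burned


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def start_verification(username: str, agent_id: str, now: Optional[float] = None,
                       counter: Optional[int] = None) -> Optional[str]:
    """Agent-facing: the agent records who the caller claims to be and gets back
    only a challenge id. The challenge goes to the enrolled device, so nothing
    the caller says on the phone can satisfy it."""
    user = ENROLLED.get(username)
    if user is None:
        return None
    if counter is None:
        counter = secrets.randbits(63)  # fresh, unpredictable per challenge
    challenge_id = secrets.token_urlsafe(16)
    PENDING[challenge_id] = {
        "user": username, "agent": agent_id, "counter": counter,
        "created": time.time() if now is None else now,
        "attempts": 0, "state": "pending",
    }
    DEVICE_INBOX[user["device"]] = (challenge_id, counter)
    return challenge_id


def enrolled_device_respond(device: str) -> Tuple[str, str]:
    """Simulated enrolled device: it holds the secret and computes the response.
    Only someone in possession of the device can produce this value."""
    challenge_id, counter = DEVICE_INBOX.pop(device)
    secret = next(u["secret"] for u in ENROLLED.values() if u["device"] == device)
    return challenge_id, hotp(secret, counter)


def submit_response(challenge_id: str, code: str, now: Optional[float] = None) -> bool:
    """Server-side check of a response sent device -> server (never via the agent).
    Single use, time-limited and attempt-limited, so a caller who knows the
    employee's name, ID and manager but lacks the device cannot guess or replay."""
    ch = PENDING.get(challenge_id)
    if ch is None or ch["state"] != "pending":
        return False
    now = time.time() if now is None else now
    if now - ch["created"] > CHALLENGE_TTL:
        ch["state"] = "expired"
        return False
    ch["attempts"] += 1
    expected = hotp(ENROLLED[ch["user"]]["secret"], ch["counter"])
    if hmac.compare_digest(expected, code):
        ch["state"] = "verified"
        return True
    if ch["attempts"] >= MAX_ATTEMPTS:
        ch["state"] = "failed"
    return False


def agent_status(challenge_id: str) -> str:
    """Agent-facing: pending / verified / failed / expired. No code, no counter."""
    ch = PENDING.get(challenge_id)
    return "unknown" if ch is None else ch["state"]


if __name__ == "__main__":
    # Legitimate employee: the device answers and the agent sees "verified".
    cid = start_verification("jdoe", "agent-7")
    submit_response(*enrolled_device_respond("jdoe-phone"))
    print("employee with device:", agent_status(cid))
    # Impostor who knows everything about jdoe except holding the phone.
    cid = start_verification("jdoe", "agent-7")
    for guess in ("000000", "123456", "999999"):
        submit_response(cid, guess)
    print("caller without device:", agent_status(cid))
```

The design point is the separation of roles: the agent can only open a challenge and read its state, the device alone can answer it, and the server alone decides. A convincing voice, a correct employee ID, or an urgent story gives the caller nothing the server will accept, which is the property a phone-based helpdesk check needs.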

Interested in a free cybersecurity risk assessment?