2023 MGM Breach: A Wake-Up Call for Better Social Engineering Training for Employees
Hackers have turned up the heat on voice social engineering attacks, as the recent devastating MGM hack illustrates. The renowned resort was crippled by a ransomware gang in September, which caused a system-wide outage. Customers were unable to use credit cards, digital hotel room keys didn’t work, casino machines were down, the website was broken, and more. In a recent SEC filing, MGM declared that the anticipated loss was $100MM. How do you avoid this type of attack? We’ll dive into the details of the MGM attack, share tips on how to incorporate social engineering training for employees in your cybersecurity plan, and provide advice on how to turn your employees into your first line of defense against cyberattacks.
Understanding the 2023 MGM Breach
According to Bloomberg, the MGM devastation was caused by a “social engineering breach of the company’s IT help desk.” While MGM has not confirmed the details, a former MGM employee noted that the company’s password reset process was very weak, and an adversary would only need to provide basic information such as name, employee ID and date of birth in order to trigger a password reset—details which were “too easy to obtain.”
Even though multi-factor authentication (MFA) was in use, the hackers were reportedly able to reset the victim’s MFA app as well—a common tactic used by hackers who claim to have “lost my phone” in order to convince the help desk to reset the employee’s MFA credentials. But MGM is not alone. The 2023 Verizon Data Breach Investigations Report found that 74% of attacks involved the human element and that social engineering was a top cause. In this blog, we will share tips on how to incorporate social engineering training for employees in your cybersecurity plan and provide advice on how to turn your employees into your first line of defense against cyberattacks.
The Importance of Social Engineering Training for Employees
The MGM breach serves as a stark reminder of how cybercriminals can exploit the weakest link in an organization’s security chain—its employees. In fact, Okta warned that this type of social engineering attack strategy is increasing, “In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users.”
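The help-desk pattern described above (a reset granted on name, employee ID and date of birth alone, and all MFA factors of a privileged user reset in one call) is something a security team can watch for in its own service-desk audit trail. The script below is an added example for this post; it is not code from MGM, Okta or the post’s author. The JSON log format, the field names, the list of “knowledge-only” attributes, the set of stronger verification steps and the privileged-account list are all constructed assumptions; map them to whatever your ticketing or identity system actually records.

```python
"""Triage help-desk password/MFA-reset events for weak identity verification.
Constructed example: log format, field names and account lists are assumptions."""
import json
from dataclasses import dataclass

# Assumption: facts an outsider can often research from public or leaked data.
KNOWLEDGE_ONLY_ATTRIBUTES = {"name", "employee_id", "date_of_birth"}
# Assumption: verification steps that require something the caller must control.
STRONG_VERIFICATION = {"callback_number_on_file", "manager_approval", "video_id_check"}
# Constructed list of highly privileged accounts (the kind the Okta warning concerns).
PRIVILEGED_ACCOUNTS = {"it.admin", "okta.superadmin"}

# Constructed sample of help-desk audit records, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2023-09-10T14:02:11Z","event":"mfa_factor_reset","target":"okta.superadmin","agent":"hd-17","verified_with":["name","employee_id","date_of_birth"],"factors_reset":"all","channel":"phone"}
{"ts":"2023-09-10T14:20:45Z","event":"mfa_factor_reset","target":"j.smith","agent":"hd-03","verified_with":["name","employee_id","callback_number_on_file"],"factors_reset":"one","channel":"phone"}
{"ts":"2023-09-10T15:01:02Z","event":"password_reset","target":"it.admin","agent":"hd-17","verified_with":["name","date_of_birth"],"factors_reset":"none","channel":"phone"}
{"ts":"2023-09-10T15:30:00Z","event":"mfa_factor_reset","target":"m.jones","agent":"hd-09","verified_with":["manager_approval","name"],"factors_reset":"all","channel":"ticket"}
"""


@dataclass
class Alert:
    ts: str
    target: str
    agent: str
    severity: str
    reasons: list


def verification_is_sufficient(verified_with) -> bool:
    """True only if at least one step required something the caller had to
    control, rather than facts (name, employee ID, DOB) an attacker can research."""
    return bool(STRONG_VERIFICATION & set(verified_with))


def triage_event(rec: dict):
    """Return an Alert for a reset event that deserves review, else None."""
    if rec["event"] not in ("mfa_factor_reset", "password_reset"):
        return None
    reasons = []
    if not verification_is_sufficient(rec["verified_with"]):
        reasons.append("knowledge-based verification only")
    if rec["event"] == "mfa_factor_reset" and rec["factors_reset"] == "all":
        reasons.append("all MFA factors reset")
    if rec["target"] in PRIVILEGED_ACCOUNTS:
        reasons.append("privileged target")
    if not reasons:
        return None
    # Privileged target plus weak verification is exactly the pattern in the post.
    weak_privileged = ("privileged target" in reasons
                       and "knowledge-based verification only" in reasons)
    severity = "high" if weak_privileged else "medium"
    return Alert(rec["ts"], rec["target"], rec["agent"], severity, reasons)


def triage_log(text: str):
    """Parse newline-delimited JSON records and collect alerts in log order."""
    alerts = []
    for line in text.strip().splitlines():
        alert = triage_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


def agents_with_repeated_weak_resets(alerts, threshold=2):
    """Help-desk agents who approved several weakly verified resets: a
    remediation signal for the role-based training discussed later in the post."""
    counts = {}
    for a in alerts:
        if "knowledge-based verification only" in a.reasons:
            counts[a.agent] = counts.get(a.agent, 0) + 1
    return sorted(agent for agent, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for a in found:
        print(a.severity.upper(), a.ts, a.target, "by", a.agent, "->", "; ".join(a.reasons))
    print("agents to retrain:", agents_with_repeated_weak_resets(found))
```

Run as-is, the script raises two high-severity alerts (a super-admin whose factors were all reset on researchable facts alone, and an admin password reset verified only by name and date of birth), one medium alert for a full factor reset that did carry manager approval, and names agent hd-17 for remediation. The design choice worth copying is that the check keys on how identity was verified, not on whether the caller sounded convincing; the same logic can run as a pre-approval gate inside the ticketing workflow rather than after the fact.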
With the increase in remote work arrangements, social engineering attacks on employee personal devices are increasing. Organizations need to train all employees to identify and thwart these attacks whether it’s on company or personal devices (you may also want to check out our blog on mobile security best practices). Let’s look at some of the best practices your organization should incorporate into your training.
Five Tips to Maximize the Success of Social Engineering Training for Employees
- Frequency of Training Matters. One of the key aspects of effective social engineering training is its frequency. Cyber threats are constantly evolving, and attackers are becoming more sophisticated. Consequently, annual or bi-annual training sessions are no longer sufficient. Regular, ongoing training (at least monthly) is essential to keep employees informed and vigilant.
Regular training sessions serve as timely reminders of the ever-present risks of social engineering attacks, and they should incorporate the latest tactics. When training occurs frequently, employees are more likely to stay up to date with the latest tactics employed by cybercriminals. The goal is to instill a culture of cybersecurity awareness within the organization. The industry best practice is at least monthly cybersecurity training for everyone.
- Dynamic Training Content. Static and repetitive training materials are not effective in today’s rapidly changing threat landscape. Social engineers adapt and modify their tactics continuously, which means that your training content must evolve as well. Organizations must invest in up-to-date training materials that reflect the current methods and strategies employed by attackers.
Training content should cover a wide range of social engineering attacks, including mobile device phishing (often referred to as “smishing”), pretexting (impersonating another person like your boss and asking you to do something), voice phishing (aka vishing), MFA fatigue attacks and more. You may also want to consider physical social engineering testing where our testing team tries to enter your facility to access your data (available upon request). Employees need to understand the risks associated with these attack vectors and learn how to recognize and respond to them effectively.
- Role-Based Training. Not all employees face the same level of risk when it comes to social engineering attacks. Tailoring training to specific roles within the organization is crucial. High-risk roles, such as executives, and all members of your help desk, human resources, and finance teams, should receive specialized training.
For instance, executives may be targeted with “whaling” attacks, which focus on high-profile individuals. They should be educated about the risks and instructed on how to limit their online presence to reduce their vulnerability. Meanwhile, employees in HR and finance may not hold management positions, but they handle sensitive financial information, making them attractive targets for attackers.
- Assessment and Remediation. Effective training should not end with a one-time session. It is essential to have a process in place to review employees’ performance and provide remediation where needed. If an employee fails to meet the training standards, additional training should be provided until they demonstrate a sufficient level of cybersecurity awareness. Regular assessments, quizzes, and simulated phishing attacks can help gauge employees’ knowledge and preparedness. This data can be used to identify areas of weakness and tailor additional training accordingly for individuals, teams, or your entire organization.
- Comprehensive Reporting. To evaluate the effectiveness of your social engineering training program, you need accurate performance metrics beyond attendance records. Reporting should include the results of quizzes and phishing simulations, allowing you to assess employee knowledge and susceptibility to social engineering attacks. These reports can be shared with upper management to provide them with an accurate view of the organization’s risk level. It also helps justify the investment in cybersecurity training by demonstrating its impact on reducing the risk of successful social engineering attacks.
In today’s ever-evolving cybersecurity landscape, organizations must prioritize social engineering training to protect themselves against a wide range of threats. By implementing the five tips for effective social engineering training for employees that we’ve outlined in this article, you can empower your employees to become a robust human firewall.
Investing in cybersecurity awareness and training is not just a preventive measure; it’s an essential component of modern business resilience. As the threat landscape continues to evolve, staying proactive and vigilant through regular training is the key to safeguarding your organization’s data and reputation.
If you need help with training, contact us for more information on our employee security awareness training, executive cybersecurity training, IT training for ransomware response, or tabletop exercises that simulate a breach.