After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the world.
So, what are we doing wrong?
While controls and audit-based approaches have moved the needle forward, even large corporations struggle to manage the complexities of cyber, especially at a time when highly motivated adversaries, complex digital supply chains, and new advances in AI can challenge even the most well-resourced security program.
If forecasts for cyber risk are accurate, losses will continue to grow as digital transformation initiatives also grow. A grounded approach to security should anticipate and prepare for limiting losses, not trying to stop them completely. This means identifying plausible loss scenarios that could impact the company’s ability to deliver value and then focusing security investments on reducing the probability of these kinds of incidents. This is how organizations identify their tolerance for loss, which is a core foundation of a risk-focused approach.
A Risk-Focused Approach in Action: MGM and Caesars
Rather than focusing on the total implementation of a framework or control set, organizations must focus on what is required to continually deliver value to their clients without interruption. This approach is risk-focused rather than controls first and is fundamental to the value-driven risk management strategy that we call Cyber Resilience.
Cyber Resilience tolerates losses – within limits.
This is different from implicit security principles, which seek loss elimination as an end goal. A value-driven risk management strategy requires the CFO, CRO, and CISO to determine what the business can stand to lose. When Caesars Entertainment experienced a data breach in the Fall of 2023, threat actors compromised the personal identifying information of an unknown number of rewards program members. The hackers allegedly demanded a $30 million ransom, of which Caesars purportedly paid half.
As a counterpart, MGM Resorts was hit with a subsequent data breach and opted not to make a ransom payment. The result was an attack that shut down all of the systems at a dozen of Las Vegas’ most prominent casinos for ten days, with issues including cash-only transactions, downed ATMs and gaming machines, digital key cards not working, and more. To resolve the incident, MGM spent around $10 million on legal and consulting services. However, the impact on their business while the attack persisted led to a $100 million loss in third-quarter revenue.
Both organizations took a risk-focused approach to managing the incident– they looked at their value at risk and leveraged the decision to pay as a business decision that would impact their ability to deliver value. While it is impossible to know what was going through MGM and Caesar’s business leaders’ minds during the incident, they were almost undoubtedly making quick calculations to quantify their value-at-risk, the cost-benefit of paying vs. not paying a ransom, and which scenario fell within their risk tolerance.
Two Approaches to Risk-Focused Incident Response
It must be noted that no ransom event is the same: Caesars was notified of ransom demands earlier in the incident cycle than MGM, which most likely influenced MGM’s decision to withhold payment. However, for this exercise, reviewing the fundamental differences between their incident response tactics can teach the general cyber community a lot about calculating, managing, and anticipating losses to their organization’s overall risk surface.
Caesars opted to pay the ransom after negotiation. They likely calculated the business impact of a downed system and determined that paying a portion of the ransom would lead to the least amount of losses. In this case, they were fortunate; their customer-facing systems were not impacted, and client data was not leaked online.
MGM took a different approach and resisted ransom payment. As a result, their third-quarter finances took a considerable blow. However, with a total revenue of $15.38 billion, $100 million in loss is a drop in the bucket. This amount was probably within their loss tolerance, and the choice not to pay the ransom likely stemmed from confidence in their incident response capabilities, an understanding of their value at risk, and a risk-focused approach to loss that anticipated an incident like this.
Neither reaction– making the ransom payment or resisting– is wrong. Caesars knew that they could reduce business interruption and avoid further losses by making the ransom payment. They calculated the cost of their risk surface and acted to minimize financial loss. MGM did the same; they determined their bottom-line could handle the cost of business interruption and leaned on their investments in cybersecurity to regain operationality. Both organizations determined how much loss they could accept, and proceeded to make decisions based on that calculation.
A Cyber Resilient Objective
While calculating how much loss you can accept may feel counterintuitive to the objective of resilience, it is critical for organizations to understand what they can afford to lose. Most cyber incidents cost something, and whether that is paid in the form of incident response, a ransom, business interruption, or reputational damage, the true and probable costs of cyber risk must be anticipated.
A grounded approach to security should expect and plan for reducing losses, not trying to stop them completely. This means identifying plausible losses that will severely impact a company’s ability to deliver value to its clients and then focusing on reducing the probability of incidents that can cause them. This focus on being resilient to material losses– instead of any loss– is the core objective of Cyber Resilience.
